CVE-2018-3954

Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAMData entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. When the 'preinit' binary receives the SIGHUP signal it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object.

CVSS v3 7.2 HIGH
CVSS v2.0 9.0 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625	Exploit Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:linksys:e1200_firmware:2.0.09:*:*:*:*:*:*:*

cpe:2.3:h:linksys:e1200:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:linksys:e2500_firmware:3.0.04:*:*:*:*:*:*:*

cpe:2.3:h:linksys:e2500:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:06

Type	Values Removed	Values Added
References	~~() https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625 - Exploit, Third Party Advisory~~	() https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625 - Exploit, Third Party Advisory

Information

Published : 2018-10-17 02:29

Updated : 2024-11-21 04:06

NVD link : CVE-2018-3954

Mitre link : CVE-2018-3954

CVE.ORG link : CVE-2018-3954

JSON object : View

Products Affected

linksys

e2500
e2500_firmware
e1200
e1200_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2018-3954", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2018-10-17T02:29:01.500", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625", "tags": ["Exploit", "Third Party Advisory"], "source": "talos-cna@cisco.com"}, {"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAMData entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. When the 'preinit' binary receives the SIGHUP signal it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object."}, {"lang": "es", "value": "Los dispositivos de la l\u00ednea de routers Linksys ESeries (Linksys E1200 con versi\u00f3n del firmware 2.0.09 y Linksys E2500 con versi\u00f3n del firmware 3.0.04) son susceptibles a vulnerabilidades de inyecci\u00f3n de comandos del sistema operativo debido al filtrado incorrecto de datos pasados y recuperados desde los datos NVRAM introducidos en el campo de entrada \"Router Name\" mediante el portal web y enviados a apply.cgi como el valor del par\u00e1metro POST \"machine_name\". Cuando el binario \"preinit\" recibe la se\u00f1al SIGHUP, introduce una ruta de c\u00f3digo que llama a una funci\u00f3n denominada \"set_host_domain_name\" desde su objeto compartido en libshared.so."}], "lastModified": "2024-11-21T04:06:22.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linksys:e1200_firmware:2.0.09:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D814CD48-1D88-4F06-A235-BB9EA8EB8D07"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e1200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "47605441-7B24-4FF5-9956-6836117130EA"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linksys:e2500_firmware:3.0.04:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E7346C0-5E2E-4840-AA3C-F23527C81A51"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e2500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D37D6660-2A10-44A6-8CAF-F5BC5F6C476E"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}