CVE-2017-8835 (GCVE-0-2017-8835)

Vulnerability from cvelistv5

Published

2017-06-05 14:00

Modified

2024-08-05 16:48

Severity ?

CWE

Summary

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

gsd-2017-8835

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2017-8835

Aliases

CVE-2017-8835

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-8835",
    "description": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.",
    "id": "GSD-2017-8835",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2017-8835"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-8835"
      ],
      "details": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.",
      "id": "GSD-2017-8835",
      "modified": "2023-12-13T01:21:08.529337Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-8835",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://seclists.org/bugtraq/2017/Jun/1",
            "refsource": "MISC",
            "url": "http://seclists.org/bugtraq/2017/Jun/1"
          },
          {
            "name": "42130",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/42130/"
          },
          {
            "name": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/",
            "refsource": "MISC",
            "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:b305hw2_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_305:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:380hw6_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_380:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:580hw2_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_580:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:710hw3_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_710:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:1350hw2_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_1350:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:peplink:2500_firmware:7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:peplink:balance_2500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-8835"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/"
            },
            {
              "name": "http://seclists.org/bugtraq/2017/Jun/1",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/bugtraq/2017/Jun/1"
            },
            {
              "name": "42130",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/42130/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2017-08-13T01:29Z",
      "publishedDate": "2017-06-05T14:29Z"
    }
  }
}

cnvd-2017-09525

Vulnerability from cnvd

Title

多款Peplink Balance产品存在SQL注入漏洞

Description

Peplink Balance 305等都是用于中型企业的多出口负载均衡路由器。使用fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093之前版本固件的多款Peplink Balance产品中存在SQL注入漏洞。远程攻击者可利用该漏洞枚举用户账户。

Severity

高

Patch Name

多款Peplink Balance产品存在SQL注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.peplink.com/

Reference

http://seclists.org/bugtraq/2017/Jun/1 https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/

Impacted products

Name
['Peplink Balance 2500', 'Peplink Balance 1350', 'Peplink Balance 710', 'Peplink Balance 580', 'Peplink Balance 380', 'Peplink Balance 305']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8835"
    }
  },
  "description": "Peplink Balance 305\u7b49\u90fd\u662f\u7528\u4e8e\u4e2d\u578b\u4f01\u4e1a\u7684\u591a\u51fa\u53e3\u8d1f\u8f7d\u5747\u8861\u8def\u7531\u5668\u3002\r\n\r\n\u4f7f\u7528fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684\u591a\u6b3ePeplink Balance\u4ea7\u54c1\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u679a\u4e3e\u7528\u6237\u8d26\u6237\u3002",
  "discovererName": "X41 D-Sec GmbH, Eric Sesterhenn",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.peplink.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-09525",
  "openTime": "2017-06-14",
  "patchDescription": "Peplink Balance 305\u7b49\u90fd\u662f\u7528\u4e8e\u4e2d\u578b\u4f01\u4e1a\u7684\u591a\u51fa\u53e3\u8d1f\u8f7d\u5747\u8861\u8def\u7531\u5668\u3002\r\n\r\n\u4f7f\u7528fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684\u591a\u6b3ePeplink Balance\u4ea7\u54c1\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u679a\u4e3e\u7528\u6237\u8d26\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3ePeplink Balance\u4ea7\u54c1\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Peplink Balance 2500",
      "Peplink Balance 1350",
      "Peplink Balance 710",
      "Peplink Balance 580",
      "Peplink Balance 380",
      "Peplink Balance 305"
    ]
  },
  "referenceLink": "http://seclists.org/bugtraq/2017/Jun/1\r\nhttps://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/",
  "serverity": "\u9ad8",
  "submitTime": "2017-06-06",
  "title": "\u591a\u6b3ePeplink Balance\u4ea7\u54c1\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e"
}

fkie_cve-2017-8835

Vulnerability from fkie_nvd

Published

2017-06-05 14:29

Modified

2025-04-20 01:37

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://seclists.org/bugtraq/2017/Jun/1	Mailing List, Third Party Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/42130/
cve@mitre.org	https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/bugtraq/2017/Jun/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/42130/
af854a3a-2127-422b-91ae-364da2661108	https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
peplink	b305hw2_firmware	7.0.1
peplink	balance_305	-
peplink	380hw6_firmware	7.0.1
peplink	balance_380	-
peplink	580hw2_firmware	7.0.1
peplink	balance_580	-
peplink	710hw3_firmware	7.0.1
peplink	balance_710	-
peplink	1350hw2_firmware	7.0.1
peplink	balance_1350	-
peplink	2500_firmware	7.0.1
peplink	balance_2500	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:b305hw2_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C934DEA3-D52B-4780-9DB1-DB0892AC5F81",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_305:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9CB13A7-2179-46F5-9305-40AFBDE3F0F7",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:380hw6_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AF409A3-1B36-4F46-A1CC-AFBEFA517201",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_380:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "277BC849-D50C-407D-8A05-CA81E9742AA0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:580hw2_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E44985F4-9377-41F4-BE49-B9E65A5FD9FF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_580:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD7DF9BE-5519-40CF-832F-DC1FE0913973",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:710hw3_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "584B6897-48D1-4618-9343-43AC251CD691",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_710:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D5E9E4F-7786-4A7A-A04D-AB9DB420703A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:1350hw2_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6FD22ED-88A6-44E3-A99D-3236D4E6E6B1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_1350:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF8E6365-21EB-487B-8739-5DC7512CF01B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:peplink:2500_firmware:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA09E6C0-B9D3-4E65-AFC2-A517040B2DE0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:peplink:balance_2500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5058786-C405-4524-BD0C-0F08CB20C580",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database."
    },
    {
      "lang": "es",
      "value": "Una inyecci\u00f3n SQL se presenta en los dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versi\u00f3n de firmware anterior a  fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Un vector de ataque es la cookie bauth para el archivo cgi-bin/MANGA/admin.cgi. Un impacto es la enumeraci\u00f3n de las cuentas de usuario al observar si se puede recuperar un ID de sesi\u00f3n de la base de datos de sesiones."
    }
  ],
  "id": "CVE-2017-8835",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-06-05T14:29:00.420",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/bugtraq/2017/Jun/1"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/42130/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/bugtraq/2017/Jun/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/42130/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. plural Peplink Balance Device product firmware includes SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PeplinkBalance305 is a multi-export load balancing router for medium-sized enterprises. A remote attacker can exploit this vulnerability to enumerate user accounts. Peplink Balance 305 etc. The following products are affected: Peplink Balance 305; 380; 580; 710; 1350; 2500. X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in peplink balance routers

Overview

Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin Vulnerable Firmware: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin Models: Balance Routers 305, 380, 580, 710, 1350, 2500 Vendor: Peplink Vendor URL: https://www.peplink.com/ Vector: Network Credit: X41 D-Sec GmbH, Eric Sesterhenn Additional Credits: Claus Overbeck (Abovo IT) Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/

Summary and Impact

Several issues have been identified, which allow attackers to access the administrative web interface with admin credentials, delete files, perform CSRF and XSS attacks.

Product Description

From the vendor webpage: Use Load Balancing and SpeedFusion bandwidth bonding to deliver superfast VoIP, video streaming, and data using an SD-WAN enabled network. Even with a basic Balance 20 dual-WAN router, you can mix different transport technologies and providers to keep your network up when individual links go down. Switching between links is automatic and seamless.

SQL Injection via bauth Cookie

Severity Rating: Critical Vector: Network CVE: CVE-2017-8835 CWE: 89 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact

Peplink devices are vulnerable to an SQL injection attack via the bauth cookie parameter which is set e.g. when accessing https://ip/cgi-bin/MANGA/admin.cgi.

The injection can be checked with the following command:

./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" -p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ --flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows to access the SQLite session database containing user and session variables. By using the the following cookie in a web request, it is possible to select a running administrator session to be used for the attackers login.

bauth=-12' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') or '1'='2

By forming specialised SQL queries, it is possible to retrieve usernames from the database. This worked by returning a valid session in case the username existed and no session if it did not exist. In the first case the server did not set a new session cookie in the response to the request.

SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='username' and substr(v.value,1,3)='adm')

Workarounds

Install vendor supplied update.

No CSRF Protection

Severity Rating: Medium Vector: Network CVE: CVE-2017-8836 CWE: 352 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact

The CGI scripts in the administrative interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface.

Workarounds

Install vendor supplied update.

Passwords stored in Cleartext

Severity Rating: Medium Vector: Network CVE: CVE-2017-8837 CWE: 256 CVSS Score: 4.0 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact

The Peplink devices store passwords in cleartext in the files /etc/waipass and /etc/roapass. In case one of these devices is compromised the attacker can gain access to the cleartext passwords and abuse them to compromise further systems.

Workarounds

Install vendor supplied update.

XSS via syncid Parameter

Severity Rating: Medium Vector: Network CVE: CVE-2017-8838 CWE: 80 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact

If the webinterface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site-scripting issue by calling https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victims browser, which can be abused to steal session cookies.

Workarounds

Install vendor supplied update.

XSS via preview.cgi

Severity Rating: Medium Vector: Network CVE: CVE-2017-8839 CWE: 80 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact

If the webinterface is accessible, it is possible to abuse the the orig_url parameter to trigger a cross-site-scripting issue in /guest/preview.cgi. The injection is directly into existing JavaScript.

This executes the JavaScript in the victims browser, which can be abused to steal session cookies.

Workarounds

Install vendor supplied update.

File Deletion

Severity Rating: Medium Vector: Network CVE: CVE-2017-8841 CWE: 73 CVSS Score: 6.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Summary and Impact

A logged in user can delete arbitrary files on the Peplink devices, by abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path is provided to the upfile.path parameter the file provided in the path is deleted during the process. This can be abused to cause a denial of service (DoS). In combination with the missing CSRF protection, this can be abused remotely via a logged in user.

Workarounds

Install vendor supplied update.

Information Disclosure

Severity Rating: Medium Vector: Network CVE: CVE-2017-8840 CWE: 200 CVSS Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact

If the webinterface is accessible, it is possible to retrieve sensitive information without a valid login by opening cgi-bin/HASync/hasync.cgi?debug=1

This displays the following:

-----8<------------------------------------------------ Master LAN Address = [ / ] Serial Number = [ ] HA Group ID = [ ] Virtual IP = [ / ] Submitted syncid = [ ] -----8<------------------------------------------------

This information can be valuable for an attacker to exploit other issues.

Workarounds

Install vendor supplied update.

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline

2017-04-07 Issue found 2017-04-10 Vendor asked for security contact 2017-04-11 Vendor replied, send GPG key 2017-04-11 Information supplied to vendor 2017-04-11 Vendor acknowledges that the information is received 2017-04-17 Vendor acknowledges SQL injection 2017-05-08 CVE IDs for all issues requested 2017-05-08 CVE IDs assigned 2017-05-11 Vendor informed about CVE IDs 2017-05-29 Version provided to X41 for testing 2017-05-31 First test results send back to the vendor 2017-06-01 Remaining test results send back to the vendor 2017-06-05 Coordinated Firmware and Advisory release

-- X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 GeschA$?ftsfA1/4hrer: Markus Vervier

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201706-0987",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "710hw3",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "1350hw2",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "b305hw2",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "380hw6",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "580hw2",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "2500",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "peplink",
        "version": "7.0.1"
      },
      {
        "model": "balance 1350",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance 2500",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance 305",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance 380",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance 580",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance 710",
        "scope": null,
        "trust": 0.8,
        "vendor": "peplink",
        "version": null
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "2500"
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "1350"
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "710"
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "580"
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "380"
      },
      {
        "model": "balance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "peplink",
        "version": "305"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:peplink:1350hw2_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:peplink:2500_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:peplink:b305hw2_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:peplink:380hw6_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:peplink:580hw2_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:peplink:710hw3_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Eric Sesterhenn, Claus Overbeck",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "142801"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2017-8835",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2017-8835",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2017-09525",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-117038",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2017-8835",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-8835",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-8835",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-09525",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201705-330",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-117038",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. plural Peplink Balance Device product firmware includes SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PeplinkBalance305 is a multi-export load balancing router for medium-sized enterprises. A remote attacker can exploit this vulnerability to enumerate user accounts. Peplink Balance 305 etc. The following products are affected: Peplink Balance 305; 380; 580; 710; 1350; 2500. \nX41 D-Sec GmbH Security Advisory: X41-2017-005\n\nMultiple Vulnerabilities in peplink balance routers\n===================================================\n\nOverview\n--------\nConfirmed Affected Versions: 7.0.0-build1904\nConfirmed Patched Versions:\nfw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin\nVulnerable Firmware:\nfw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin\nModels: Balance Routers 305, 380, 580, 710, 1350, 2500\nVendor: Peplink\nVendor URL: https://www.peplink.com/\nVector: Network\nCredit: X41 D-Sec GmbH, Eric Sesterhenn\nAdditional Credits: Claus Overbeck (Abovo IT)\nStatus: Public\nAdvisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/\n\n\nSummary and Impact\n------------------\nSeveral issues have been identified, which allow attackers to access the\nadministrative web interface with admin credentials, delete files,\nperform CSRF and XSS attacks. \n\n\nProduct Description\n-------------------\nFrom the vendor webpage:\nUse Load Balancing and SpeedFusion bandwidth bonding to deliver\nsuperfast VoIP, video streaming, and data using an SD-WAN enabled\nnetwork. Even with a basic Balance 20 dual-WAN router, you can mix\ndifferent transport technologies and providers to keep your network up\nwhen individual links go down. Switching between links is automatic and\nseamless. \n\n\n\nSQL Injection via bauth Cookie\n==============================\nSeverity Rating: Critical\nVector: Network\nCVE: CVE-2017-8835\nCWE: 89\nCVSS Score: 9.8\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nSummary and Impact\n------------------\nPeplink devices are vulnerable to an SQL injection attack via the bauth\ncookie parameter which is set e.g. when accessing\nhttps://ip/cgi-bin/MANGA/admin.cgi. \n\nThe injection can be checked with the following command:\n\n./sqlmap.py -u \"https://ip/cgi-bin/MANGA/admin.cgi\"\n--cookie=\"bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647\"\n-p\"bauth\" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ\n--flush-session -t trace.log --prefix \"\u0027\" --suffix \"--\" -a\n\nThe vulnerability in the Peplink device allows to access the SQLite\nsession database containing user and session variables. By using the the\nfollowing cookie in a web request, it is possible to select a running\nadministrator session to be used for the attackers login. \n\nbauth=-12\u0027 or id IN (select s.id from sessions as s left join\nsessionsvariables as v on v.id=s.id where v.name=\u0027rwa\u0027 and v.value=\u00271\u0027)\nor \u00271\u0027=\u00272\n\nBy forming specialised SQL queries, it is possible to retrieve usernames\nfrom the database. This worked by returning a valid session in case the\nusername existed and no session if it did not exist. In the first case\nthe server did not set a new session cookie in the response to the request. \n\nSELECT id FROM sessions WHERE sessionid = \u0027-14\u0027 or id IN (select s.id\nfrom sessions as s left join sessionsvariables as v on v.id=s.id where\nv.name=\u0027username\u0027 and substr(v.value,1,3)=\u0027adm\u0027)\n\n\n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\nNo CSRF Protection\n==================\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8836\nCWE: 352\nCVSS Score: 5.4\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\n\nSummary and Impact\n------------------\nThe CGI scripts in the administrative interface are not protected\nagainst cross site request forgery attacks. This allows an attacker to\nexecute commands, if a logged in user visits a malicious website. This\ncan for example be used to change the credentials of the administrative\nwebinterface. \n\n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\n\nPasswords stored in Cleartext\n=============================\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8837\nCWE: 256\nCVSS Score: 4.0\nCVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\nSummary and Impact\n------------------\nThe Peplink devices store passwords in cleartext in the files\n/etc/waipass and /etc/roapass. In case one of these devices is\ncompromised the attacker can gain access to the cleartext passwords and\nabuse them to compromise further systems. \n\n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\n\nXSS via syncid Parameter\n========================\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8838\nCWE: 80\nCVSS Score: 5.4\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\n\nSummary and Impact\n------------------\nIf the webinterface is accessible, it is possible to abuse the syncid\nparameter to trigger a cross-site-scripting issue by calling\nhttps://ip/cgi-bin/HASync/hasync.cgi?debug=1\u0026syncid=123%3Cscript%3Ealert%281%29%3C/script%3E\n\nThis executes the JavaScript in the victims browser, which can be abused\nto steal session cookies. \n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\n\nXSS via preview.cgi\n===================\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8839\nCWE: 80\nCVSS Score: 5.4\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\n\nSummary and Impact\n------------------\nIf the webinterface is accessible, it is possible to abuse the the\norig_url parameter to trigger a cross-site-scripting issue in\n/guest/preview.cgi. The injection is directly into existing JavaScript. \n\nThis executes the JavaScript in the victims browser, which can be abused\nto steal session cookies. \n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\nFile Deletion\n=============\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8841\nCWE: 73\nCVSS Score: 6.5\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\n\nSummary and Impact\n------------------\nA logged in user can delete arbitrary files on the Peplink devices, by\nabusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path\nis provided to the upfile.path parameter the file provided in the path\nis deleted during the process. This can be abused to cause a denial of\nservice (DoS). In combination with the missing CSRF protection, this can\nbe abused remotely via a logged in user. \n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\n\nInformation Disclosure\n======================\nSeverity Rating: Medium\nVector: Network\nCVE: CVE-2017-8840\nCWE: 200\nCVSS Score: 5.3\nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\nSummary and Impact\n------------------\nIf the webinterface is accessible, it is possible to retrieve sensitive\ninformation without a valid login by opening\ncgi-bin/HASync/hasync.cgi?debug=1\n\nThis displays the following:\n\n-----8\u003c------------------------------------------------\nMaster LAN Address    = [ \u003cinternal ip\u003e / \u003cnetmask\u003e ]\nSerial Number         = [ \u003cserial number\u003e ]\nHA Group ID           = [ \u003cgroup id\u003e ]\nVirtual IP            = [ \u003cinternal ip\u003e / \u003cnetmask\u003e ]\nSubmitted syncid      = [ \u003csyncid\u003e ]\n-----8\u003c------------------------------------------------\n\nThis information can be valuable for an attacker to exploit other issues. \n\nWorkarounds\n-----------\nInstall vendor supplied update. \n\n\n\n\nAbout X41 D-Sec GmbH\n--------------------\nX41 D-Sec is a provider of application security services. We focus on\napplication code reviews, design review and security testing. X41 D-Sec\nGmbH was founded in 2015 by Markus Vervier. We support customers in\nvarious industries such as finance, software development and public\ninstitutions. \n\nTimeline\n--------\n2017-04-07\tIssue found\n2017-04-10\tVendor asked for security contact\n2017-04-11\tVendor replied, send GPG key\n2017-04-11\tInformation supplied to vendor\n2017-04-11\tVendor acknowledges that the information is received\n2017-04-17\tVendor acknowledges SQL injection\n2017-05-08\tCVE IDs for all issues requested\n2017-05-08\tCVE IDs assigned\n2017-05-11\tVendor informed about CVE IDs\n2017-05-29\tVersion provided to X41 for testing\n2017-05-31\tFirst test results send back to the vendor\n2017-06-01\tRemaining test results send back to the vendor\n2017-06-05\tCoordinated Firmware and Advisory release\n\n-- \nX41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen\nT: +49 241 9809418-0, Fax: -9\nUnternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989\nGeschA$?ftsfA1/4hrer: Markus Vervier\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "PACKETSTORM",
        "id": "142801"
      }
    ],
    "trust": 2.34
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-117038",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-8835",
        "trust": 3.2
      },
      {
        "db": "EXPLOIT-DB",
        "id": "42130",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "142801",
        "trust": 0.2
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-93186",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "PACKETSTORM",
        "id": "142801"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "id": "VAR-201706-0987",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      }
    ],
    "trust": 1.6375
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:40:57.023000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Peplink Balance",
        "trust": 0.8,
        "url": "https://www.peplink.com/products/balance/"
      },
      {
        "title": "Patches for SQL injection vulnerabilities in several PeplinkBalance products",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/95356"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.2,
        "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/"
      },
      {
        "trust": 2.3,
        "url": "http://seclists.org/bugtraq/2017/jun/1"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/42130/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8835"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8835"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8841"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8838"
      },
      {
        "trust": 0.1,
        "url": "https://ip/cgi-bin/hasync/hasync.cgi?debug=1\u0026syncid=123%3cscript%3ealert%281%29%3c/script%3e"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8837"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8839"
      },
      {
        "trust": 0.1,
        "url": "https://www.peplink.com/"
      },
      {
        "trust": 0.1,
        "url": "https://ip/cgi-bin/manga/admin.cgi."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8836"
      },
      {
        "trust": 0.1,
        "url": "https://ip/cgi-bin/manga/admin.cgi\""
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-8840"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "PACKETSTORM",
        "id": "142801"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "db": "PACKETSTORM",
        "id": "142801"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-06-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "date": "2017-06-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "date": "2017-06-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "date": "2017-06-05T18:59:14",
        "db": "PACKETSTORM",
        "id": "142801"
      },
      {
        "date": "2017-05-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "date": "2017-06-05T14:29:00.420000",
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-06-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-09525"
      },
      {
        "date": "2017-08-13T00:00:00",
        "db": "VULHUB",
        "id": "VHN-117038"
      },
      {
        "date": "2017-06-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      },
      {
        "date": "2017-06-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      },
      {
        "date": "2024-11-21T03:34:48.003000",
        "db": "NVD",
        "id": "CVE-2017-8835"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "142801"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  Peplink Balance In the device product firmware  SQL Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004608"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-330"
      }
    ],
    "trust": 0.6
  }
}

ghsa-cwh4-2qh3-3jxc

Vulnerability from github

Published

2022-05-17 02:14

Modified

2025-04-20 03:38

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-8835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-05T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.",
  "id": "GHSA-cwh4-2qh3-3jxc",
  "modified": "2025-04-20T03:38:29Z",
  "published": "2022-05-17T02:14:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8835"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42130"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2017/Jun/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2017-8835 (GCVE-0-2017-8835)

Vulnerability from cvelistv5

gsd-2017-8835

Vulnerability from gsd

cnvd-2017-09525

Vulnerability from cnvd

fkie_cve-2017-8835

Vulnerability from fkie_nvd

var-201706-0987

Vulnerability from variot

Multiple Vulnerabilities in peplink balance routers

Overview

Summary and Impact

Product Description

SQL Injection via bauth Cookie

Summary and Impact

Workarounds

No CSRF Protection

Summary and Impact

Workarounds

Passwords stored in Cleartext

Summary and Impact

Workarounds

XSS via syncid Parameter

Summary and Impact

Workarounds

XSS via preview.cgi

Summary and Impact

Workarounds

File Deletion

Summary and Impact

Workarounds

Information Disclosure

Summary and Impact

Workarounds

About X41 D-Sec GmbH

Timeline

ghsa-cwh4-2qh3-3jxc

Vulnerability from github

Tags

Sightings

Nomenclature