cvelistv5 - cve-2018-14782

CVE-2018-14782 (GCVE-0-2018-14782)

Vulnerability from cvelistv5

Published

2018-08-10 19:00

Modified

2024-09-16 17:34

Severity ?

CWE

CWE-200 - INFORMATION EXPOSURE

Summary

NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.

References

URL

	Vendor	Product	Version
	ICS-CERT	NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior.	Version: NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior.

gsd-2018-14782

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.

Aliases

CVE-2018-14782

Aliases

CVE-2018-14782

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-14782",
    "description": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.",
    "id": "GSD-2018-14782"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-14782"
      ],
      "details": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.",
      "id": "GSD-2018-14782",
      "modified": "2023-12-13T01:22:38.422050Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2018-08-09T00:00:00",
        "ID": "CVE-2018-14782",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior.",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ICS-CERT"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "INFORMATION EXPOSURE CWE-200"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02"
          },
          {
            "name": "105053",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/105053"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:netcommwireless:nwl-25_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.0.29.11",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:netcommwireless:nwl-25:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2018-14782"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02"
            },
            {
              "name": "105053",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/105053"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:35Z",
      "publishedDate": "2018-08-10T19:29Z"
    }
  }
}

fkie_cve-2018-14782

Vulnerability from fkie_nvd

Published

2018-08-10 19:29

Modified

2024-11-21 03:49

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/105053	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/105053	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	netcommwireless	nwl-25_firmware	*
	netcommwireless	nwl-25	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:netcommwireless:nwl-25_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B81519F-EB05-44C4-B556-3AB37712C5EE",
              "versionEndIncluding": "2.0.29.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:netcommwireless:nwl-25:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C98F89F-1D4D-4B1C-A4C2-FD4CC4B5F5A1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user."
    },
    {
      "lang": "es",
      "value": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) con firmware en versiones 2.0.29.11 y anteriores. El dispositivo permite el acceso a los archivos de configuraci\u00f3n y perfiles sin autenticar el usuario."
    }
  ],
  "id": "CVE-2018-14782",
  "lastModified": "2024-11-21T03:49:46.880",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-08-10T19:29:00.490",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105053"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105053"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user. An information disclosure vulnerability exists in NetCommNWL-25 using firmware version 2.0.29.11 and earlier, which could allow an attacker to gain access to a configuration file without authentication. Multiple information disclosure Vulnerabilities. 2. An cross-site request forgery vulnerability. 3. An cross-site scripting vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials and gain access to sensitive information. Failed exploit attempts will likely result in denial of service conditions

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201808-0371",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "nwl-25",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "netcommwireless",
        "version": "2.0.29.11"
      },
      {
        "model": "wireless g lte light industrial m2m router",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "netcomm",
        "version": "2.0.29.11"
      },
      {
        "model": "wireless 4g lte light industrial m2m router",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "netcomm",
        "version": "\u003c=2.0.29.11"
      },
      {
        "model": "nwl-25",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "netcommwireless",
        "version": "2.0.29.11"
      },
      {
        "model": "wireless 4g lte light industrial m2m router",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "netcomm",
        "version": "2.0.29.11"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "BID",
        "id": "105053"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:netcommwireless:nwl-25_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Aditya K. Sood",
    "sources": [
      {
        "db": "BID",
        "id": "105053"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2018-14782",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-14782",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-10270",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-124976",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-14782",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "Low",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-14782",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-14782",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-14782",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-10270",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201808-285",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-124976",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user. An information disclosure vulnerability exists in NetCommNWL-25 using firmware version 2.0.29.11 and earlier, which could allow an attacker to gain access to a configuration file without authentication. Multiple information disclosure Vulnerabilities. \n2. An cross-site request forgery vulnerability. \n3. An cross-site scripting vulnerability. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials and gain access to sensitive information. Failed exploit attempts will likely result in denial of service conditions",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "BID",
        "id": "105053"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      }
    ],
    "trust": 2.52
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-14782",
        "trust": 3.4
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-18-221-02",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "105053",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "db": "BID",
        "id": "105053"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "id": "VAR-201808-0371",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      }
    ],
    "trust": 1.3948052
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:52:55.536000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.netcommwireless.com/"
      },
      {
        "title": "Patch for NetCommNWL-25 Information Disclosure Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/158875"
      },
      {
        "title": "NetComm Wireless G LTE Light Industrial M2M Router(NWL-25) Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83911"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.9
      },
      {
        "problemtype": "CWE-200",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-221-02"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/105053"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14782"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14782"
      },
      {
        "trust": 0.3,
        "url": "https://www.netcommwireless.com/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "db": "BID",
        "id": "105053"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "db": "BID",
        "id": "105053"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "date": "2018-08-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "date": "2018-08-09T00:00:00",
        "db": "BID",
        "id": "105053"
      },
      {
        "date": "2018-11-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "date": "2018-08-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "date": "2018-08-10T19:29:00.490000",
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-10270"
      },
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-124976"
      },
      {
        "date": "2018-08-09T00:00:00",
        "db": "BID",
        "id": "105053"
      },
      {
        "date": "2018-11-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      },
      {
        "date": "2024-11-21T03:49:46.880000",
        "db": "NVD",
        "id": "CVE-2018-14782"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "NetComm Wireless G LTE Light Industrial M2M Router Authentication vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-008975"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-285"
      }
    ],
    "trust": 0.6
  }
}

ICSA-18-221-02

Vulnerability from csaf_cisa

Published

2018-08-09 00:00

Modified

2018-08-09 00:00

Summary

NetComm Wireless 4G LTE Light Industrial M2M Router

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow for the exposure of sensitive information.

Critical infrastructure sectors

Communications

Countries/areas deployed

Worldwide

Company headquarters location

Australia

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Aditya K. Sood"
        ],
        "summary": "reporting these vulnerabilities to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow for the exposure of sensitive information.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Communications",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Australia",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-221-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-221-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-221-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-221-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "NetComm Wireless 4G LTE Light Industrial M2M Router",
    "tracking": {
      "current_release_date": "2018-08-09T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-18-221-02",
      "initial_release_date": "2018-08-09T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-08-09T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-18-221-02 NetComm Wireless 4G LTE Light Industrial M2M Router"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2.0.29.11",
                "product": {
                  "name": "4G LTE Light Industrial M2M Router (NWL-25) with: firmware 2.0.29.11 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "4G LTE Light Industrial M2M Router (NWL-25) with"
          }
        ],
        "category": "vendor",
        "name": "NetComm Wireless"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-14782",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device allowsaccess to configuration files and profiles without authenticating the user.CVE-2018-14782 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14782"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14783",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.CVE-2018-14783 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14783"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14784",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.CVE-2018-14784 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14784"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14785",
      "cwe": {
        "id": "CWE-548",
        "name": "Exposure of Information Through Directory Listing"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The directory of the device is listed openly without authentication.CVE-2018-14785 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14785"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

icsa-18-221-02

Vulnerability from csaf_cisa

Published

2018-08-09 00:00

Modified

2018-08-09 00:00

Summary

NetComm Wireless 4G LTE Light Industrial M2M Router

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of these vulnerabilities could allow for the exposure of sensitive information.

Critical infrastructure sectors

Communications

Countries/areas deployed

Worldwide

Company headquarters location

Australia

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Aditya K. Sood"
        ],
        "summary": "reporting these vulnerabilities to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow for the exposure of sensitive information.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Communications",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Australia",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-221-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-221-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-221-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-221-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "NetComm Wireless 4G LTE Light Industrial M2M Router",
    "tracking": {
      "current_release_date": "2018-08-09T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-18-221-02",
      "initial_release_date": "2018-08-09T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-08-09T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-18-221-02 NetComm Wireless 4G LTE Light Industrial M2M Router"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2.0.29.11",
                "product": {
                  "name": "4G LTE Light Industrial M2M Router (NWL-25) with: firmware 2.0.29.11 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "4G LTE Light Industrial M2M Router (NWL-25) with"
          }
        ],
        "category": "vendor",
        "name": "NetComm Wireless"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-14782",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device allowsaccess to configuration files and profiles without authenticating the user.CVE-2018-14782 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14782"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14783",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.CVE-2018-14783 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14783"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14784",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.CVE-2018-14784 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14784"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-14785",
      "cwe": {
        "id": "CWE-548",
        "name": "Exposure of Information Through Directory Listing"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The directory of the device is listed openly without authentication.CVE-2018-14785 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14785"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "NetComm Wireless has released a new firmware version to mitigate the vulnerabilities. Affected users may download the firmware from: https://support.netcommwireless.com/product/nwl-25#Firmware",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.netcommwireless.com/product/nwl-25#Firmware"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

ghsa-c9h3-cr9m-xr3g

Vulnerability from github

Published

2022-05-13 01:34

Modified

2022-05-13 01:34

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-14782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-10T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.",
  "id": "GHSA-c9h3-cr9m-xr3g",
  "modified": "2022-05-13T01:34:28Z",
  "published": "2022-05-13T01:34:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14782"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cnvd-2019-10270

Vulnerability from cnvd

Title

NetComm NWL-25信息泄露漏洞

Description

NetComm NWL-25是一款4G LTE工业级M2M路由器。使用2.0.29.11及更早版本固件的NetComm NWL-25存在信息泄露漏洞，攻击者可利用该漏洞无需认证即可访问配置文件。

Severity

中

Patch Name

NetComm NWL-25信息泄露漏洞的补丁

Patch Description

NetComm NWL-25是一款4G LTE工业级M2M路由器。使用2.0.29.11及更早版本固件的NetComm NWL-25存在信息泄露漏洞，攻击者可利用该漏洞无需认证即可访问配置文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.netcommwireless.com/product/nwl-25#Firmware

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-14782

Impacted products

Name
NetComm Wireless 4G LTE Light Industrial M2M Router <=2.0.29.11

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-14782"
    }
  },
  "description": "NetComm NWL-25\u662f\u4e00\u6b3e4G LTE\u5de5\u4e1a\u7ea7M2M\u8def\u7531\u5668\u3002\n\n\u4f7f\u75282.0.29.11\u53ca\u66f4\u65e9\u7248\u672c\u56fa\u4ef6\u7684NetComm NWL-25\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8bbf\u95ee\u914d\u7f6e\u6587\u4ef6\u3002",
  "discovererName": "Aditya K. Sood",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.netcommwireless.com/product/nwl-25#Firmware",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-10270",
  "openTime": "2019-04-17",
  "patchDescription": "NetComm NWL-25\u662f\u4e00\u6b3e4G LTE\u5de5\u4e1a\u7ea7M2M\u8def\u7531\u5668\u3002\r\n\r\n\u4f7f\u75282.0.29.11\u53ca\u66f4\u65e9\u7248\u672c\u56fa\u4ef6\u7684NetComm NWL-25\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8bbf\u95ee\u914d\u7f6e\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "NetComm NWL-25\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "NetComm Wireless 4G LTE Light Industrial M2M Router \u003c=2.0.29.11"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-14782",
  "serverity": "\u4e2d",
  "submitTime": "2018-08-13",
  "title": "NetComm NWL-25\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-14782 (GCVE-0-2018-14782)

Vulnerability from cvelistv5

gsd-2018-14782

Vulnerability from gsd

fkie_cve-2018-14782

Vulnerability from fkie_nvd

var-201808-0371

Vulnerability from variot

ICSA-18-221-02

Vulnerability from csaf_cisa

icsa-18-221-02

Vulnerability from csaf_cisa

ghsa-c9h3-cr9m-xr3g

Vulnerability from github

cnvd-2019-10270

Vulnerability from cnvd

Tags

Sightings

Nomenclature