CVE-2018-17532 (GCVE-0-2018-17532)

Vulnerability from cvelistv5

Published

2018-10-15 19:00

Modified

2024-08-05 10:47

Severity ?

CWE

Summary

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2018/Oct/27	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2018/Oct/27	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:47:05.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20181011 [SBA-ADV-20180319-01] CVE-2018-17532: Teltonika RUT9XX Unauthenticated OS Command Injection",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-10-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-15T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20181011 [SBA-ADV-20180319-01] CVE-2018-17532: Teltonika RUT9XX Unauthenticated OS Command Injection",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-17532",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20181011 [SBA-ADV-20180319-01] CVE-2018-17532: Teltonika RUT9XX Unauthenticated OS Command Injection",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
            },
            {
              "name": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection",
              "refsource": "MISC",
              "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-17532",
    "datePublished": "2018-10-15T19:00:00",
    "dateReserved": "2018-09-25T00:00:00",
    "dateUpdated": "2024-08-05T10:47:05.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-17532\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-10-15T19:29:01.617\",\"lastModified\":\"2024-11-21T03:54:33.640\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.\"},{\"lang\":\"es\",\"value\":\"Los routers Teltonika RUT9XX con firmware en versiones anteriores a la 00.04.233 son propensos a sufrir m\u00faltiples vulnerabilidades de inyecci\u00f3n de comandos del sistema operativo sin autenticar en autologin.cgi y hotspotlogin.cgi debido al saneamiento insuficiente de entradas de usuario. Esto permite que los atacantes remotos ejecuten comandos arbitrarios con privilegios root.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:teltonika:rut900_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"00.04.233\",\"matchCriteriaId\":\"1FAF23FC-E917-4BF6-91EA-3841C8A85072\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:teltonika:rut900:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9D1E794-1212-43CC-BA30-551EE45FA646\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:teltonika:rut950_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"00.04.233\",\"matchCriteriaId\":\"B1125937-EF97-4862-B975-73EA8D3E1F6F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:teltonika:rut950:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CE17C85-9A69-41FB-AB96-0DCAB72309A0\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:teltonika:rut955_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"00.04.233\",\"matchCriteriaId\":\"BC247689-3C29-44DB-8F36-70732EB5BBFF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:teltonika:rut955:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F29C3F1-DFAF-433A-8B1E-4BD2A8DF6C1E\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2018/Oct/27\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2018/Oct/27\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

fkie_cve-2018-17532

Vulnerability from fkie_nvd

Published

2018-10-15 19:29

Modified

2024-11-21 03:54

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2018/Oct/27	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2018/Oct/27	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
teltonika	rut900_firmware	*
teltonika	rut900	-
teltonika	rut950_firmware	*
teltonika	rut950	-
teltonika	rut955_firmware	*
teltonika	rut955	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:teltonika:rut900_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1FAF23FC-E917-4BF6-91EA-3841C8A85072",
              "versionEndExcluding": "00.04.233",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:teltonika:rut900:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9D1E794-1212-43CC-BA30-551EE45FA646",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:teltonika:rut950_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1125937-EF97-4862-B975-73EA8D3E1F6F",
              "versionEndExcluding": "00.04.233",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:teltonika:rut950:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CE17C85-9A69-41FB-AB96-0DCAB72309A0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:teltonika:rut955_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC247689-3C29-44DB-8F36-70732EB5BBFF",
              "versionEndExcluding": "00.04.233",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:teltonika:rut955:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F29C3F1-DFAF-433A-8B1E-4BD2A8DF6C1E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges."
    },
    {
      "lang": "es",
      "value": "Los routers Teltonika RUT9XX con firmware en versiones anteriores a la 00.04.233 son propensos a sufrir m\u00faltiples vulnerabilidades de inyecci\u00f3n de comandos del sistema operativo sin autenticar en autologin.cgi y hotspotlogin.cgi debido al saneamiento insuficiente de entradas de usuario. Esto permite que los atacantes remotos ejecuten comandos arbitrarios con privilegios root."
    }
  ],
  "id": "CVE-2018-17532",
  "lastModified": "2024-11-21T03:54:33.640",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-10-15T19:29:01.617",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-9936-24wm-39mx

Vulnerability from github

Published

2022-05-14 01:54

Modified

2022-05-14 01:54

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-17532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-15T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.",
  "id": "GHSA-9936-24wm-39mx",
  "modified": "2022-05-14T01:54:36Z",
  "published": "2022-05-14T01:54:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2018-17532

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2018-17532

Aliases

CVE-2018-17532

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-17532",
    "description": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.",
    "id": "GSD-2018-17532",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-17532"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-17532"
      ],
      "details": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.",
      "id": "GSD-2018-17532",
      "modified": "2023-12-13T01:22:30.961745Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-17532",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20181011 [SBA-ADV-20180319-01] CVE-2018-17532: Teltonika RUT9XX Unauthenticated OS Command Injection",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
          },
          {
            "name": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
          },
          {
            "name": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection",
            "refsource": "MISC",
            "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:teltonika:rut900_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "00.04.233",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:teltonika:rut900:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:teltonika:rut950_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "00.04.233",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:teltonika:rut950:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:teltonika:rut955_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "00.04.233",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:teltonika:rut955:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-17532"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection"
            },
            {
              "name": "20181011 [SBA-ADV-20180319-01] CVE-2018-17532: Teltonika RUT9XX Unauthenticated OS Command Injection",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2018/Oct/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-11-30T14:12Z",
      "publishedDate": "2018-10-15T19:29Z"
    }
  }
}

cnvd-2019-18494

Vulnerability from cnvd

Title: Teltonika RUT9XX OS命令注入漏洞

Description:

Teltonika RUT9XX routers (又称LuCI)是立陶宛Teltonika公司的一款路由器产品。

固件版本低于00.04.233的Teltonika RUT9XX中的autologin.cgi和hotspotlogin.cgi存在OS命令注入漏洞，远程攻击者可利用该漏洞以root权限执行任意命令。

Severity: 高

Patch Name: Teltonika RUT9XX OS命令注入漏洞的补丁

Patch Description:

Teltonika RUT9XX routers (又称LuCI)是立陶宛Teltonika公司的一款路由器产品。

固件版本低于00.04.233的Teltonika RUT9XX中的autologin.cgi和hotspotlogin.cgi存在OS命令注入漏洞，远程攻击者可利用该漏洞以root权限执行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://teltonika.lt/product/rut955/

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-17532

Impacted products

Name
Teltonika RUT9XX <00.04.233

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-17532"
    }
  },
  "description": "Teltonika RUT9XX routers (\u53c8\u79f0LuCI)\u662f\u7acb\u9676\u5b9bTeltonika\u516c\u53f8\u7684\u4e00\u6b3e\u8def\u7531\u5668\u4ea7\u54c1\u3002\n\n\u56fa\u4ef6\u7248\u672c\u4f4e\u4e8e00.04.233\u7684Teltonika RUT9XX\u4e2d\u7684autologin.cgi\u548chotspotlogin.cgi\u5b58\u5728OS\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://teltonika.lt/product/rut955/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-18494",
  "openTime": "2019-06-19",
  "patchDescription": "Teltonika RUT9XX routers (\u53c8\u79f0LuCI)\u662f\u7acb\u9676\u5b9bTeltonika\u516c\u53f8\u7684\u4e00\u6b3e\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\n\u56fa\u4ef6\u7248\u672c\u4f4e\u4e8e00.04.233\u7684Teltonika RUT9XX\u4e2d\u7684autologin.cgi\u548chotspotlogin.cgi\u5b58\u5728OS\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Teltonika RUT9XX OS\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Teltonika RUT9XX \u003c00.04.233"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-17532",
  "serverity": "\u9ad8",
  "submitTime": "2018-10-16",
  "title": "Teltonika RUT9XX OS\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

var-201810-0455

Vulnerability from variot

Identifier : SBA-ADV-20180319-01
Type of Vulnerability : OS Command Injection
Software/Product Name : Teltonika RUT955
Vendor : Teltonika
Affected Versions : Firmware RUT9XX_R_00.04.172 and probably prior
Fixed in Version : RUT9XX_R_00.04.233
CVE ID : CVE-2018-17532
CVSSv3 Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score : 9.8 (Critical)

Vendor Description

RUT955 is a highly reliable and secure LTE router with I/O, GNSS and RS232/RS485 for professional applications. Router delivers high performance, mission-critical cellular communication and GPS location capabilities.

Source: https://teltonika.lt/product/rut955/

Impact

An attacker can fully compromise the device, by exploiting the vulnerabilities documented in this advisory. Sensitive data stored or transmitted via the device might get exposed through this attack.

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which includes fixes for the vulnerabilities described in this advisory. The scripts are part of the coova-chilli captive portal. However, the vulnerabilities are exploitable regardless of the device configuration, even if no captive portal is configured.

More concretely, the following parameters are vulnerable:

/cgi-bin/autologin.cgi
reply
uamport
challenge
userurl
res
reason
If res=success
- uamip
- uamport
- userurl
/cgi-bin/hotspotlogin.cgi
If send=1
- uamip
- TelNum
- challenge
- uamport
- userurl
If button=1 or (res=wispr and UserName=1)
- uamport
- uamip
If res=success or res=already or res=popup2
- uamip
- uamport
If res=logoff or res=popup3
- uamip
- uamport

The affected scripts use these parameters to build OS commands via string concatenation without proper sanitization.

The vulnerabilities are located in the source files hotspotlogin.cgi and landing_page_functions.lua, which is included from autologin.cgi and hotspotlogin.cgi.

For example, it provides the function getParam, which directly passes the argument to io.popen:

lua [...] function getParam(string) local h = io.popen(string) local t = h:read() h:close() return t end [...]

landing_page_functions.lua also provides the functions debug and get_ifname, which use os.execute and getParam in an insecure way:

lua [...] function debug(string) if debug_enable == 1 then os.execute("/usr/bin/logger -t hotspotlogin.cgi \""..string.."\"") end end [...] function get_ifname(ip) local result = getParam(format("ip addr | grep \"%s\"", ip)) local tun = string.match(result, "(tun%d+)") local ifname = "wlan0" [...]

For example, hotspotlogin.cgi makes use of the functions get_ifname and getParam. Occasionally, it also insecurely uses os.execute directly:

```lua [...] if send and send ~= "" and tel_num then local ifname = get_ifname(uamip) local pass = generate_code(ifname) or "0000" tel_num = tel_num:gsub("%%2B", "+") local exists = getParam("grep \"" ..tel_num.. "\" /etc/chilli/" .. ifname .. "/smsusers") local user = string.format("%s", pass) local uri = os.getenv("REQUEST_URI") local message = string.format("%s Password - %s \n Link - http://%s%s?challenge=%s&uamport=%s&uamip=%s&userurl=%s&UserName=%s&button=1", tel_num, pass, uamip, uri, challenge, uamport, uamip, userurl, pass) local smsotp_mesg=string.format("%s;%s", tel_num, pass) message = getParam(string.format("/usr/sbin/gsmctl -Ss \"%s\"", message))

    if message == "OK" then
            os.execute("echo \""..smsotp_mesg.."\" >> /tmp/smsotp.log")
            sms = "sent"
            if exists then
                    os.execute("sed -i 's/" ..exists.. "/" ..user.. "/g' /etc/chilli/" .. ifname .. "/smsusers")
            else
                    os.execute("echo \"" ..user.. "\" >>/etc/chilli/" .. ifname .. "/smsusers")
            end

[...] ```

In one of the first lines of the above code snippet, hotspotlogin.cgi calls get_ifname with unsanitized user input from the parameter uamip. A few lines later it calls getParam with unsanitized user input from the parameter TelNum. In a further call to getParam it uses more unsanitized user input.

There are futher locations that call insecure functions like debug and get_ifname either directly or indirectly with user input from the scripts autologin.cgi and hotspotlogin.cgi.

Proof-of-Concept

For example, an attacker can exploit this vulnerability by manipulating the uamip parameter:

sh curl -v -o /dev/null "http://$IP/cgi-bin/hotspotlogin.cgi" -d 'send=1&uamip="; id >/tmp/test #'

The device executes the commands with root privileges:

```bash

cat /tmp/test

uid=0(root) gid=0(root) ```

Timeline

2018-03-19 identification of vulnerability in version RUT9XX_R_00.04.84
2018-04-10 detailed analysis of version RUT9XX_R_00.04.161
2018-04-16 re-test of version RUT9XX_R_00.04.172
2018-04-16 initial vendor contact through public address
2018-04-18 vendor response with security contact
2018-04-19 disclosed vulnerability to vendor security contact
2018-04-26 vendor released fix in version RUT9XX_R_00.04.233
2018-07-09 re-test of version RUT9XX_R_00.05.00.5
2018-09-25 request CVE from MITRE
2018-09-26 MITRE assigned CVE-2018-17532
2018-10-11 public disclosure

References

Firmware Changelog: https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware

Credits

David Gnedt (SBA Research)

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201810-0455",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rut900",
        "scope": "lt",
        "trust": 1.8,
        "vendor": "teltonika",
        "version": "00.04.233"
      },
      {
        "model": "rut950",
        "scope": "lt",
        "trust": 1.8,
        "vendor": "teltonika",
        "version": "00.04.233"
      },
      {
        "model": "rut955",
        "scope": "lt",
        "trust": 1.8,
        "vendor": "teltonika",
        "version": "00.04.233"
      },
      {
        "model": "rut9xx",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "teltonika",
        "version": "00.04.233"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:teltonika:rut900_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:teltonika:rut950_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:teltonika:rut955_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "David Gnedt",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "149777"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-17532",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-17532",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-18494",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-17532",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-17532",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-17532",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-18494",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201810-710",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-17532",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges. TeltonikaRUT9XXrouters (also known as LuCI) is a router product from Teltonika, Lithuania. \n\n* **Identifier**            : SBA-ADV-20180319-01\n* **Type of Vulnerability** : OS Command Injection\n* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)\n* **Vendor**                : [Teltonika](https://teltonika.lt/)\n* **Affected Versions**     : Firmware RUT9XX_R_00.04.172 and probably prior\n* **Fixed in Version**      : RUT9XX_R_00.04.233\n* **CVE ID**                : CVE-2018-17532\n* **CVSSv3 Vector**         : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n* **CVSSv3 Base Score**     : 9.8 (Critical)\n\n## Vendor Description ##\n\n\u003e RUT955 is a highly reliable and secure LTE router with I/O, GNSS and\n\u003e RS232/RS485 for professional applications. Router delivers high\n\u003e performance, mission-critical cellular communication and GPS location\n\u003e capabilities. \n\nSource: \u003chttps://teltonika.lt/product/rut955/\u003e\n\n## Impact ##\n\nAn attacker can fully compromise the device, by exploiting the\nvulnerabilities documented in this advisory. Sensitive data stored or\ntransmitted via the device might get exposed through this attack. \n\nWe recommend upgrading to version RUT9XX_R_00.04.233 or newer, which\nincludes fixes for the vulnerabilities described in this advisory. The scripts are\npart of the coova-chilli captive portal. However, the vulnerabilities\nare exploitable regardless of the device configuration, even if no\ncaptive portal is configured. \n\nMore concretely, the following parameters are vulnerable:\n\n* `/cgi-bin/autologin.cgi`\n  * reply\n  * uamport\n  * challenge\n  * userurl\n  * res\n  * reason\n  * *If* res=success\n    * uamip\n    * uamport\n    * userurl\n* `/cgi-bin/hotspotlogin.cgi`\n  * *If* send=1\n    * uamip\n    * TelNum\n    * challenge\n    * uamport\n    * userurl\n  * *If* button=1 or (res=wispr and UserName=1)\n    * uamport\n    * uamip\n  * *If* res=success or res=already or res=popup2\n    * uamip\n    * uamport\n  * *If* res=logoff or res=popup3\n    * uamip\n    * uamport\n\nThe affected scripts use these parameters to build OS commands via\nstring concatenation without proper sanitization. \n\nThe vulnerabilities are located in the source files `hotspotlogin.cgi`\nand `landing_page_functions.lua`, which is included from `autologin.cgi`\nand `hotspotlogin.cgi`. \n\nFor example, it provides the function `getParam`, which directly passes\nthe argument to `io.popen`:\n\n```lua\n[...]\nfunction getParam(string)\n        local h = io.popen(string)\n        local t = h:read()\n        h:close()\n        return t\nend\n[...]\n```\n\n`landing_page_functions.lua` also provides the functions `debug` and\n`get_ifname`, which use `os.execute` and `getParam` in an insecure way:\n\n```lua\n[...]\nfunction debug(string)\n        if debug_enable == 1 then\n                os.execute(\"/usr/bin/logger -t hotspotlogin.cgi \\\"\"..string..\"\\\"\")\n        end\nend\n[...]\nfunction get_ifname(ip)\n        local result = getParam(format(\"ip addr | grep \\\"%s\\\"\", ip))\n        local tun = string.match(result, \"(tun%d+)\")\n        local ifname = \"wlan0\"\n[...]\n```\n\nFor example, `hotspotlogin.cgi` makes use of the functions `get_ifname` and\n`getParam`. Occasionally, it also insecurely uses `os.execute` directly:\n\n```lua\n[...]\nif send and send ~= \"\" and tel_num then\n        local ifname = get_ifname(uamip)\n        local pass = generate_code(ifname) or \"0000\"\n        tel_num = tel_num:gsub(\"%%2B\", \"+\")\n        local exists = getParam(\"grep \\\"\" ..tel_num.. \"\\\" /etc/chilli/\" .. ifname .. \"/smsusers\")\n        local user = string.format(\"%s\", pass)\n        local uri = os.getenv(\"REQUEST_URI\")\n        local message = string.format(\"%s Password - %s  \\n Link - http://%s%s?challenge=%s\u0026uamport=%s\u0026uamip=%s\u0026userurl=%s\u0026UserName=%s\u0026button=1\", tel_num, pass, uamip, uri, challenge, uamport, uamip, userurl, pass)\n        local smsotp_mesg=string.format(\"%s;%s\", tel_num, pass)\n        message = getParam(string.format(\"/usr/sbin/gsmctl -Ss \\\"%s\\\"\", message))\n\n        if message == \"OK\" then\n                os.execute(\"echo \\\"\"..smsotp_mesg..\"\\\" \u003e\u003e /tmp/smsotp.log\")\n                sms = \"sent\"\n                if exists then\n                        os.execute(\"sed -i \u0027s/\" ..exists.. \"/\" ..user.. \"/g\u0027 /etc/chilli/\" .. ifname .. \"/smsusers\")\n                else\n                        os.execute(\"echo \\\"\" ..user.. \"\\\" \u003e\u003e/etc/chilli/\" .. ifname .. \"/smsusers\")\n                end\n[...]\n```\n\nIn one of the first lines of the above code snippet, `hotspotlogin.cgi`\ncalls `get_ifname` with unsanitized user input from the parameter\n`uamip`. A few lines later it calls `getParam` with unsanitized user\ninput from the parameter `TelNum`. In a further call to `getParam` it\nuses more unsanitized user input. \n\nThere are futher locations that call insecure functions like `debug`\nand `get_ifname` either directly or indirectly with user input from the\nscripts `autologin.cgi` and `hotspotlogin.cgi`. \n\n## Proof-of-Concept ##\n\nFor example, an attacker can exploit this vulnerability by manipulating\nthe `uamip` parameter:\n\n```sh\ncurl -v -o /dev/null \"http://$IP/cgi-bin/hotspotlogin.cgi\" -d \u0027send=1\u0026uamip=\"; id \u003e/tmp/test #\u0027\n```\n\nThe device executes the commands with root privileges:\n\n```bash\n# cat /tmp/test\nuid=0(root) gid=0(root)\n```\n\n## Timeline ##\n\n* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84\n* `2018-04-10` detailed analysis of version RUT9XX_R_00.04.161\n* `2018-04-16` re-test of version RUT9XX_R_00.04.172\n* `2018-04-16` initial vendor contact through public address\n* `2018-04-18` vendor response with security contact\n* `2018-04-19` disclosed vulnerability to vendor security contact\n* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233\n* `2018-07-09` re-test of version RUT9XX_R_00.05.00.5\n* `2018-09-25` request CVE from MITRE\n* `2018-09-26` MITRE assigned CVE-2018-17532\n* `2018-10-11` public disclosure\n\n## References ##\n\n* Firmware Changelog: \u003chttps://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware\u003e\n\n## Credits ##\n\n* David Gnedt ([SBA Research](https://www.sba-research.org/))\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "db": "PACKETSTORM",
        "id": "149777"
      }
    ],
    "trust": 2.34
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-17532",
        "trust": 3.2
      },
      {
        "db": "PACKETSTORM",
        "id": "149777",
        "trust": 2.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "PACKETSTORM",
        "id": "149777"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "id": "VAR-201810-0455",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:12:19.248000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://teltonika.lt/"
      },
      {
        "title": "TeltonikaRUT9XXOS command injection vulnerability patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/163899"
      },
      {
        "title": "Teltonika RUT9XX Repair measures for router operating system command injection vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85807"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://packetstormsecurity.com/files/149777/teltonika-rut9xx-unauthenticated-os-command-injection.html"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/sbaresearch/advisories/tree/public/2018/sba-adv-20180319-01_teltonika_os_command_injection"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2018/oct/27"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-17532"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17532"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://teltonika.lt/)"
      },
      {
        "trust": 0.1,
        "url": "https://teltonika.lt/product/rut955/)"
      },
      {
        "trust": 0.1,
        "url": "http://%s%s?challenge=%s\u0026uamport=%s\u0026uamip=%s\u0026userurl=%s\u0026username=%s\u0026button=1\","
      },
      {
        "trust": 0.1,
        "url": "https://teltonika.lt/product/rut955/\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://$ip/cgi-bin/hotspotlogin.cgi\""
      },
      {
        "trust": 0.1,
        "url": "https://wiki.teltonika.lt/index.php?title=rut9xx_firmware\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://www.sba-research.org/))"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "PACKETSTORM",
        "id": "149777"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "db": "PACKETSTORM",
        "id": "149777"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-06-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "date": "2018-10-15T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "date": "2019-01-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "date": "2018-10-12T16:16:15",
        "db": "PACKETSTORM",
        "id": "149777"
      },
      {
        "date": "2018-10-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "date": "2018-10-15T19:29:01.617000",
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-06-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-18494"
      },
      {
        "date": "2018-11-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-17532"
      },
      {
        "date": "2019-01-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      },
      {
        "date": "2018-10-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      },
      {
        "date": "2024-11-21T03:54:33.640000",
        "db": "NVD",
        "id": "CVE-2018-17532"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "149777"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Teltonika RUT9XX In router firmware  OS Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-011063"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-710"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-17532 (GCVE-0-2018-17532)

Vulnerability from cvelistv5

fkie_cve-2018-17532

Vulnerability from fkie_nvd

ghsa-9936-24wm-39mx

Vulnerability from github

gsd-2018-17532

Vulnerability from gsd

cnvd-2019-18494

Vulnerability from cnvd

var-201810-0455

Vulnerability from variot

Vendor Description

Impact

Proof-of-Concept

cat /tmp/test

Timeline

References

Credits

Tags

Sightings

Nomenclature