Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities

Overview

The Phillipine Long Distance Telephone (PLDT) company provides internet access in the Phillippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected.

Description

PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contains multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991

The form2WlanSetup.cgi page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link when performs administrative actions such as changing the device’s network settings.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992

The form2WlanSetup.cgi page contains an “ssid” parameter which is vulnerable to cross-site scripting.

CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) - CVE-2015-5993

The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter “ipaddr” with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.

CWE-798: Use of Hard-coded Credentials

Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576.

The reporter also states that the BaudTec (300Mbps WLAN ADSL2+ Router) with firmware version RNR4_A72T_PLD_0.19 may also be vulnerable to the above vulnerabilities.

The CVSS score below is based on CVE-2015-5991.

---

Impact

A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

---

Vendor Information

525276

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Philippine Long Distance Telephone Affected

Notified: June 02, 2015 Updated: August 28, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	7.4	AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal	6.3	E:POC/RL:U/RC:UR
Environmental	4.7	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs:	CVE-2015-5991, CVE-2015-5992, CVE-2015-5993
Date Public:	2015-08-31 Date First Published: