CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
75.9%
ZyXEL Wireless N300 NetUSB Router NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions, is susceptible to multiple vulnerabilities. Other device models that use similar firmware may also be vulnerable.
ZyXEL Wireless N300 NetUSB Router NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions, has been reported to contain multiple vulnerabilities.
**CWE-425: Direct Request -**CVE-2014-0353
Authentication for content located in any subdirectory of the web root may be bypassed by escaping the “/” characters in the URL. For example, curl -v "http://<deviceip>/local%2Fadvance%2Fwlan.asp"
CWE-259: Use of Hard-coded Password** -**CVE-2014-0354
A hard-coded password of qweasdzxc may be used to login to the index.asp page.
**CWE-121: Stack-based Buffer Overflow -**CVE-2014-0355
The checkWeather
function is vulnerable to a buffer overflow when parsing the forecastrss
xml file provided from hxxp://weather.yahooapis.com/forecastrss. The vulnerability may be triggered with the following XML content: <yweather:condition text="Partly Cloudy" code="47" temp="<overflow data goes here>"
. An attacker would need a man-in-the middle vantage point to exploit this vulnerability and the user would need to access index.asp in a web browser to trigger the download.
The detectWeather
function is vulnerable to a buffer overflow of the WeatherCity
and WeatherDegree
variables.
The UpnpAddRunRLQoS()
, UpnpDeleteRunRLQoS()
, and UpnpDeletePortCheckType()
functions are reported to be vulnerable to a buffer overflow vulnerability.
The udps
command SET COUNTRY
is reported to be vulnerable to command injection and a buffer overflow.
**CWE-78: Improper Neutralization of Special Elements used in an OS Command -**CVE-2014-0356
The detectWeather()
, set_language()
, SystemCommand()
, and NTPSyncWithHost()
functions in management.c
are reported to be vulnerable to command injection.
The udps
commands SET COUNTRY
, SET WLAN SSID
, SET WLAN CHANNEL
, SET WLAN STATUS
, SET WLAN COUNTRY
are reported to be vulnerable to command injection. The udps process is only accessible from the LAN side.
The CVSS score below was calculated for CVE-2014-0356.
A remote unauthenticated attacker on the local area network may be able to inject arbitrary commands or run arbitrary code.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds.
Restrict Access
As a general good security practice, only allow connections from trusted hosts and networks. Do not enable remote management of the device on the WAN interface.
939260
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 23, 2014 Updated: March 10, 2014
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 5.7 | E:U/RL:W/RC:UC |
Environmental | 5.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to the reporter who wishes to remain anonymous for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | CVE-2014-0353, CVE-2014-0354, CVE-2014-0355, CVE-2014-0356 |
---|---|
Date Public: | 2014-03-10 Date First Published: |