CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
46.4%
Multiple AVM FRITZ!Box devices are prone to a DNS rebinding protection bypass.
# Copyright (C) 2020 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/o:avm:fritz%21_os";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.108950");
script_version("2021-08-11T08:56:08+0000");
script_cve_id("CVE-2020-26887");
script_tag(name:"cvss_base", value:"4.6");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_tag(name:"last_modification", value:"2021-08-11 08:56:08 +0000 (Wed, 11 Aug 2021)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2020-11-03 01:36:00 +0000 (Tue, 03 Nov 2020)");
script_tag(name:"creation_date", value:"2020-10-20 05:45:25 +0000 (Tue, 20 Oct 2020)");
script_name("AVM FRITZ!Box DNS Rebinding Protection Bypass (CVE-2020-26887)");
script_category(ACT_GATHER_INFO);
script_family("General");
script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
script_dependencies("gb_avm_fritz_box_detect.nasl");
script_mandatory_keys("avm/fritz/model", "avm/fritz/firmware_version");
script_xref(name:"URL", value:"https://en.avm.de/service/security-information-about-updates/");
script_xref(name:"URL", value:"https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-003/-fritz-box-dns-rebinding-protection-bypass");
script_tag(name:"summary", value:"Multiple AVM FRITZ!Box devices are prone to a DNS rebinding protection bypass.");
script_tag(name:"insight", value:"FRITZ!Box router devices employ a protection mechanism against DNS rebinding
attacks. If a DNS answer points to an IP address in the private network range of the router, the answer is
suppressed. Suppose the FRITZ!Box routers DHCP server is in its default configuration and serves the private
IP range of 192.168.178.1/24. If a DNS request is made by a connected device, which resolves to an IPv4 address
in the configured private IP range (for example 192.168.178.20) an empty answer is returned. However, if
instead the DNS answer contains an AAAA-record with the same private IP address in its IPv6 representation
(::ffff:192.168.178.20) it is returned successfully. Furthermore, DNS requests which resolve to the loopback
address 127.0.0.1 or the special address 0.0.0.0 can be retrieved, too.");
script_tag(name:"impact", value:"The flaw allows to resolve DNS answers that point to IP addresses in the
private local network, despite the DNS rebinding protection mechanism.");
script_tag(name:"affected", value:"- AVM FRITZ!Box 6490 and 6590 running AVM FRITZ!OS before version 7.20
- Other AVM FRITZ!Box devices running AVM FRITZ!OS before version 7.21");
script_tag(name:"vuldetect", value:"Check the AVM FRITZ!OS version.");
script_tag(name:"solution", value:"Update to AVM FRITZ!OS 7.20 / 7.21 or later.");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("version_func.inc");
include("host_details.inc");
if( ! fw_version = get_app_version( cpe:CPE, nofork:TRUE ) )
exit( 0 );
if( ! model = get_kb_item( "avm/fritz/model" ) )
exit( 0 );
if( model =~ "6[45]90" )
patch = "7.20";
else
patch = "7.21";
if( version_is_less( version:fw_version, test_version:patch ) ) {
report = 'Model: ' + model + '\n';
report += 'Installed Firmware: ' + fw_version + '\n';
report += 'Fixed Firmware: ' + patch;
security_message( port:0, data:report );
exit( 0 );
}
exit( 99 );
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
46.4%