Design/Logic Flaw

2020-08-0419:15:00

PRIOn knowledge base

www.prio-n.com

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device’s plus or reset button, an attacker can create a user with elevated privileges on the Sysbus-API. This can then be used to modify local or remote SSH access, thus allowing a login session as the superuser.

CPENameOperatorVersion
internet-box_2_firmwarelt10.04.38
internet-box_3_firmwarelt11.01.20
internet-box_light_firmwarelt08.06.06
internet-box_plus_firmwarelt10.04.38
internet-box_standard_firmwarelt10.04.38

Name	Operator	Version
internet-box_2_firmware	lt	10.04.38
internet-box_3_firmware	lt	11.01.20
internet-box_light_firmware	lt	08.06.06
internet-box_plus_firmware	lt	10.04.38
internet-box_standard_firmware	lt	10.04.38