CVE-2017-16923
Current Description
Command Injection vulnerability in app_data_center on Shenzhen Tenda Ac9 US_AC9V1.0BR_V15.03.05.14_multi_TD01, Ac9 ac9_kf_V15.03.05.19(6318_)_cn, Ac15 US_AC15V1.0BR_V15.03.05.18_multi_TD01, Ac15 US_AC15V1.0BR_V15.03.05.19_multi_TD01, Ac18 US_AC18V1.0BR_V15.03.05.05_multi_TD01, and Ac18 ac18_kf_V15.03.05.19(6318_)_cn devices allows remote unauthenticated attackers to execute arbitrary OS commands via a crafted cgi-bin/luci/usbeject?dev_name= GET request from the LAN. This occurs because the "sub_A6E8 usbeject_process_entry" function executes a system function with untrusted input.
Basic Data
| Published | November 21, 2017 |
|---|
| Last Modified | October 03, 2019 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-78 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:A/AC:L/Au:N/C:C/I:C/A:C |
|---|
| CVSS 2 - Access Vector | ADJACENT_NETWORK |
|---|
| CVSS 2 - Access Complexity | LOW |
|---|
| CVSS 2 - Authentication | NONE |
|---|
| CVSS 2 - Confidentiality Impact | COMPLETE |
|---|
| CVSS 2 - Availability Impact | COMPLETE |
|---|
| CVSS 2 - Base Score | 8.3 |
|---|
| Severity | HIGH |
|---|
| Exploitability Score | 6.5 |
|---|
| Impact Score | 10.0 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|---|
| CVSS 3 - Attack Vector | ADJACENT_NETWORK |
|---|
| CVSS 3 - Attack Complexity | LOW |
|---|
| CVSS 3 - Privileges Required | NONE |
|---|
| CVSS 3 - User Interaction | NONE |
|---|
| CVSS 3 - Scope | UNCHANGED |
|---|
| CVSS 3 - Confidentiality Impact | HIGH |
|---|
| CVSS 3 - Integrity Impact | HIGH |
|---|
| CVSS 3 - Availability Impact | HIGH |
|---|
| CVSS 3 - Base Score | 8.8 |
|---|
| CVSS 3 - Base Severity | HIGH |
|---|
| Exploitability Score | 2.8 |
|---|
| Base Severity | HIGH |
|---|
Configurations
-
AND
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac9 Firmware | us_ac9v1.0br_v15.03.05.14_multi_td01 | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac9 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 2
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac9 Firmware | ac9_kf_v15.03.05.19(6318_)_cn | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac9 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 3
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac15 Firmware | us_ac15v1.0br_v15.03.05.18_multi_td01 | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac15 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 4
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac15 Firmware | us_ac15v1.0br_v15.03.05.19_multi_td01 | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac15 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 5
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac18 Firmware | us_ac18v1.0br_v15.03.05.05_multi_td01 | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac18 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 6
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Tenda | Ac18 Firmware | ac18_kf_v15.03.05.19(6318_)_cn | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Tenda | Ac18 | - | * | * | * | * | * | * | * | � | � | � | � |
Vulnerable Software List
| Vendor | Product | Versions |
| Tenda
|
Ac9 Firmware |
ac9_kf_v15.03.05.19(6318_)_cn, us_ac9v1.0br_v15.03.05.14_multi_td01 |
| Tenda
|
Ac15 Firmware |
us_ac15v1.0br_v15.03.05.18_multi_td01, us_ac15v1.0br_v15.03.05.19_multi_td01 |
| Tenda
|
Ac18 Firmware |
ac18_kf_v15.03.05.19(6318_)_cn, us_ac18v1.0br_v15.03.05.05_multi_td01 |
References
| Name | Source | URL | Tags |
|---|
| https://github.com/Iolop/Poc/tree/master/Router/Tenda | https://github.com/Iolop/Poc/tree/master/Router/Tenda | MISC | Issue Tracking Third Party Advisory |
Follow @discotekdotca