CVE-2017-16936

Current Description

Directory Traversal vulnerability in app_data_center on Shenzhen Tenda Ac9 US_AC9V1.0BR_V15.03.05.14_multi_TD01, Ac9 ac9_kf_V15.03.05.19(6318_)_cn, Ac15 US_AC15V1.0BR_V15.03.05.18_multi_TD01, Ac15 US_AC15V1.0BR_V15.03.05.19_multi_TD01, Ac18 US_AC18V1.0BR_V15.03.05.05_multi_TD01, and Ac18 ac18_kf_V15.03.05.19(6318_)_cn devices allows remote unauthenticated attackers to read arbitrary files via a cgi-bin/luci/request?op=1&path= URI that uses directory traversal sequences after a /usb/ substring.

Basic Data

PublishedNovember 24, 2017
Last ModifiedDecember 12, 2017
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-22
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:A/AC:L/Au:N/C:P/I:N/A:N
CVSS 2 - Access VectorADJACENT_NETWORK
CVSS 2 - Access ComplexityLOW
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactPARTIAL
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score3.3
SeverityLOW
Exploitability Score6.5
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack VectorADJACENT_NETWORK
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredNONE
CVSS 3 - User InteractionNONE
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactHIGH
CVSS 3 - Integrity ImpactNONE
CVSS 3 - Availability ImpactNONE
CVSS 3 - Base Score6.5
CVSS 3 - Base SeverityMEDIUM
Exploitability Score2.8
Base SeverityMEDIUM

Configurations

  • AND
    • OR - Configuration 1
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc9 Firmwareus_ac9v1.0br_v15.03.05.14_multi_td01*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc9-*******
  • AND
    • OR - Configuration 2
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc9 Firmwareac9_kf_v15.03.05.19(6318_)_cn*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc9-*******
  • AND
    • OR - Configuration 3
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc15 Firmwareus_ac15v1.0br_v15.03.05.18_multi_td01*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc15-*******
  • AND
    • OR - Configuration 4
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc15 Firmwareus_ac15v1.0br_v15.03.05.19_multi_td01*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc15-*******
  • AND
    • OR - Configuration 5
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc18 Firmwareus_ac18v1.0br_v15.03.05.05_multi_td01*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc18-*******
  • AND
    • OR - Configuration 6
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSTendaAc18 Firmwareac18_kf_v15.03.05.19(6318_)_cn*******
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareTendaAc18-*******

Vulnerable Software List

VendorProductVersions
Tenda Ac9 Firmware ac9_kf_v15.03.05.19(6318_)_cn, us_ac9v1.0br_v15.03.05.14_multi_td01
Tenda Ac15 Firmware us_ac15v1.0br_v15.03.05.18_multi_td01, us_ac15v1.0br_v15.03.05.19_multi_td01
Tenda Ac18 Firmware ac18_kf_v15.03.05.19(6318_)_cn, us_ac18v1.0br_v15.03.05.05_multi_td01

References

NameSourceURLTags
https://github.com/Iolop/Poc/tree/master/Router/Tendahttps://github.com/Iolop/Poc/tree/master/Router/TendaMISCIssue Tracking Third Party Advisory