Details of VAR-200906-0439

ID

VAR-200906-0439

CVE

CVE-2009-2073

TITLE

Linksys WRT160N Wireless Router Cross-Site Request Forgery Vulnerability

Trust: 0.9

sources: BID: 34448 // CNNVD: CNNVD-200906-264

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Linksys WRT160N wireless router hardware 1 and firmware 1.02.2 allows remote attackers to hijack the authentication of other users for unspecified requests via unknown vectors, as demonstrated using administrator privileges and actions. The Linksys WRT160N wireless router is prone to a cross-site request-forgery vulnerability. Successful exploits can run privileged commands on the affected device, including enabling remote access to the web administration interface. This may lead to further network-based attacks. Linksys WRT160N running firmware 1.02.2 is vulnerable. WRT160N is the latest 802.11n wireless router launched by Linksy. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WRT160N Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA34625 VERIFY ADVISORY: http://secunia.com/advisories/34625/ DESCRIPTION: Russ McRee has reported a vulnerability in Linksys WRT160N, which can be exploited by malicious people to conduct cross-site request forgery attacks. The administrative web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform administrative actions when a logged in administrator is tricked into visiting a malicious web page. Other versions may also be affected. SOLUTION: Do not browse untrusted web sites while being logged in to the administrative web interface. PROVIDED AND/OR DISCOVERED BY: Russ McRee, HolisticInfoSec ORIGINAL ADVISORY: http://holisticinfosec.org/content/view/109/45/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2009-2073 // JVNDB: JVNDB-2009-003505 // BID: 34448 // VULHUB: VHN-39519 // PACKETSTORM: 76504

AFFECTED PRODUCTS

vendor:	cisco	model:	wrt160n	scope:	eq	version:	1.02.2	Trust: 1.6
vendor:	cisco	model:	linksys wrt160n	scope:	eq	version:	hardware 1 and firmware 1.02.2	Trust: 0.8
vendor:	linksys	model:	wrt160n	scope:	eq	version:	0	Trust: 0.3

sources: BID: 34448 // JVNDB: JVNDB-2009-003505 // CNNVD: CNNVD-200906-264 // NVD: CVE-2009-2073

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-2073
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2009-2073
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200906-264
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-39519
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2009-2073
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-39519
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-39519 // JVNDB: JVNDB-2009-003505 // CNNVD: CNNVD-200906-264 // NVD: CVE-2009-2073

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-39519 // JVNDB: JVNDB-2009-003505 // NVD: CVE-2009-2073

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200906-264

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-200906-264

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-003505

PATCH

title:

Top Page

url:

https://www.cisco.com/

Trust: 0.8

sources: JVNDB: JVNDB-2009-003505

EXTERNAL IDS

db:	NVD	id:	CVE-2009-2073	Trust: 2.8
db:	BID	id:	34448	Trust: 2.0
db:	SECUNIA	id:	34625	Trust: 1.8
db:	OSVDB	id:	53414	Trust: 1.7
db:	VUPEN	id:	ADV-2009-0982	Trust: 1.7
db:	JVNDB	id:	JVNDB-2009-003505	Trust: 0.8
db:	XF	id:	49775	Trust: 0.6
db:	XF	id:	160	Trust: 0.6
db:	CNNVD	id:	CNNVD-200906-264	Trust: 0.6
db:	VULHUB	id:	VHN-39519	Trust: 0.1
db:	PACKETSTORM	id:	76504	Trust: 0.1

sources: VULHUB: VHN-39519 // BID: 34448 // JVNDB: JVNDB-2009-003505 // PACKETSTORM: 76504 // CNNVD: CNNVD-200906-264 // NVD: CVE-2009-2073

REFERENCES

url:	http://holisticinfosec.org/content/view/109/45/	Trust: 2.1
url:	http://www.securityfocus.com/bid/34448	Trust: 1.7
url:	http://www.osvdb.org/53414	Trust: 1.7
url:	http://secunia.com/advisories/34625	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/0982	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/49775	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2073	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2073	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/49775	Trust: 0.6
url:	http://www.linksys.com/	Trust: 0.3
url:	http://secunia.com/advisories/try_vi/request_2008_report/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/34625/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-39519 // BID: 34448 // JVNDB: JVNDB-2009-003505 // PACKETSTORM: 76504 // CNNVD: CNNVD-200906-264 // NVD: CVE-2009-2073

CREDITS

Russ McRee

Trust: 0.9

sources: BID: 34448 // CNNVD: CNNVD-200906-264

SOURCES

db:	VULHUB	id:	VHN-39519
db:	BID	id:	34448
db:	JVNDB	id:	JVNDB-2009-003505
db:	PACKETSTORM	id:	76504
db:	CNNVD	id:	CNNVD-200906-264
db:	NVD	id:	CVE-2009-2073

LAST UPDATE DATE

2025-04-10T23:00:36.885000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-39519	date:	2017-08-17T00:00:00
db:	BID	id:	34448	date:	2015-04-13T21:11:00
db:	JVNDB	id:	JVNDB-2009-003505	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200906-264	date:	2009-06-23T00:00:00
db:	NVD	id:	CVE-2009-2073	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-39519	date:	2009-06-15T00:00:00
db:	BID	id:	34448	date:	2009-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2009-003505	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	76504	date:	2009-04-09T13:21:31
db:	CNNVD	id:	CNNVD-200906-264	date:	2009-04-09T00:00:00
db:	NVD	id:	CVE-2009-2073	date:	2009-06-15T19:30:05.780