ID

VAR-201403-0345


CVE

CVE-2014-1599


TITLE

SFR Box Router firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001600

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the SFR Box router with firmware NB6-MAIN-R3.3.4 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) dns, (2) dhcp, (3) nat, (4) route, or (5) lan in network/; or (6) wifi/config. The SFR Box router is a router device. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. SFR BOX NB6-MAIN-R3.3.4 is vulnerable; other versions may also be affected.

CVE-2014-1599 - 39 Type-1 XSS in SFR ADSL/Fiber Box. SFR is the French Vodafone (estimated DSL user base of 5.2 Million).

* affected product: SFR BOX NB6-MAIN-R3.3.4

* vulnerabilities:
  /network/dns 5 non-filtered Type-1 XSS
  /network/dhcp 6 non-filtered Type-1 XSS
  /network/nat 7 non-filtered Type-1 XSS
  /network/route 12 non-filtered Type-1 XSS
  /wifi/config 1 non-filtered Type-1 XSS
  /network/lan 8 non-filtered Type-1 XSS

* exploitation hypotheses:
  - user already logged-in (or tricked by SE techniques to authenticate)
  - ip address of the SFR Box router is known (most users use the default settings: 192.168.1.1/24)

* #number of attack vectors: 39 Type-1 XSS

* exploitation scenario:
  If a user is tricked into authenticating into its interface, an attacker can XSS the user, and thus get read and write access to the router configuration webpages. Such a scenario is mainly possible due to:
  - non filtered reflections (mainly Type-1 / reflected)
  - lack of Content Security Policy
  Moreover, no anti-CSRF tokens such as view-states are present, thus there is the possibility of modifying the routing tables even without an XSS, if the user is authenticated in the box.
  A non-limitative list of actions includes:
  - getting authentication credentials (wireless, DSL credentials)
  - rebooting the router
  - modifying the route table (thus possibility of content injection if an attacker controlled server is on the route)
  - DDOSing a target with numerous XSS'ed clients

* timeline:
  - 2013-12-21: discovery
  - 2014-01-06: notification to vendor, ask for patch release
  - 2014-01-06: vendor acknowledges but does not answer on the patching timeframe
  - 2014-01-20: request for update or planned date of patch release
  - 2014-02-25: public disclosure

Trust: 2.61

sources: NVD: CVE-2014-1599 // JVNDB: JVNDB-2014-001600 // CNVD: CNVD-2014-01595 // BID: 65973 // VULHUB: VHN-69538 // PACKETSTORM: 125546

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01595

AFFECTED PRODUCTS

vendor: sfr, model: box router, scope: eq, version: nb6-main-r3.3.4

Trust: 1.6

vendor: sfr, model: box router, scope: eq, version: -

Trust: 1.0

vendor: sfr, model: box, scope: -, version: -

Trust: 0.8

vendor: sfr, model: box, scope: eq, version: nb6-main-r3.3.4

Trust: 0.8

vendor: sfr, model: box router nb6-main-r3.3.4, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2014-01595 // JVNDB: JVNDB-2014-001600 // CNNVD: CNNVD-201403-158 // NVD: CVE-2014-1599

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1599
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1599
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-01595
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201403-158
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69538
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1599
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01595
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-69538
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-01595 // VULHUB: VHN-69538 // JVNDB: JVNDB-2014-001600 // CNNVD: CNNVD-201403-158 // NVD: CVE-2014-1599

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-69538 // JVNDB: JVNDB-2014-001600 // NVD: CVE-2014-1599

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-158

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 125546 // CNNVD: CNNVD-201403-158

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001600

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-69538

PATCH

title: Top Page, url: http://www.sfr.fr/

Trust: 0.8

sources: JVNDB: JVNDB-2014-001600

EXTERNAL IDS

db: NVD, id: CVE-2014-1599

Trust: 3.5

db: BID, id: 65973

Trust: 2.0

db: JVNDB, id: JVNDB-2014-001600

Trust: 0.8

db: CNNVD, id: CNNVD-201403-158

Trust: 0.7

db: CNVD, id: CNVD-2014-01595

Trust: 0.6

db: BUGTRAQ, id: 20140305 CVE-2014-1599 - 39 TYPE-1 XSS IN SFR DSL/FIBER BOX

Trust: 0.6

db: PACKETSTORM, id: 125546

Trust: 0.2

db: VULHUB, id: VHN-69538

Trust: 0.1

sources: CNVD: CNVD-2014-01595 // VULHUB: VHN-69538 // BID: 65973 // JVNDB: JVNDB-2014-001600 // PACKETSTORM: 125546 // CNNVD: CNNVD-201403-158 // NVD: CVE-2014-1599

REFERENCES

url: http://www.securityfocus.com/archive/1/archive/1/531349/100/0/threaded

Trust: 2.0

url: http://www.securityfocus.com/bid/65973

Trust: 1.1

url: http://www.securityfocus.com/archive/1/531349/100/0/threaded

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1599

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1599

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2014-1599

Trust: 0.1

sources: CNVD: CNVD-2014-01595 // VULHUB: VHN-69538 // JVNDB: JVNDB-2014-001600 // PACKETSTORM: 125546 // CNNVD: CNNVD-201403-158 // NVD: CVE-2014-1599

CREDITS

alejandr0.w3b.p0wn3r

Trust: 0.4

sources: BID: 65973 // PACKETSTORM: 125546

SOURCES

db: CNVD, id: CNVD-2014-01595
db: VULHUB, id: VHN-69538
db: BID, id: 65973
db: JVNDB, id: JVNDB-2014-001600
db: PACKETSTORM, id: 125546
db: CNNVD, id: CNNVD-201403-158
db: NVD, id: CVE-2014-1599

LAST UPDATE DATE

2025-04-13T23:23:55.956000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-01595, date: 2014-03-12T00:00:00
db: VULHUB, id: VHN-69538, date: 2018-10-09T00:00:00
db: BID, id: 65973, date: 2014-04-08T00:48:00
db: JVNDB, id: JVNDB-2014-001600, date: 2014-03-11T00:00:00
db: CNNVD, id: CNNVD-201403-158, date: 2014-03-11T00:00:00
db: NVD, id: CVE-2014-1599, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-01595, date: 2014-03-12T00:00:00
db: VULHUB, id: VHN-69538, date: 2014-03-09T00:00:00
db: BID, id: 65973, date: 2014-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-001600, date: 2014-03-11T00:00:00
db: PACKETSTORM, id: 125546, date: 2014-03-05T18:13:00
db: CNNVD, id: CNNVD-201403-158, date: 2014-03-11T00:00:00
db: NVD, id: CVE-2014-1599, date: 2014-03-09T13:16:56.773