Details of VAR-201701-0497

ID

VAR-201701-0497

CVE

CVE-2016-10116

TITLE

plural NETGEAR Arlo Vulnerability to obtain access rights in products

Trust: 0.8

sources: JVNDB: JVNDB-2016-006594

DESCRIPTION

NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack. NETGEARArlobasestations and so on are products of NETGEAR. ArloQcameras and ArloQPluscameras are wireless webcam devices; Arlobasestations is a base station used by ArloQcameras and ArloQPluscameras. A remote attacker can exploit this vulnerability to obtain sensitive information. This may aid in further attacks. NETGEAR Arlo Q cameras (model number VMC3040) running firmware version 1.8.0_5551 or prior versions are affected. NETGEAR Arlo Q Plus cameras (model number VMC3040s) running firmware version 1.8.1_6094 or prior versions are affected. Arlo Q cameras and Arlo Q Plus cameras are wireless network camera devices; Arlo base stations are a base station used by Arlo Q cameras and Arlo Q Plus cameras

Trust: 2.52

sources: NVD: CVE-2016-10116 // JVNDB: JVNDB-2016-006594 // CNVD: CNVD-2017-00164 // BID: 95266 // VULHUB: VHN-88860

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-00164

AFFECTED PRODUCTS

vendor:	netgear	model:	arlo q camera	scope:	lte	version:	1.8.0_5551	Trust: 1.0
vendor:	netgear	model:	arlo base station	scope:	lte	version:	1.7.5_6178	Trust: 1.0
vendor:	netgear	model:	arlo q plus camera	scope:	lte	version:	1.8.1_6094	Trust: 1.0
vendor:	netgear	model:	arlo q plus 1.8.1 6094	scope:	-	version:	-	Trust: 0.9
vendor:	netgear	model:	arlo q 1.8.0 5551	scope:	-	version:	-	Trust: 0.9
vendor:	netgear	model:	arlo base station 1.7.5 6178	scope:	-	version:	-	Trust: 0.9
vendor:	net gear	model:	arlo q plus	scope:	lte	version:	1.8.1_6094	Trust: 0.8
vendor:	net gear	model:	arlo q	scope:	lte	version:	1.8.0_5551	Trust: 0.8
vendor:	net gear	model:	arlo base station	scope:	lte	version:	1.7.5_6178	Trust: 0.8
vendor:	net gear	model:	vmb30x0	scope:	-	version:	-	Trust: 0.8
vendor:	net gear	model:	vmc3040	scope:	-	version:	-	Trust: 0.8
vendor:	net gear	model:	vmc3040s	scope:	-	version:	-	Trust: 0.8
vendor:	net gear	model:	vmk3xx0	scope:	-	version:	-	Trust: 0.8
vendor:	net gear	model:	vms3xx0	scope:	-	version:	-	Trust: 0.8
vendor:	netgear	model:	arlo q camera	scope:	eq	version:	1.8.0_5551	Trust: 0.6
vendor:	netgear	model:	arlo base station	scope:	eq	version:	1.7.5_6178	Trust: 0.6
vendor:	netgear	model:	arlo q plus camera	scope:	eq	version:	1.8.1_6094	Trust: 0.6

sources: CNVD: CNVD-2017-00164 // BID: 95266 // JVNDB: JVNDB-2016-006594 // CNNVD: CNNVD-201701-014 // NVD: CVE-2016-10116

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-10116
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-10116
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-00164
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201701-014
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-88860
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-10116
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-00164
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-88860
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-10116
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-00164 // VULHUB: VHN-88860 // JVNDB: JVNDB-2016-006594 // CNNVD: CNNVD-201701-014 // NVD: CVE-2016-10116

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-88860 // JVNDB: JVNDB-2016-006594 // NVD: CVE-2016-10116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201701-014

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201701-014

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006594

PATCH

title:	Arlo WiFi Default Password Security Vulnerability	url:	http://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability	Trust: 0.8
title:	Patches for multiple NETGEAR device information disclosure vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/87578	Trust: 0.6
title:	Multiple NETGEAR Repair measures for device security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66760	Trust: 0.6

sources: CNVD: CNVD-2017-00164 // JVNDB: JVNDB-2016-006594 // CNNVD: CNNVD-201701-014

EXTERNAL IDS

db:	NVD	id:	CVE-2016-10116	Trust: 3.4
db:	BID	id:	95266	Trust: 2.0
db:	JVNDB	id:	JVNDB-2016-006594	Trust: 0.8
db:	CNNVD	id:	CNNVD-201701-014	Trust: 0.7
db:	CNVD	id:	CNVD-2017-00164	Trust: 0.6
db:	VULHUB	id:	VHN-88860	Trust: 0.1

sources: CNVD: CNVD-2017-00164 // VULHUB: VHN-88860 // BID: 95266 // JVNDB: JVNDB-2016-006594 // CNNVD: CNNVD-201701-014 // NVD: CVE-2016-10116

REFERENCES

url:	http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/	Trust: 3.1
url:	http://kb.netgear.com/30731/arlo-wifi-default-password-security-vulnerability	Trust: 2.0
url:	http://www.securityfocus.com/bid/95266	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10116	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-10116	Trust: 0.8
url:	http://www.netgear.com	Trust: 0.3

sources: CNVD: CNVD-2017-00164 // VULHUB: VHN-88860 // BID: 95266 // JVNDB: JVNDB-2016-006594 // CNNVD: CNNVD-201701-014 // NVD: CVE-2016-10116

CREDITS

The vendor reported the issue.

Trust: 0.3

sources: BID: 95266

SOURCES

db:	CNVD	id:	CNVD-2017-00164
db:	VULHUB	id:	VHN-88860
db:	BID	id:	95266
db:	JVNDB	id:	JVNDB-2016-006594
db:	CNNVD	id:	CNNVD-201701-014
db:	NVD	id:	CVE-2016-10116

LAST UPDATE DATE

2025-04-13T23:34:58.391000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-00164	date:	2017-01-06T00:00:00
db:	VULHUB	id:	VHN-88860	date:	2017-01-11T00:00:00
db:	BID	id:	95266	date:	2017-01-12T01:09:00
db:	JVNDB	id:	JVNDB-2016-006594	date:	2017-01-13T00:00:00
db:	CNNVD	id:	CNNVD-201701-014	date:	2017-01-05T00:00:00
db:	NVD	id:	CVE-2016-10116	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-00164	date:	2017-01-06T00:00:00
db:	VULHUB	id:	VHN-88860	date:	2017-01-04T00:00:00
db:	BID	id:	95266	date:	2017-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2016-006594	date:	2017-01-13T00:00:00
db:	CNNVD	id:	CNNVD-201701-014	date:	2017-01-05T00:00:00
db:	NVD	id:	CVE-2016-10116	date:	2017-01-04T08:59:00.193