ID

VAR-201710-0074


CVE

CVE-2016-5791


TITLE

JanTek JTC-200 Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // CNVD: CNVD-2017-32099

DESCRIPTION

An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication. JanTek JTC-200 contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The JanTek JTC-200 is a TCP/IP converter (serial server) from JanTek Technology. An unauthorized access vulnerability exists in JanTek JTC-200. JanTek JTC-200 is prone to a cross-site request-forgery vulnerability and an authentication-bypass vulnerability. An attacker can exploit these issues to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. An attacker could exploit this vulnerability to gain access to the BusyBox Linux shell.

Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication

Advisory URL:
https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

CVE-ID
CVE-2016-5789
CVE-2016-5791

Detailed Proof of Concept:
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

------------------------
AFFECTED PRODUCTS
------------------------

The following versions of JTC-200, a TCP/IP converter, are affected:

JTC-200 all versions.

------------------------
BACKGROUND
------------------------

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Europe and Asia
Company Headquarters Location: Taiwan

------------------------
IMPACT
------------------------

Successful exploitation of these vulnerabilities allows for remote code execution on the device with elevated privileges.

------------------------
VULNERABILITY OVERVIEW
------------------------

CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

---------
Trying IP...
Connected to IP.
Escape character is '^]'.

BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#
BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use, and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls,
mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi

#
# ls
bin dev etc nfs proc swap usb var
# cd etc
# ls
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services
# cat inetd.conf
telnet stream tcpnowait root /bin/telnetd
#
---------

------------------------
Technical Details
------------------------

https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

+++++
Best Regards,
Karn Ganeshen

Trust: 2.88

sources: NVD: CVE-2016-5791 // JVNDB: JVNDB-2016-008848 // CNVD: CNVD-2017-32099 // BID: 101224 // IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // VULHUB: VHN-94610 // VULMON: CVE-2016-5791 // PACKETSTORM: 144816

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // CNVD: CNVD-2017-32099

AFFECTED PRODUCTS

vendor: jantek, model: jtc-200, scope: -, version: -

Trust: 1.2

vendor: jantek, model: jtc-200, scope: eq, version: *

Trust: 1.0

vendor: jantek, model: jtc-200, scope: eq, version: -

Trust: 0.8

vendor: jantek, model: jtc-200, scope: eq, version: 0

Trust: 0.3

vendor: jtc 200, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // CNVD: CNVD-2017-32099 // BID: 101224 // JVNDB: JVNDB-2016-008848 // CNNVD: CNNVD-201710-529 // NVD: CVE-2016-5791

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5791
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-5791
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-32099
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201710-529
value: CRITICAL

Trust: 0.6

IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4
value: CRITICAL

Trust: 0.2

VULHUB: VHN-94610
value: HIGH

Trust: 0.1

VULMON: CVE-2016-5791
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-5791
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-32099
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-94610
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5791
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // CNVD: CNVD-2017-32099 // VULHUB: VHN-94610 // VULMON: CVE-2016-5791 // JVNDB: JVNDB-2016-008848 // CNNVD: CNNVD-201710-529 // NVD: CVE-2016-5791

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-94610 // JVNDB: JVNDB-2016-008848 // NVD: CVE-2016-5791

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-529

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201710-529

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008848

PATCH

title: Top Page, url: http://www.jantek.com/

Trust: 0.8

sources: JVNDB: JVNDB-2016-008848

EXTERNAL IDS

db: NVD, id: CVE-2016-5791

Trust: 3.8

db: ICS CERT, id: ICSA-17-283-02

Trust: 3.6

db: CNVD, id: CNVD-2017-32099

Trust: 0.8

db: CNNVD, id: CNNVD-201710-529

Trust: 0.8

db: JVNDB, id: JVNDB-2016-008848

Trust: 0.8

db: BID, id: 101224

Trust: 0.4

db: IVD, id: 5A33FB15-6543-4DF8-914E-2F593D80CAC4

Trust: 0.2

db: PACKETSTORM, id: 144816

Trust: 0.2

db: VULHUB, id: VHN-94610

Trust: 0.1

db: VULMON, id: CVE-2016-5791

Trust: 0.1

sources: IVD: 5a33fb15-6543-4df8-914e-2f593d80cac4 // CNVD: CNVD-2017-32099 // VULHUB: VHN-94610 // VULMON: CVE-2016-5791 // BID: 101224 // JVNDB: JVNDB-2016-008848 // PACKETSTORM: 144816 // CNNVD: CNNVD-201710-529 // NVD: CVE-2016-5791

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-283-02

Trust: 3.6

url:https://nvd.nist.gov/vuln/detail/cve-2016-5791

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5791

Trust: 0.8

url:http://www.jantek.com.tw

Trust: 0.3

url:http://www.jantek.com.tw/en/product/73

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://packetstormsecurity.com/files/144816/jantek-jtc-200-rs232-net-connector-csrf-missing-authentication.html

Trust: 0.1

url:https://www.securityfocus.com/bid/101224

Trust: 0.1

url:https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5789

Trust: 0.1

url:https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

Trust: 0.1

sources: CNVD: CNVD-2017-32099 // VULHUB: VHN-94610 // VULMON: CVE-2016-5791 // BID: 101224 // JVNDB: JVNDB-2016-008848 // PACKETSTORM: 144816 // CNNVD: CNNVD-201710-529 // NVD: CVE-2016-5791

CREDITS

Karn Ganeshan

Trust: 0.3

sources: BID: 101224

SOURCES

db: IVD, id: 5a33fb15-6543-4df8-914e-2f593d80cac4
db: CNVD, id: CNVD-2017-32099
db: VULHUB, id: VHN-94610
db: VULMON, id: CVE-2016-5791
db: BID, id: 101224
db: JVNDB, id: JVNDB-2016-008848
db: PACKETSTORM, id: 144816
db: CNNVD, id: CNNVD-201710-529
db: NVD, id: CVE-2016-5791

LAST UPDATE DATE

2025-04-20T23:23:35.592000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-32099, date: 2017-10-31T00:00:00
db: VULHUB, id: VHN-94610, date: 2017-11-03T00:00:00
db: VULMON, id: CVE-2016-5791, date: 2017-11-03T00:00:00
db: BID, id: 101224, date: 2017-12-19T22:36:00
db: JVNDB, id: JVNDB-2016-008848, date: 2017-11-10T00:00:00
db: CNNVD, id: CNNVD-201710-529, date: 2017-10-18T00:00:00
db: NVD, id: CVE-2016-5791, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: 5a33fb15-6543-4df8-914e-2f593d80cac4, date: 2017-10-31T00:00:00
db: CNVD, id: CNVD-2017-32099, date: 2017-10-31T00:00:00
db: VULHUB, id: VHN-94610, date: 2017-10-13T00:00:00
db: VULMON, id: CVE-2016-5791, date: 2017-10-13T00:00:00
db: BID, id: 101224, date: 2017-10-10T00:00:00
db: JVNDB, id: JVNDB-2016-008848, date: 2017-11-10T00:00:00
db: PACKETSTORM, id: 144816, date: 2017-10-31T13:33:33
db: CNNVD, id: CNNVD-201710-529, date: 2017-10-18T00:00:00
db: NVD, id: CVE-2016-5791, date: 2017-10-13T03:29:00.240