Sign-up

ID

VAR-201805-0432


CVE

CVE-2018-11518


TITLE

HCL legacy IVR System input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-006188

DESCRIPTION

A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece). HCL legacy IVR There is an input validation vulnerability in the system.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Attackers can exploit this vulnerability to open services or obtain sensitive information

Trust: 1.71

sources: NVD: CVE-2018-11518 // JVNDB: JVNDB-2018-006188 // VULHUB: VHN-121385

AFFECTED PRODUCTS

vendor:hcltechmodel:legacy ivrscope:eqversion: -

Trust: 1.6

vendor:hclmodel:legacy ivrscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-006188 // CNNVD: CNNVD-201805-1005 // NVD: CVE-2018-11518

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-11518
value: HIGH

Trust: 1.0

NVD: CVE-2018-11518
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201805-1005
value: MEDIUM

Trust: 0.6

VULHUB: VHN-121385
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-11518
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-121385
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-11518
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-121385 // JVNDB: JVNDB-2018-006188 // CNNVD: CNNVD-201805-1005 // NVD: CVE-2018-11518

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-121385 // JVNDB: JVNDB-2018-006188 // NVD: CVE-2018-11518

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-1005

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201805-1005

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-006188

PATCH
title:Top Pageurl:https://www.hcltech.com/
Trust: 0.8
title:HCL legacy IVR System security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81177
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-006188 // 
            
            
            
            CNNVD: CNNVD-201805-1005

EXTERNAL IDS
db:NVDid:CVE-2018-11518
Trust: 2.5
db:JVNDBid:JVNDB-2018-006188
Trust: 0.8
db:CNNVDid:CNNVD-201805-1005
Trust: 0.7
db:VULHUBid:VHN-121385
Trust: 0.1
sources:
            
            
            VULHUB: VHN-121385 // 
            
            
            
            JVNDB: JVNDB-2018-006188 // 
            
            
            
            CNNVD: CNNVD-201805-1005 // 
            
            
            
            NVD: CVE-2018-11518

REFERENCES
url:https://datarift.blogspot.com/2018/05/cve-2018-11518-abusing-ivr-systems.html
Trust: 2.5
url:http://virgil-cj.blogspot.com/2018/05/0day-legacy-ivr-lets-phreak.html
Trust: 1.7
url:https://twitter.com/mishradhiraj_/status/1001664204485652482
Trust: 1.7
url:https://twitter.com/mishradhiraj_/status/1001664440759091207
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11518
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-11518
Trust: 0.8
sources:
            
            
            VULHUB: VHN-121385 // 
            
            
            
            JVNDB: JVNDB-2018-006188 // 
            
            
            
            CNNVD: CNNVD-201805-1005 // 
            
            
            
            NVD: CVE-2018-11518

SOURCES
db:VULHUBid:VHN-121385
db:JVNDBid:JVNDB-2018-006188
db:CNNVDid:CNNVD-201805-1005
db:NVDid:CVE-2018-11518

LAST UPDATE DATE
2024-11-23T23:05:07.170000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-121385date:2018-07-20T00:00:00
db:JVNDBid:JVNDB-2018-006188date:2018-08-09T00:00:00
db:CNNVDid:CNNVD-201805-1005date:2018-05-31T00:00:00
db:NVDid:CVE-2018-11518date:2024-11-21T03:43:32.307

SOURCES RELEASE DATE
db:VULHUBid:VHN-121385date:2018-05-30T00:00:00
db:JVNDBid:JVNDB-2018-006188date:2018-08-09T00:00:00
db:CNNVDid:CNNVD-201805-1005date:2018-05-31T00:00:00
db:NVDid:CVE-2018-11518date:2018-05-30T20:29:00.250