ID

VAR-201904-0390


CVE

CVE-2019-9160


TITLE

Sangfor Sundray WLAN Controller Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2019-003492

DESCRIPTION

WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to log in to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string). Sangfor Sundray WLAN Controller contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Shenzhen Xinrui Network Technology Co., Ltd. is a wholly-owned subsidiary of Shenxinfu Group. It is a next-generation enterprise-class wireless, Internet of Things and switch solution manufacturer. Xinrui WAC has a weak password vulnerability. An attacker could use this vulnerability to gain administrative rights on the system. Sundray WLAN Controller (Sundray WAC) is a set of wireless LAN controller software from China Sundray Network Technology (Sundray) company. The vulnerability stems from the incorrect use of relevant cryptographic algorithms in the network system or product, resulting in incorrect encryption of content, weak encryption, and sensitive information stored in plain text.

Trust: 2.34

sources: NVD: CVE-2019-9160 // JVNDB: JVNDB-2019-003492 // CNVD: CNVD-2019-07680 // VULHUB: VHN-160595 // VULMON: CVE-2019-9160

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-07680

AFFECTED PRODUCTS

vendor: xinruidz, model: sundray wan controller, scope: lte, version: 3.7.4.2

Trust: 1.0

vendor: xinrui, model: sundray wlan controller, scope: lte, version: 3.7.4.2

Trust: 0.8

vendor: xinrui network, model: wac wireless controller software, scope: lte, version: <=3.7.4.2

Trust: 0.6

sources: CNVD: CNVD-2019-07680 // JVNDB: JVNDB-2019-003492 // NVD: CVE-2019-9160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-9160
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-9160
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-07680
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201904-913
value: CRITICAL

Trust: 0.6

VULHUB: VHN-160595
value: HIGH

Trust: 0.1

VULMON: CVE-2019-9160
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-9160
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-07680
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-160595
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-9160
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-07680 // VULHUB: VHN-160595 // VULMON: CVE-2019-9160 // JVNDB: JVNDB-2019-003492 // CNNVD: CNNVD-201904-913 // NVD: CVE-2019-9160

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-160595 // JVNDB: JVNDB-2019-003492 // NVD: CVE-2019-9160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-913

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201904-913

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003492

PATCH

title: Top Page
url: http://en.xinruidz.com/

Trust: 0.8

title: Xinrui WAC has weak password vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/154601

Trust: 0.6

title: Sangfor Sundray WLAN Controller Fixes for encryption problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91742

Trust: 0.6

sources: CNVD: CNVD-2019-07680 // JVNDB: JVNDB-2019-003492 // CNNVD: CNNVD-201904-913

EXTERNAL IDS

db: CNVD, id: CNVD-2019-07680

Trust: 3.2

db: NVD, id: CVE-2019-9160

Trust: 2.6

db: JVNDB, id: JVNDB-2019-003492

Trust: 0.8

db: CNNVD, id: CNNVD-201904-913

Trust: 0.7

db: VULHUB, id: VHN-160595

Trust: 0.1

db: VULMON, id: CVE-2019-9160

Trust: 0.1

sources: CNVD: CNVD-2019-07680 // VULHUB: VHN-160595 // VULMON: CVE-2019-9160 // JVNDB: JVNDB-2019-003492 // CNNVD: CNNVD-201904-913 // NVD: CVE-2019-9160

REFERENCES

url: http://www.cnvd.org.cn/flaw/show/cnvd-2019-07680

Trust: 2.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-9160

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9160

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-160595 // VULMON: CVE-2019-9160 // JVNDB: JVNDB-2019-003492 // CNNVD: CNNVD-201904-913 // NVD: CVE-2019-9160

SOURCES

db: CNVD, id: CNVD-2019-07680
db: VULHUB, id: VHN-160595
db: VULMON, id: CVE-2019-9160
db: JVNDB, id: JVNDB-2019-003492
db: CNNVD, id: CNNVD-201904-913
db: NVD, id: CVE-2019-9160

LAST UPDATE DATE

2024-11-23T22:55:37.786000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-07680, date: 2019-03-22T00:00:00
db: VULHUB, id: VHN-160595, date: 2019-04-19T00:00:00
db: VULMON, id: CVE-2019-9160, date: 2019-04-19T00:00:00
db: JVNDB, id: JVNDB-2019-003492, date: 2019-05-17T00:00:00
db: CNNVD, id: CNNVD-201904-913, date: 2019-04-22T00:00:00
db: NVD, id: CVE-2019-9160, date: 2024-11-21T04:51:06.547

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-07680, date: 2019-04-12T00:00:00
db: VULHUB, id: VHN-160595, date: 2019-04-18T00:00:00
db: VULMON, id: CVE-2019-9160, date: 2019-04-18T00:00:00
db: JVNDB, id: JVNDB-2019-003492, date: 2019-05-17T00:00:00
db: CNNVD, id: CNNVD-201904-913, date: 2019-04-18T00:00:00
db: NVD, id: CVE-2019-9160, date: 2019-04-18T22:29:00.577