Details of VAR-201904-0583

ID

VAR-201904-0583

CVE

CVE-2018-17565

TITLE

Grandstream GXP16xx VoIP phone Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-015175

DESCRIPTION

Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell. Grandstream GXP16xx VoIP phone Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Grandstream GXP16xx VoIP is a 16XX series IP phone of Grandstream. The SSH configuration page in Grandstream GXP16xx VoIP version 1.0.4.128 has an operating system command injection vulnerability. The vulnerability stems from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data. Attackers can exploit this vulnerability to execute illegal operating system commands

Trust: 1.8

sources: NVD: CVE-2018-17565 // JVNDB: JVNDB-2018-015175 // VULHUB: VHN-128037 // VULMON: CVE-2018-17565

AFFECTED PRODUCTS

vendor:	grandstream	model:	gxp1610	scope:	eq	version:	1.0.4.128	Trust: 1.8
vendor:	grandstream	model:	gxp1615	scope:	eq	version:	1.0.4.128	Trust: 1.8
vendor:	grandstream	model:	gxp1620	scope:	eq	version:	1.0.4.128	Trust: 1.8
vendor:	grandstream	model:	gxp1625	scope:	eq	version:	1.0.4.128	Trust: 1.8
vendor:	grandstream	model:	gxp1628	scope:	eq	version:	1.0.4.128	Trust: 1.8
vendor:	grandstream	model:	gxp1630	scope:	eq	version:	1.0.4.128	Trust: 1.8

sources: JVNDB: JVNDB-2018-015175 // NVD: CVE-2018-17565

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17565
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-17565
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201904-034
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-128037
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-17565
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-17565
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-128037
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-17565
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-128037 // VULMON: CVE-2018-17565 // JVNDB: JVNDB-2018-015175 // CNNVD: CNNVD-201904-034 // NVD: CVE-2018-17565

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 0.9

sources: VULHUB: VHN-128037 // JVNDB: JVNDB-2018-015175 // NVD: CVE-2018-17565

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-034

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-034

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015175

PATCH

title:	Important Firmware News (HD IP Phones)	url:	http://grandstream.com/support/firmware	Trust: 0.8
title:	Grandstream GXP16xx VoIP Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90946	Trust: 0.6

sources: JVNDB: JVNDB-2018-015175 // CNNVD: CNNVD-201904-034

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17565	Trust: 2.6
db:	JVNDB	id:	JVNDB-2018-015175	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-034	Trust: 0.7
db:	VULHUB	id:	VHN-128037	Trust: 0.1
db:	VULMON	id:	CVE-2018-17565	Trust: 0.1

sources: VULHUB: VHN-128037 // VULMON: CVE-2018-17565 // JVNDB: JVNDB-2018-015175 // CNNVD: CNNVD-201904-034 // NVD: CVE-2018-17565

REFERENCES

url:	http://grandstream.com/support/firmware	Trust: 1.8
url:	https://iridiumxor.wordpress.com/2019/01/03/three-simple-cves-for-a-good-voip-phone/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17565	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17565	Trust: 0.8
url:	http://www.iridiumxor.blog/2019/01/three-simple-cves-for-a-good-voip-phone/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-128037 // VULMON: CVE-2018-17565 // JVNDB: JVNDB-2018-015175 // CNNVD: CNNVD-201904-034 // NVD: CVE-2018-17565

SOURCES

db:	VULHUB	id:	VHN-128037
db:	VULMON	id:	CVE-2018-17565
db:	JVNDB	id:	JVNDB-2018-015175
db:	CNNVD	id:	CNNVD-201904-034
db:	NVD	id:	CVE-2018-17565

LAST UPDATE DATE

2024-11-23T22:33:56.852000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-128037	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2018-17565	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-015175	date:	2019-05-09T00:00:00
db:	CNNVD	id:	CNNVD-201904-034	date:	2020-05-22T00:00:00
db:	NVD	id:	CVE-2018-17565	date:	2024-11-21T03:54:36.980

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-128037	date:	2019-04-01T00:00:00
db:	VULMON	id:	CVE-2018-17565	date:	2019-04-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-015175	date:	2019-05-09T00:00:00
db:	CNNVD	id:	CNNVD-201904-034	date:	2019-04-01T00:00:00
db:	NVD	id:	CVE-2018-17565	date:	2019-04-01T21:29:26.077