ID

VAR-201906-0825


CVE

CVE-2018-15557


TITLE

Telus Actiontec WEB6000Q Vulnerabilities related to authorization, authority, and access control in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015777

DESCRIPTION

An issue was discovered in the Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 devices. An attacker can statically set his/her IP to anything on the 169.254.1.0/24 subnet, and obtain root access by connecting to 169.254.1.2 port 23 with telnet/netcat. Telus Actiontec WEB6000Q devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Actiontec WEB6000Q is a wireless extender from American Actiontec.

### Device Details

Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)

### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard and each of them provides full shell + bootloader access. While the main OS has the credentials user: root pass: admin, the quantenna environment can be accessed with user: root with an empty password. I used a Raspberry Pi to interface with the UART header, but there are USB UART adapters to do the same thing. Once root access is obtained, TR-069 Updating can be fully disabled, preventing the vendor from pushing updates to the device.

### Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on the modem will give a login prompt. root/admin or root/(nopass) depending on which modem header is connected to.

### Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be enabled by running the following:

    # cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    dropbear -p 22 -I 1800 &

    $ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
    admin@192.168.1.2's password:
    BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    #

### Device Details

Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: CVE-2018-15557

### Summary of Findings

Two instances of Linux run on the WEB6000Q. One is the “main” instance that runs the web management server, TR-069 daemon, etc., while the other is the "quantenna" management OS used to manage the wireless.

By hardcoding an IP address in the 169.254.1.0/24 network, and being on the same layer 2 network, root telnet access can be obtained on the "quantenna" management environment by accessing:

    Host: 169.254.1.2
    Port: 23
    Login: root (no password prompted)

Trust: 2.43

sources: NVD: CVE-2018-15557 // JVNDB: JVNDB-2018-015777 // CNVD: CNVD-2019-39179 // VULHUB: VHN-125828 // VULMON: CVE-2018-15557 // PACKETSTORM: 153262

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-39179

AFFECTED PRODUCTS

vendor: actiontec, model: web6000q, scope: eq, version: 1.1.02.22

Trust: 2.4

sources: CNVD: CNVD-2019-39179 // JVNDB: JVNDB-2018-015777 // NVD: CVE-2018-15557

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15557
value: HIGH

Trust: 1.0

NVD: CVE-2018-15557
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-39179
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201906-1056
value: HIGH

Trust: 0.6

VULHUB: VHN-125828
value: HIGH

Trust: 0.1

VULMON: CVE-2018-15557
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-15557
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-39179
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-125828
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15557
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-39179 // VULHUB: VHN-125828 // VULMON: CVE-2018-15557 // JVNDB: JVNDB-2018-015777 // CNNVD: CNNVD-201906-1056 // NVD: CVE-2018-15557

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-125828 // JVNDB: JVNDB-2018-015777 // NVD: CVE-2018-15557

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201906-1056

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201906-1056

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015777

PATCH

title: WEB6000Q, url: https://www.actiontec.com/products/home-networking/web6000q/

Trust: 0.8

sources: JVNDB: JVNDB-2018-015777

EXTERNAL IDS

db: PACKETSTORM, id: 153262

Trust: 3.3

db: NVD, id: CVE-2018-15557

Trust: 3.3

db: JVNDB, id: JVNDB-2018-015777

Trust: 0.8

db: CNNVD, id: CNNVD-201906-1056

Trust: 0.7

db: CNVD, id: CNVD-2019-39179

Trust: 0.6

db: VULHUB, id: VHN-125828

Trust: 0.1

db: VULMON, id: CVE-2018-15557

Trust: 0.1

sources: CNVD: CNVD-2019-39179 // VULHUB: VHN-125828 // VULMON: CVE-2018-15557 // JVNDB: JVNDB-2018-015777 // PACKETSTORM: 153262 // CNNVD: CNNVD-201906-1056 // NVD: CVE-2018-15557

REFERENCES

url:http://packetstormsecurity.com/files/153262/telus-actiontec-web6000q-privilege-escalation.html

Trust: 3.9

url:http://seclists.org/fulldisclosure/2019/jun/2

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15557

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15557

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15555

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-15556

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-15555

Trust: 0.1

sources: CNVD: CNVD-2019-39179 // VULHUB: VHN-125828 // VULMON: CVE-2018-15557 // JVNDB: JVNDB-2018-015777 // PACKETSTORM: 153262 // CNNVD: CNNVD-201906-1056 // NVD: CVE-2018-15557

CREDITS

Andrew Klaus

Trust: 0.1

sources: PACKETSTORM: 153262

SOURCES

db: CNVD, id: CNVD-2019-39179
db: VULHUB, id: VHN-125828
db: VULMON, id: CVE-2018-15557
db: JVNDB, id: JVNDB-2018-015777
db: PACKETSTORM, id: 153262
db: CNNVD, id: CNNVD-201906-1056
db: NVD, id: CVE-2018-15557

LAST UPDATE DATE

2024-11-23T22:11:59.161000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-39179, date: 2019-11-05T00:00:00
db: VULHUB, id: VHN-125828, date: 2020-08-24T00:00:00
db: VULMON, id: CVE-2018-15557, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2018-015777, date: 2019-07-03T00:00:00
db: CNNVD, id: CNNVD-201906-1056, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2018-15557, date: 2024-11-21T03:51:03.560

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-39179, date: 2019-11-05T00:00:00
db: VULHUB, id: VHN-125828, date: 2019-06-27T00:00:00
db: VULMON, id: CVE-2018-15557, date: 2019-06-27T00:00:00
db: JVNDB, id: JVNDB-2018-015777, date: 2019-07-03T00:00:00
db: PACKETSTORM, id: 153262, date: 2019-06-12T18:39:04
db: CNNVD, id: CNNVD-201906-1056, date: 2019-06-27T00:00:00
db: NVD, id: CVE-2018-15557, date: 2019-06-27T17:15:11.270