Details of VAR-201908-0326

ID

VAR-201908-0326

CVE

CVE-2019-15513

TITLE

OpenWrt libuci and Motorola Vulnerability related to input validation on devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-008608

DESCRIPTION

An issue was discovered in OpenWrt libuci (aka Library for the Unified Configuration Interface) before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. /tmp/.uci/network locking is mishandled after reception of a long SetWanSettings command, leading to a device hang. Both Motorola CX2L MWR04L and Motorola C1 MWR03 are wireless routers produced by Motorola. OpenWrt libuci in Motorola CX2L MWR04L version 1.01 and Motorola C1 MWR03 version 1.01 has an input validation error vulnerability, which is caused by the program not properly handling the lock of /tmp/.uci/network after receiving a long SetWanSettings command. An attacker could exploit this vulnerability to hang the device

Trust: 1.71

sources: NVD: CVE-2019-15513 // JVNDB: JVNDB-2019-008608 // VULHUB: VHN-147567

AFFECTED PRODUCTS

vendor:	motorola	model:	c1 mwr03	scope:	eq	version:	1.01	Trust: 1.8
vendor:	motorola	model:	cx2l mwr04l	scope:	eq	version:	1.01	Trust: 1.8
vendor:	openwrt	model:	libuci	scope:	eq	version:	-	Trust: 1.0
vendor:	openwrt	model:	libuci	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-008608 // NVD: CVE-2019-15513

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15513
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-15513
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201908-1869
value:	HIGH
Trust: 0.6
VULHUB:	VHN-147567
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-15513
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-147567
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-15513
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-147567 // JVNDB: JVNDB-2019-008608 // CNNVD: CNNVD-201908-1869 // NVD: CVE-2019-15513

PROBLEMTYPE DATA

problemtype:	CWE-667	Trust: 1.1
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-147567 // JVNDB: JVNDB-2019-008608 // NVD: CVE-2019-15513

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1869

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201908-1869

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008608

PATCH

title:	トップページ	url:	https://www.motorolasolutions.com/ja_jp.html?geo=redirect	Trust: 0.8
title:	libuci	url:	https://openwrt.org/packages/pkgdata_lede17_1/libuci	Trust: 0.8

sources: JVNDB: JVNDB-2019-008608

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15513	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-008608	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-1869	Trust: 0.7
db:	VULHUB	id:	VHN-147567	Trust: 0.1

sources: VULHUB: VHN-147567 // JVNDB: JVNDB-2019-008608 // CNNVD: CNNVD-201908-1869 // NVD: CVE-2019-15513

REFERENCES

url:	https://github.com/teamseri0us/pocs/blob/master/iot/morouter/motorola%e8%b7%af%e7%94%b1%e5%99%a8%e6%96%87%e4%bb%b6%e8%a7%a3%e9%94%81%e6%bc%8f%e6%b4%9e.pdf	Trust: 2.5
url:	https://lists.infradead.org/pipermail/openwrt-devel/2019-november/019736.html	Trust: 1.7
url:	https://lists.openwrt.org/pipermail/openwrt-devel/2019-november/025453.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15513	Trust: 1.4
url:	https://git.openwrt.org/?p=project/uci.git%3ba=commitdiff%3bh=19e29ffc15dbd958e8e6a648ee0982c68353516f	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15513	Trust: 0.8
url:	https://git.openwrt.org/?p=project/uci.git;a=commitdiff;h=19e29ffc15dbd958e8e6a648ee0982c68353516f	Trust: 0.7

sources: VULHUB: VHN-147567 // JVNDB: JVNDB-2019-008608 // CNNVD: CNNVD-201908-1869 // NVD: CVE-2019-15513

SOURCES

db:	VULHUB	id:	VHN-147567
db:	JVNDB	id:	JVNDB-2019-008608
db:	CNNVD	id:	CNNVD-201908-1869
db:	NVD	id:	CVE-2019-15513

LAST UPDATE DATE

2024-11-23T22:29:59.065000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-147567	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-008608	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1869	date:	2021-01-04T00:00:00
db:	NVD	id:	CVE-2019-15513	date:	2024-11-21T04:28:54.167

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-147567	date:	2019-08-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-008608	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1869	date:	2019-08-23T00:00:00
db:	NVD	id:	CVE-2019-15513	date:	2019-08-23T07:15:10.200