ID

VAR-201909-0036


CVE

CVE-2019-6005


TITLE

Smart TV Box fails to restrict access permissions

Trust: 0.8

sources: JVNDB: JVNDB-2019-000053

DESCRIPTION

Smart TV Box firmware versions prior to 1300 allow remote attackers to bypass access restrictions and conduct arbitrary operations on the device without the user's intent, such as installing arbitrary software or changing the device settings, via Android Debug Bridge port 5555/TCP. When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled. However, if the original setting is changed later, for example by enabling a direct connection from the LAN side interface to the internet, access to Android Debug Bridge via port 5555/TCP of the LAN side interface becomes enabled. Yoshiki Mori and Masaki Kubo of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA.

Trust: 2.16

sources: NVD: CVE-2019-6005 // JVNDB: JVNDB-2019-000053 // CNVD: CNVD-2019-29564

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-29564

AFFECTED PRODUCTS

vendor: kddi, model: smart tv box, scope: lt, version: 1300

Trust: 1.6

vendor: kddi, model: smart tv box, scope: eq, version: firmware version prior to 1300

Trust: 0.8

sources: CNVD: CNVD-2019-29564 // JVNDB: JVNDB-2019-000053 // NVD: CVE-2019-6005

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6005
value: CRITICAL

Trust: 1.0

IPA: JVNDB-2019-000053
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-29564
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201908-1927
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2019-6005
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2019-000053
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2019-29564
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-6005
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2019-000053
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-29564 // JVNDB: JVNDB-2019-000053 // CNNVD: CNNVD-201908-1927 // NVD: CVE-2019-6005

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2019-000053 // NVD: CVE-2019-6005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1927

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201908-1927

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-000053

PATCH

title: KDDI CORPORATION website, url: https://news.kddi.com/kddi/cable-service/smart-tv-box/201902273642.html

Trust: 0.8

title: Patch for KDDI Smart TV Box Access Control Error Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/178017

Trust: 0.6

title: KDDI Smart TV Box Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96979

Trust: 0.6

sources: CNVD: CNVD-2019-29564 // JVNDB: JVNDB-2019-000053 // CNNVD: CNNVD-201908-1927

EXTERNAL IDS

db: NVD, id: CVE-2019-6005

Trust: 3.0

db: JVN, id: JVN17127920

Trust: 2.4

db: JVNDB, id: JVNDB-2019-000053

Trust: 1.4

db: CNVD, id: CNVD-2019-29564

Trust: 0.6

db: CNNVD, id: CNNVD-201908-1927

Trust: 0.6

sources: CNVD: CNVD-2019-29564 // JVNDB: JVNDB-2019-000053 // CNNVD: CNNVD-201908-1927 // NVD: CVE-2019-6005

REFERENCES

url:http://jvn.jp/en/jp/jvn17127920/index.html

Trust: 2.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6005

Trust: 1.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-6005

Trust: 1.4

url:https://jvndb.jvn.jp/en/contents/2019/jvndb-2019-000053.html

Trust: 0.6

sources: CNVD: CNVD-2019-29564 // JVNDB: JVNDB-2019-000053 // CNNVD: CNNVD-201908-1927 // NVD: CVE-2019-6005

SOURCES

db: CNVD, id: CNVD-2019-29564
db: JVNDB, id: JVNDB-2019-000053
db: CNNVD, id: CNNVD-201908-1927
db: NVD, id: CVE-2019-6005

LAST UPDATE DATE

2024-11-23T22:25:47.654000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-29564, date: 2019-09-05T00:00:00
db: JVNDB, id: JVNDB-2019-000053, date: 2019-10-08T00:00:00
db: CNNVD, id: CNNVD-201908-1927, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-6005, date: 2024-11-21T04:45:54.090

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-29564, date: 2019-08-30T00:00:00
db: JVNDB, id: JVNDB-2019-000053, date: 2019-08-23T00:00:00
db: CNNVD, id: CNNVD-201908-1927, date: 2019-08-23T00:00:00
db: NVD, id: CVE-2019-6005, date: 2019-09-12T17:15:14.500