ID

VAR-201909-0693


CVE

CVE-2019-13140


TITLE

Inteno Group EG200 Configuration Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-33123 // CNNVD: CNNVD-201909-765

DESCRIPTION

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP. Inteno EG200 routers contain information disclosure vulnerabilities due to differences in responses to security-related processing. Information may be obtained. The Inteno Group EG200 is a home gateway device from Inteno Group, Sweden. A configuration error vulnerability exists in the Inteno Group EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 version, which can be exploited by an attacker to extract 3DES keys using JSON commands.

Trust: 2.25

sources: NVD: CVE-2019-13140 // JVNDB: JVNDB-2019-009426 // CNVD: CNVD-2019-33123 // VULHUB: VHN-144957

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-33123

AFFECTED PRODUCTS

vendor: intenogroup, model: eg200, scope: eq, version: eg200-wu7p1u_adamo3.16.4-190226_1650

Trust: 1.0

vendor: inteno, model: eg200, scope: eq, version: eg200-wu7p1u_adamo3.16.4-190226_1650

Trust: 0.8

vendor: inteno, model: group eg200 eg200-wu7p1u adamo3.16.4-190226 1650, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2019-33123 // JVNDB: JVNDB-2019-009426 // NVD: CVE-2019-13140

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13140
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-13140
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-33123
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201909-765
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144957
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13140
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2019-13140
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2019-33123
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-144957
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-13140
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-13140
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-33123 // VULHUB: VHN-144957 // JVNDB: JVNDB-2019-009426 // CNNVD: CNNVD-201909-765 // NVD: CVE-2019-13140

PROBLEMTYPE DATA

problemtype:CWE-552

Trust: 1.0

problemtype:CWE-203

Trust: 0.9

sources: VULHUB: VHN-144957 // JVNDB: JVNDB-2019-009426 // NVD: CVE-2019-13140

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-765

TYPE

configuration error

Trust: 0.6

sources: CNNVD: CNNVD-201909-765

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009426

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-144957

PATCH

title: EG200, url: https://www.intenogroup.com/products/gateways/eg200/

Trust: 0.8

title: Inteno Group EG200 Configuration Error Vulnerability Patch, url: https://www.cnvd.org.cn/patchInfo/show/182201

Trust: 0.6

title: Inteno Group EG200 Fixes for configuration error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98302

Trust: 0.6

sources: CNVD: CNVD-2019-33123 // JVNDB: JVNDB-2019-009426 // CNNVD: CNNVD-201909-765

EXTERNAL IDS

db: NVD, id: CVE-2019-13140

Trust: 3.1

db: PACKETSTORM, id: 154494

Trust: 3.1

db: EXPLOIT-DB, id: 47390

Trust: 2.3

db: JVNDB, id: JVNDB-2019-009426

Trust: 0.8

db: CNNVD, id: CNNVD-201909-765

Trust: 0.7

db: CNVD, id: CNVD-2019-33123

Trust: 0.6

db: VULHUB, id: VHN-144957

Trust: 0.1

sources: CNVD: CNVD-2019-33123 // VULHUB: VHN-144957 // JVNDB: JVNDB-2019-009426 // CNNVD: CNNVD-201909-765 // NVD: CVE-2019-13140

REFERENCES

url:http://packetstormsecurity.com/files/154494/inteno-iopsys-gateway-3des-key-extraction-improper-access.html

Trust: 3.1

url:https://www.exploit-db.com/exploits/47390

Trust: 2.3

url:https://twitter.com/gerardfuguet/status/1169298861782896642

Trust: 2.3

url:https://www.exploit-db.com/docs/47397

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13140

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13140

Trust: 0.8

sources: CNVD: CNVD-2019-33123 // VULHUB: VHN-144957 // JVNDB: JVNDB-2019-009426 // CNNVD: CNNVD-201909-765 // NVD: CVE-2019-13140

CREDITS

Gerard Fuguet

Trust: 0.6

sources: CNNVD: CNNVD-201909-765

SOURCES

db: CNVD, id: CNVD-2019-33123
db: VULHUB, id: VHN-144957
db: JVNDB, id: JVNDB-2019-009426
db: CNNVD, id: CNNVD-201909-765
db: NVD, id: CVE-2019-13140

LAST UPDATE DATE

2024-11-23T22:11:50.249000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-33123, date: 2019-09-26T00:00:00
db: VULHUB, id: VHN-144957, date: 2019-09-18T00:00:00
db: JVNDB, id: JVNDB-2019-009426, date: 2019-09-20T00:00:00
db: CNNVD, id: CNNVD-201909-765, date: 2022-04-01T00:00:00
db: NVD, id: CVE-2019-13140, date: 2024-11-21T04:24:16.807

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-33123, date: 2019-09-26T00:00:00
db: VULHUB, id: VHN-144957, date: 2019-09-16T00:00:00
db: JVNDB, id: JVNDB-2019-009426, date: 2019-09-20T00:00:00
db: CNNVD, id: CNNVD-201909-765, date: 2019-09-16T00:00:00
db: NVD, id: CVE-2019-13140, date: 2019-09-16T17:15:13.277