Sign-up

ID

VAR-202002-0270


CVE

CVE-2019-12511


TITLE

NETGEAR Nighthawk X10-R9000 In OS Command injection vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-014700

DESCRIPTION

In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point. NETGEAR Nighthawk X10-R9000 To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR Nighthawk X10-R9000 is a wireless router from NETGEAR. The vulnerability stems from the fact that the network system or product did not properly filter the special elements in the process of constructing executable commands from external input data. An attacker could use this vulnerability to execute an illegal command

Trust: 2.16

sources: NVD: CVE-2019-12511 // JVNDB: JVNDB-2019-014700 // CNVD: CNVD-2020-13467

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-13467

AFFECTED PRODUCTS

vendor:netgearmodel:nighthawk x10-r9000scope:ltversion:1.0.4.26

Trust: 1.6

vendor:netgearmodel:nighthawk x10 r9000scope:eqversion:1.0.4.26

Trust: 0.8

vendor:netgearmodel:nighthawk x10-r9000scope:eqversion: -

Trust: 0.6

vendor:netgearmodel:nighthawk x10-r9000scope:eqversion:1.0.4.24

Trust: 0.6

sources: CNVD: CNVD-2020-13467 // JVNDB: JVNDB-2019-014700 // CNNVD: CNNVD-201909-918 // NVD: CVE-2019-12511

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12511
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2019-014700
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-13467
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201909-918
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-12511
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014700
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13467
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-12511
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014700
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-13467 // JVNDB: JVNDB-2019-014700 // CNNVD: CNNVD-201909-918 // NVD: CVE-2019-12511

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-014700 // NVD: CVE-2019-12511

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-918

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-918

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014700

PATCH
title:Model: R9000url:https://www.netgear.com/home/products/networking/wifi-routers/R9000.aspx
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-014700

EXTERNAL IDS
db:NVDid:CVE-2019-12511
Trust: 3.0
db:JVNDBid:JVNDB-2019-014700
Trust: 0.8
db:CNVDid:CNVD-2020-13467
Trust: 0.6
db:CNNVDid:CNNVD-201909-918
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13467 // 
            
            
            
            JVNDB: JVNDB-2019-014700 // 
            
            
            
            CNNVD: CNNVD-201909-918 // 
            
            
            
            NVD: CVE-2019-12511

REFERENCES
url:https://www.ise.io/casestudies/sohopelessly-broken-2-0/
Trust: 2.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-12511
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12511
Trust: 0.8
url:https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-13467 // 
            
            
            
            JVNDB: JVNDB-2019-014700 // 
            
            
            
            CNNVD: CNNVD-201909-918 // 
            
            
            
            NVD: CVE-2019-12511

CREDITS
Rick Ramgattie,Shaun Mirani, Joshua Meyer, and Ian Sindermann
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201909-918

SOURCES
db:CNVDid:CNVD-2020-13467
db:JVNDBid:JVNDB-2019-014700
db:CNNVDid:CNNVD-201909-918
db:NVDid:CVE-2019-12511

LAST UPDATE DATE
2024-11-23T22:29:46.822000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-13467date:2020-02-25T00:00:00
db:JVNDBid:JVNDB-2019-014700date:2020-03-10T00:00:00
db:CNNVDid:CNNVD-201909-918date:2020-03-12T00:00:00
db:NVDid:CVE-2019-12511date:2024-11-21T04:23:00.173

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-13467date:2020-02-25T00:00:00
db:JVNDBid:JVNDB-2019-014700date:2020-03-10T00:00:00
db:CNNVDid:CNNVD-201909-918date:2019-09-16T00:00:00
db:NVDid:CVE-2019-12511date:2020-02-24T19:15:13.513