Details of VAR-202002-0890

ID

VAR-202002-0890

CVE

CVE-2018-8877

TITLE

Asuswrt-Merlin and ASUS Information leakage vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2018-016226

DESCRIPTION

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page. Asuswrt-Merlin and ASUS There is an information leakage vulnerability in the firmware.Information may be obtained. ASUS Asuswrt-Merlin is a firmware running in the routers of ASUS Corporation of Taiwan, China

Trust: 1.71

sources: NVD: CVE-2018-8877 // JVNDB: JVNDB-2018-016226 // VULHUB: VHN-138909

AFFECTED PRODUCTS

vendor:	asus	model:	asus	scope:	lt	version:	3.0.0.4.382.50470	Trust: 1.0
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	lt	version:	384.4	Trust: 1.0
vendor:	asustek computer	model:	asus	scope:	eq	version:	3.0.0.4.382.50470	Trust: 0.8
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	384.4	Trust: 0.8
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	382.1_2	Trust: 0.6
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	382.1	Trust: 0.6
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	384.3	Trust: 0.6

sources: JVNDB: JVNDB-2018-016226 // CNNVD: CNNVD-202002-1275 // NVD: CVE-2018-8877

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8877
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2018-016226
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202002-1275
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-138909
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-8877
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2018-016226
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-138909
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8877
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	JVNDB-2018-016226
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-138909 // JVNDB: JVNDB-2018-016226 // CNNVD: CNNVD-202002-1275 // NVD: CVE-2018-8877

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-138909 // JVNDB: JVNDB-2018-016226 // NVD: CVE-2018-8877

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1275

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202002-1275

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-016226

PATCH

title:	Top Page	url:	https://www.asus.com/us/	Trust: 0.8
title:	Top Page	url:	https://www.asuswrt-merlin.net/	Trust: 0.8
title:	ASUS Asuswrt-Merlin Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111223	Trust: 0.6

sources: JVNDB: JVNDB-2018-016226 // CNNVD: CNNVD-202002-1275

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8877	Trust: 2.5
db:	JVNDB	id:	JVNDB-2018-016226	Trust: 0.8
db:	CNNVD	id:	CNNVD-202002-1275	Trust: 0.7
db:	CNVD	id:	CNVD-2020-17192	Trust: 0.1
db:	VULHUB	id:	VHN-138909	Trust: 0.1

sources: VULHUB: VHN-138909 // JVNDB: JVNDB-2018-016226 // CNNVD: CNNVD-202002-1275 // NVD: CVE-2018-8877

REFERENCES

url:	https://github.com/outofhere/research/blob/master/2018/asus/cve_notes.md	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8877	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8877	Trust: 0.8

sources: VULHUB: VHN-138909 // JVNDB: JVNDB-2018-016226 // CNNVD: CNNVD-202002-1275 // NVD: CVE-2018-8877

SOURCES

db:	VULHUB	id:	VHN-138909
db:	JVNDB	id:	JVNDB-2018-016226
db:	CNNVD	id:	CNNVD-202002-1275
db:	NVD	id:	CVE-2018-8877

LAST UPDATE DATE

2024-11-23T22:41:10.828000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-138909	date:	2020-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-016226	date:	2020-03-13T00:00:00
db:	CNNVD	id:	CNNVD-202002-1275	date:	2020-03-13T00:00:00
db:	NVD	id:	CVE-2018-8877	date:	2024-11-21T04:14:30.597

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-138909	date:	2020-02-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-016226	date:	2020-03-13T00:00:00
db:	CNNVD	id:	CNNVD-202002-1275	date:	2020-02-27T00:00:00
db:	NVD	id:	CVE-2018-8877	date:	2020-02-27T22:15:13.567