Details of VAR-202002-0891

ID

VAR-202002-0891

CVE

CVE-2018-8878

TITLE

Asuswrt-Merlin and ASUS Information leakage vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2018-016227

DESCRIPTION

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page. Asuswrt-Merlin and ASUS There is an information leakage vulnerability in the firmware.Information may be obtained. ASUS Asuswrt-Merlin is a firmware running in the routers of ASUS Corporation of Taiwan, China

Trust: 1.71

sources: NVD: CVE-2018-8878 // JVNDB: JVNDB-2018-016227 // VULHUB: VHN-138910

AFFECTED PRODUCTS

vendor:	asus	model:	asus	scope:	lt	version:	3.0.0.4.382.50470	Trust: 1.0
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	lt	version:	384.4	Trust: 1.0
vendor:	asustek computer	model:	asus	scope:	eq	version:	384.4	Trust: 0.8
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	3.0.0.4.382.50470	Trust: 0.8
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	382.1_2	Trust: 0.6
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	382.1	Trust: 0.6
vendor:	asuswrt merlin	model:	asuswrt-merlin	scope:	eq	version:	384.3	Trust: 0.6

sources: JVNDB: JVNDB-2018-016227 // CNNVD: CNNVD-202002-1276 // NVD: CVE-2018-8878

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8878
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2018-016227
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202002-1276
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-138910
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-8878
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2018-016227
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-138910
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8878
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	JVNDB-2018-016227
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-138910 // JVNDB: JVNDB-2018-016227 // CNNVD: CNNVD-202002-1276 // NVD: CVE-2018-8878

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-138910 // JVNDB: JVNDB-2018-016227 // NVD: CVE-2018-8878

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1276

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202002-1276

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-016227

PATCH

title:	Top Page	url:	https://www.asus.com/us/	Trust: 0.8
title:	Top Page	url:	https://www.asuswrt-merlin.net/	Trust: 0.8
title:	ASUS Asuswrt-Merlin Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111224	Trust: 0.6

sources: JVNDB: JVNDB-2018-016227 // CNNVD: CNNVD-202002-1276

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8878	Trust: 2.5
db:	JVNDB	id:	JVNDB-2018-016227	Trust: 0.8
db:	CNNVD	id:	CNNVD-202002-1276	Trust: 0.7
db:	CNVD	id:	CNVD-2020-17191	Trust: 0.1
db:	VULHUB	id:	VHN-138910	Trust: 0.1

sources: VULHUB: VHN-138910 // JVNDB: JVNDB-2018-016227 // CNNVD: CNNVD-202002-1276 // NVD: CVE-2018-8878

REFERENCES

url:	https://github.com/outofhere/research/blob/master/2018/asus/cve_notes.md	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8878	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8878	Trust: 0.8

sources: VULHUB: VHN-138910 // JVNDB: JVNDB-2018-016227 // CNNVD: CNNVD-202002-1276 // NVD: CVE-2018-8878

SOURCES

db:	VULHUB	id:	VHN-138910
db:	JVNDB	id:	JVNDB-2018-016227
db:	CNNVD	id:	CNNVD-202002-1276
db:	NVD	id:	CVE-2018-8878

LAST UPDATE DATE

2024-11-23T22:16:38.617000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-138910	date:	2020-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-016227	date:	2020-03-13T00:00:00
db:	CNNVD	id:	CNNVD-202002-1276	date:	2020-03-13T00:00:00
db:	NVD	id:	CVE-2018-8878	date:	2024-11-21T04:14:30.760

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-138910	date:	2020-02-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-016227	date:	2020-03-13T00:00:00
db:	CNNVD	id:	CNNVD-202002-1276	date:	2020-02-27T00:00:00
db:	NVD	id:	CVE-2018-8878	date:	2020-02-27T22:15:13.627