Sign-up

ID

VAR-202004-0536


CVE

CVE-2020-11963


TITLE

Evenroute IQrouter operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-25365 // CNNVD: CNNVD-202004-1801

DESCRIPTION

IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”. IQrouter To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Evenroute IQrouter is an intelligent router of American Evenroute. Attackers can use this vulnerability to gain root permissions

Trust: 2.16

sources: NVD: CVE-2020-11963 // JVNDB: JVNDB-2020-004618 // CNVD: CNVD-2020-25365

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-25365

AFFECTED PRODUCTS

vendor:evenroutemodel:iqrouterscope:lteversion:3.3.1

Trust: 1.0

vendor:evenroutemodel:iqrouterscope:eqversion:3.3.1

Trust: 0.8

vendor:evenroutemodel:iqrouterscope:lteversion:<=3.3.1

Trust: 0.6

sources: CNVD: CNVD-2020-25365 // JVNDB: JVNDB-2020-004618 // NVD: CVE-2020-11963

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11963
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-004618
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-25365
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202004-1801
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-11963
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-004618
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-25365
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-11963
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004618
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-25365 // JVNDB: JVNDB-2020-004618 // CNNVD: CNNVD-202004-1801 // NVD: CVE-2020-11963

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2020-004618 // NVD: CVE-2020-11963

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1801

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202004-1801

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-004618

PATCH
title:Top Pageurl:https://evenroute.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2020-004618

EXTERNAL IDS
db:NVDid:CVE-2020-11963
Trust: 3.0
db:JVNDBid:JVNDB-2020-004618
Trust: 0.8
db:CNVDid:CNVD-2020-25365
Trust: 0.6
db:CNNVDid:CNNVD-202004-1801
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-25365 // 
            
            
            
            JVNDB: JVNDB-2020-004618 // 
            
            
            
            CNNVD: CNNVD-202004-1801 // 
            
            
            
            NVD: CVE-2020-11963

REFERENCES
url:https://pastebin.com/grscsbsu
Trust: 2.4
url:https://nvd.nist.gov/vuln/detail/cve-2020-11963
Trust: 2.0
url:https://evenroute.zendesk.com/hc/en-us/articles/216107838-how-do-i-configure-an-iqrouter-
Trust: 1.6
url:https://evenroute.com/
Trust: 1.6
url:https://openwrt.org/docs/guide-quick-start/walkthrough_login
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11963
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2020-25365 // 
            
            
            
            JVNDB: JVNDB-2020-004618 // 
            
            
            
            CNNVD: CNNVD-202004-1801 // 
            
            
            
            NVD: CVE-2020-11963

SOURCES
db:CNVDid:CNVD-2020-25365
db:JVNDBid:JVNDB-2020-004618
db:CNNVDid:CNNVD-202004-1801
db:NVDid:CVE-2020-11963

LAST UPDATE DATE
2024-11-23T22:11:34.818000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-25365date:2020-04-28T00:00:00
db:JVNDBid:JVNDB-2020-004618date:2020-05-22T00:00:00
db:CNNVDid:CNNVD-202004-1801date:2020-12-01T00:00:00
db:NVDid:CVE-2020-11963date:2024-11-21T04:58:59.887

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-25365date:2020-04-28T00:00:00
db:JVNDBid:JVNDB-2020-004618date:2020-05-22T00:00:00
db:CNNVDid:CNNVD-202004-1801date:2020-04-21T00:00:00
db:NVDid:CVE-2020-11963date:2020-04-21T13:15:14.770