ID

VAR-202004-0537


CVE

CVE-2020-11964


TITLE

IQrouter Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-004619

DESCRIPTION

In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”. IQrouter contains an inadequate protection of credentials vulnerability. Information may be tampered with. Evenroute IQrouter is an intelligent router from the American company Evenroute. Evenroute IQrouter 3.3.1 and previous versions have a security vulnerability in the ‘diag_set_password’ function in the web panel.

Trust: 2.16

sources: NVD: CVE-2020-11964 // JVNDB: JVNDB-2020-004619 // CNVD: CNVD-2020-25366

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-25366

AFFECTED PRODUCTS

vendor: evenroute, model: iqrouter, scope: lte, version: 3.3.1

Trust: 1.0

vendor: evenroute, model: iqrouter, scope: eq, version: 3.3.1

Trust: 0.8

vendor: evenroute, model: iqrouter, scope: lte, version: <=3.3.1

Trust: 0.6

sources: CNVD: CNVD-2020-25366 // JVNDB: JVNDB-2020-004619 // NVD: CVE-2020-11964

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11964
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-004619
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-25366
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202004-1800
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-11964
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-004619
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-25366
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-11964
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004619
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-25366 // JVNDB: JVNDB-2020-004619 // CNNVD: CNNVD-202004-1800 // NVD: CVE-2020-11964

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.0

problemtype: CWE-522

Trust: 0.8

sources: JVNDB: JVNDB-2020-004619 // NVD: CVE-2020-11964

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1800

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202004-1800

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004619

PATCH

title: Top Page, url: https://evenroute.com/

Trust: 0.8

sources: JVNDB: JVNDB-2020-004619

EXTERNAL IDS

db: NVD, id: CVE-2020-11964

Trust: 3.0

db: JVNDB, id: JVNDB-2020-004619

Trust: 0.8

db: CNVD, id: CNVD-2020-25366

Trust: 0.6

db: CNNVD, id: CNNVD-202004-1800

Trust: 0.6

sources: CNVD: CNVD-2020-25366 // JVNDB: JVNDB-2020-004619 // CNNVD: CNNVD-202004-1800 // NVD: CVE-2020-11964

REFERENCES

url:https://pastebin.com/grscsbsu

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-11964

Trust: 2.0

url:https://evenroute.zendesk.com/hc/en-us/articles/216107838-how-do-i-configure-an-iqrouter-

Trust: 1.6

url:https://evenroute.com/

Trust: 1.6

url:https://openwrt.org/docs/guide-quick-start/walkthrough_login

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11964

Trust: 0.8

sources: CNVD: CNVD-2020-25366 // JVNDB: JVNDB-2020-004619 // CNNVD: CNNVD-202004-1800 // NVD: CVE-2020-11964

SOURCES

db: CNVD, id: CNVD-2020-25366
db: JVNDB, id: JVNDB-2020-004619
db: CNNVD, id: CNNVD-202004-1800
db: NVD, id: CVE-2020-11964

LAST UPDATE DATE

2024-11-23T21:51:35.583000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-25366, date: 2020-04-28T00:00:00
db: JVNDB, id: JVNDB-2020-004619, date: 2020-05-22T00:00:00
db: CNNVD, id: CNNVD-202004-1800, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2020-11964, date: 2024-11-21T04:59:00.037

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-25366, date: 2020-04-28T00:00:00
db: JVNDB, id: JVNDB-2020-004619, date: 2020-05-22T00:00:00
db: CNNVD, id: CNNVD-202004-1800, date: 2020-04-21T00:00:00
db: NVD, id: CVE-2020-11964, date: 2020-04-21T13:15:14.847