Details of VAR-202004-0538

ID

VAR-202004-0538

CVE

CVE-2020-11965

TITLE

IQrouter Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-004613

DESCRIPTION

In IQrouter through 3.3.1, there is a root user without a password, which allows attackers to gain full remote access via SSH. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”. IQrouter Exists in an inadequate protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Evenroute IQrouter is an intelligent router of American Evenroute. Evenroute IQrouter 3.3.1 and previous versions have security vulnerabilities. The vulnerability stems from the password of the root account being empty

Trust: 2.16

sources: NVD: CVE-2020-11965 // JVNDB: JVNDB-2020-004613 // CNVD: CNVD-2020-25367

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-25367

AFFECTED PRODUCTS

vendor:	evenroute	model:	iqrouter	scope:	lte	version:	3.3.1	Trust: 1.0
vendor:	evenroute	model:	iqrouter	scope:	eq	version:	3.3.1	Trust: 0.8
vendor:	evenroute	model:	iqrouter	scope:	lte	version:	<=3.3.1	Trust: 0.6

sources: CNVD: CNVD-2020-25367 // JVNDB: JVNDB-2020-004613 // NVD: CVE-2020-11965

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-11965
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2020-004613
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-25367
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202004-1784
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2020-11965
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-004613
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-25367
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-11965
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-004613
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-25367 // JVNDB: JVNDB-2020-004613 // CNNVD: CNNVD-202004-1784 // NVD: CVE-2020-11965

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.0
problemtype:	CWE-522	Trust: 0.8

sources: JVNDB: JVNDB-2020-004613 // NVD: CVE-2020-11965

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1784

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202004-1784

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004613

PATCH

title:

Top Page

url:

https://evenroute.com/

Trust: 0.8

sources: JVNDB: JVNDB-2020-004613

EXTERNAL IDS

db:	NVD	id:	CVE-2020-11965	Trust: 3.0
db:	JVNDB	id:	JVNDB-2020-004613	Trust: 0.8
db:	CNVD	id:	CNVD-2020-25367	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1784	Trust: 0.6

sources: CNVD: CNVD-2020-25367 // JVNDB: JVNDB-2020-004613 // CNNVD: CNNVD-202004-1784 // NVD: CVE-2020-11965

REFERENCES

url:	https://pastebin.com/grscsbsu	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11965	Trust: 2.0
url:	https://evenroute.zendesk.com/hc/en-us/articles/216107838-how-do-i-configure-an-iqrouter-	Trust: 1.6
url:	https://evenroute.com/	Trust: 1.6
url:	https://openwrt.org/docs/guide-quick-start/walkthrough_login	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11965	Trust: 0.8

sources: CNVD: CNVD-2020-25367 // JVNDB: JVNDB-2020-004613 // CNNVD: CNNVD-202004-1784 // NVD: CVE-2020-11965

SOURCES

db:	CNVD	id:	CNVD-2020-25367
db:	JVNDB	id:	JVNDB-2020-004613
db:	CNNVD	id:	CNNVD-202004-1784
db:	NVD	id:	CVE-2020-11965

LAST UPDATE DATE

2024-11-23T22:55:11.265000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-25367	date:	2020-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2020-004613	date:	2020-05-22T00:00:00
db:	CNNVD	id:	CNNVD-202004-1784	date:	2022-05-05T00:00:00
db:	NVD	id:	CVE-2020-11965	date:	2024-11-21T04:59:00.190

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-25367	date:	2020-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2020-004613	date:	2020-05-22T00:00:00
db:	CNNVD	id:	CNNVD-202004-1784	date:	2020-04-21T00:00:00
db:	NVD	id:	CVE-2020-11965	date:	2020-04-21T13:15:14.927