Sign-up

ID

VAR-202007-0511


CVE

CVE-2019-15310


TITLE

Linkplay User-controlled key authentication evasion vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-015776

DESCRIPTION

An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled. Linkplay There is a vulnerability in the firmware regarding authentication bypass by user-controlled keys.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Anker Zolo Halo is a smart speaker from Anker Company in the Philippines. Linkplay firmware is an application software. Provide a turnkey solution including software, voice, Wi-Fi, Bluetooth IoT/thin client modules, leading voice assistant services (such as Amazon Alexa and many popular international voice assistant services) and integration into a central mobile application Global streaming content in the program to enable smart, voice-enabled, and IoT products. There are security vulnerabilities in Linkplay firmware. Attackers can use this vulnerability to execute code

Trust: 2.79

sources: NVD: CVE-2019-15310 // JVNDB: JVNDB-2019-015776 // CNVD: CNVD-2021-18050 // CNNVD: CNNVD-202007-091 // VULMON: CVE-2019-15310

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-18050

AFFECTED PRODUCTS

vendor:linkplaymodel:linkplayscope:eqversion: -

Trust: 1.0

vendor:linkplaymodel:linkplayscope: - version: -

Trust: 0.8

vendor:ankermodel:linkplayscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-18050 // JVNDB: JVNDB-2019-015776 // NVD: CVE-2019-15310

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15310
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2019-015776
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-18050
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202007-091
value: CRITICAL

Trust: 0.6

VULMON: CVE-2019-15310
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-15310
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-015776
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-18050
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15310
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015776
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-18050 // VULMON: CVE-2019-15310 // JVNDB: JVNDB-2019-015776 // CNNVD: CNNVD-202007-091 // NVD: CVE-2019-15310

PROBLEMTYPE DATA

problemtype:CWE-639

Trust: 1.8

problemtype:CWE-78

Trust: 1.0

sources: JVNDB: JVNDB-2019-015776 // NVD: CVE-2019-15310

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-091

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-091

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-015776

PATCH
title:Linkplayurl:https://linkplay.com/featured-products/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-015776

EXTERNAL IDS
db:NVDid:CVE-2019-15310
Trust: 3.1
db:JVNDBid:JVNDB-2019-015776
Trust: 0.8
db:CNVDid:CNVD-2021-18050
Trust: 0.6
db:CNNVDid:CNNVD-202007-091
Trust: 0.6
db:VULMONid:CVE-2019-15310
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2021-18050 // 
            
            
            
            VULMON: CVE-2019-15310 // 
            
            
            
            JVNDB: JVNDB-2019-015776 // 
            
            
            
            CNNVD: CNNVD-202007-091 // 
            
            
            
            NVD: CVE-2019-15310

REFERENCES
url:https://labs.f-secure.com/advisories/linkplay-firmware-wanlan-remote-code-execution/
Trust: 2.5
url:https://labs.mwrinfosecurity.com/advisories/
Trust: 1.7
url:https://linkplay.com/featured-products/
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-15310
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15310
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/639.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULMON: CVE-2019-15310 // 
            
            
            
            JVNDB: JVNDB-2019-015776 // 
            
            
            
            CNNVD: CNNVD-202007-091 // 
            
            
            
            NVD: CVE-2019-15310

SOURCES
db:CNVDid:CNVD-2021-18050
db:VULMONid:CVE-2019-15310
db:JVNDBid:JVNDB-2019-015776
db:CNNVDid:CNNVD-202007-091
db:NVDid:CVE-2019-15310

LAST UPDATE DATE
2024-11-23T22:51:19.456000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2021-18050date:2021-03-17T00:00:00
db:VULMONid:CVE-2019-15310date:2020-07-21T00:00:00
db:JVNDBid:JVNDB-2019-015776date:2020-09-04T00:00:00
db:CNNVDid:CNNVD-202007-091date:2021-07-08T00:00:00
db:NVDid:CVE-2019-15310date:2024-11-21T04:28:25.350

SOURCES RELEASE DATE
db:CNVDid:CNVD-2021-18050date:2021-03-17T00:00:00
db:VULMONid:CVE-2019-15310date:2020-07-01T00:00:00
db:JVNDBid:JVNDB-2019-015776date:2020-09-04T00:00:00
db:CNNVDid:CNNVD-202007-091date:2020-07-01T00:00:00
db:NVDid:CVE-2019-15310date:2020-07-01T20:15:10.767