Details of VAR-202102-0101

ID

VAR-202102-0101

CVE

CVE-2020-13859

TITLE

Mofi Network MOFI-GXeLTE certification bypass vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-13970

DESCRIPTION

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature. Mofi Network MOFI4500-4GXeLTE is a wireless router of Mofi Network Company. Attackers can use the vulnerabilities to log in to the mofidev user with any password. After logging in, the root user's password can be modified

Trust: 1.53

sources: NVD: CVE-2020-13859 // CNVD: CNVD-2021-13970 // VULMON: CVE-2020-13859

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-13970

AFFECTED PRODUCTS

vendor:	mofinetwork	model:	mofi4500-4gxelte	scope:	eq	version:	4.0.8-std	Trust: 1.0
vendor:	mofi	model:	network mofi4500-4gxelte 4.0.8-std	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-13970 // NVD: CVE-2020-13859

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-13859
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2021-13970
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202101-2606
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2020-13859
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-13859
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-13970
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-13859
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-13970 // VULMON: CVE-2020-13859 // CNNVD: CNNVD-202101-2606 // NVD: CVE-2020-13859

PROBLEMTYPE DATA

problemtype:	CWE-755	Trust: 1.0
problemtype:	CWE-287	Trust: 1.0

sources: NVD: CVE-2020-13859

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-2606

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-2606

PATCH

title:	Patch for Mofi Network MOFI-GXeLTE certification bypass vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/250446	Trust: 0.6
title:	Mofi Network MOFI-GXeLTE Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140637	Trust: 0.6

sources: CNVD: CNVD-2021-13970 // CNNVD: CNNVD-202101-2606

EXTERNAL IDS

db:	NVD	id:	CVE-2020-13859	Trust: 2.3
db:	CNVD	id:	CNVD-2021-13970	Trust: 0.6
db:	CNNVD	id:	CNNVD-202101-2606	Trust: 0.6
db:	VULMON	id:	CVE-2020-13859	Trust: 0.1

sources: CNVD: CNVD-2021-13970 // VULMON: CVE-2020-13859 // CNNVD: CNNVD-202101-2606 // NVD: CVE-2020-13859

REFERENCES

url:	https://mofinetwork.com/index.php?main_page=page&id=14	Trust: 1.7
url:	https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13859	Trust: 1.2
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-13970 // VULMON: CVE-2020-13859 // CNNVD: CNNVD-202101-2606 // NVD: CVE-2020-13859

SOURCES

db:	CNVD	id:	CNVD-2021-13970
db:	VULMON	id:	CVE-2020-13859
db:	CNNVD	id:	CNNVD-202101-2606
db:	NVD	id:	CVE-2020-13859

LAST UPDATE DATE

2024-11-23T22:11:08.343000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-13970	date:	2021-03-03T00:00:00
db:	VULMON	id:	CVE-2020-13859	date:	2021-02-04T00:00:00
db:	CNNVD	id:	CNNVD-202101-2606	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2020-13859	date:	2024-11-21T05:02:01.560

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-13970	date:	2021-03-02T00:00:00
db:	VULMON	id:	CVE-2020-13859	date:	2021-02-01T00:00:00
db:	CNNVD	id:	CNNVD-202101-2606	date:	2021-01-31T00:00:00
db:	NVD	id:	CVE-2020-13859	date:	2021-02-01T02:15:14.800