CVE-2021-37915
https://notcve.org/view.php?id=CVE-2021-37915
An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdb_debug_server variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined host.
References:
http://firmware.grandstream.com/BETA/Release_Note_HT80x_1.0.29.8.pdf
http://www.grandstream.com/products/gateways-and-atas/analog-telephone-adaptors/product/ht801
https://www.secforce.com/blog/exploiting-grandstream-ht801-ata-cve-2021-37748-cve-2021-37915
CVE-2021-37748
https://notcve.org/view.php?id=CVE-2021-37748
Multiple buffer overflows in the limited configuration shell (/sbin/gs_config) on Grandstream HT801 devices before 1.0.29 allow remote authenticated users to execute arbitrary code as root via a crafted manage_if setting, thus bypassing the intended restrictions of this shell and taking full control of the device. There are default weak credentials that can be used to authenticate.
References:
https://github.com/SECFORCE/CVE-2021-37748
http://www.grandstream.com/products/gateways-and-atas/analog-telephone-adaptors/product/ht801
https://www.secforce.com/blog/exploiting-grandstream-ht801-ata-cve-2021-37748-cve-2021-37915
Weakness: CWE-787: Out-of-bounds Write
CVE-2020-5763
https://notcve.org/view.php?id=CVE-2020-5763
Grandstream HT800 series firmware version 1.0.17.5 and below contains a backdoor in the SSH service. An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt.
References:
https://www.tenable.com/security/research/tra-2020-43
https://www.tenable.com/security/research/tra-2020-47
Weaknesses: CWE-326: Inadequate Encryption Strength; CWE-489: Active Debug Code
CVE-2020-5762
https://notcve.org/view.php?id=CVE-2020-5762
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service. An unauthenticated remote attacker can stop the service due to a NULL pointer dereference in the TR-069 service. This condition is triggered due to mishandling of the HTTP Authentication field.
References:
https://www.tenable.com/security/research/tra-2020-43
https://www.tenable.com/security/research/tra-2020-47
Weakness: CWE-476: NULL Pointer Dereference
CVE-2020-5761
https://notcve.org/view.php?id=CVE-2020-5761
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to CPU exhaustion due to an infinite loop in the TR-069 service. Unauthenticated remote attackers can trigger this case by sending a one-character TCP message to the TR-069 service.
References:
https://www.tenable.com/security/research/tra-2020-43
https://www.tenable.com/security/research/tra-2020-47
Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')