CVE-2017-6900

Severity Score: 9.8 (CVSS v3)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue is with the login script and wrongpass Python script used for authentication. When calling wrongpass, the variables $VAL0 and $VAL1 should be enclosed in quotes to prevent the potential for Bash command injection. Further to this, VAL0 and VAL1 should be sanitised to ensure they do not contain malicious characters. Passing it the username of '-' will cause it to time out and log the user in because of poor error handling. This will log the attacker in as an administrator where the telnet / ssh services can be enabled, and the credentials for local users can be reset. Also, login.cgi accepts the username as a GET parameter, so login can be achieved by browsing to the /cgi-bin/login.cgi?username=-%20a URI.


*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-03-14 CVE Reserved
  • 2019-07-03 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-255: Credentials Management Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor      | Product              | Version | Other | Status   | Running on (Vendor / Product / Version / Status)
Riello-ups  | Netman 204 Firmware  | 14-2    | -     | Affected | Riello-ups / Netman 204 / -- / Safe
Riello-ups  | Netman 204 Firmware  | 15-2    | -     | Affected | Riello-ups / Netman 204 / -- / Safe