CVE-2017-6094 (GCVE-0-2017-6094)

Vulnerability from cvelistv5 – Published: 2017-12-20 20:00 – Updated: 2024-08-05 15:18
Summary
CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain "chk" value (48bit) derived from the MAC. The algorithm used to compute the "chk" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid "chk" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://seclists.org/fulldisclosure/2017/Dec/62 (tags: mailing-list, x_refsource_FULLDISC)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:18:49.781Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Dec/62"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-12-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \"chk\" value (48bit) derived from the MAC. The algorithm used to compute the \"chk\" was disclosed by reverse engineering the CPE\u0027s firmware. As a result, it is possible to forge valid \"chk\" values for any given MAC address and therefore receive the configuration settings of other subscribers\u0027 CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-20T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Dec/62"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-6094",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \"chk\" value (48bit) derived from the MAC. The algorithm used to compute the \"chk\" was disclosed by reverse engineering the CPE\u0027s firmware. As a result, it is possible to forge valid \"chk\" values for any given MAC address and therefore receive the configuration settings of other subscribers\u0027 CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2017/Dec/62"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-6094",
    "datePublished": "2017-12-20T20:00:00",
    "dateReserved": "2017-02-18T00:00:00",
    "dateUpdated": "2024-08-05T15:18:49.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:genexis:gaps:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.2\", \"matchCriteriaId\": \"B390447F-1540-4A24-AD01-57E95DF00953\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \\\"chk\\\" value (48bit) derived from the MAC. The algorithm used to compute the \\\"chk\\\" was disclosed by reverse engineering the CPE\u0027s firmware. As a result, it is possible to forge valid \\\"chk\\\" values for any given MAC address and therefore receive the configuration settings of other subscribers\u0027 CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2.\"}, {\"lang\": \"es\", \"value\": \"Los CPE utilizados por los suscriptores en la red de acceso reciben su configuraci\\u00f3n individual desde una instancia GAPS central. Un CPE se identifica por la direcci\\u00f3n MAC de su interfaz WAN y un valor determinado \\\"chk\\\" (48bit) derivado del MAC. El algoritmo utilizado para calcular el \\\"chk\\\" fue revelado mediante ingenier\\u00eda inversa en el firmware del CPE. Como resultado, es posible forjar valores \\\"chk\\\" v\\u00e1lidos para cualquier direcci\\u00f3n MAC dada y por lo tanto recibir los ajustes de configuraci\\u00f3n de CPE de otros suscriptores. Los ajustes de configuraci\\u00f3n suelen contener valores sensibles, por ejemplo, credenciales (nombre de usuario/contrase\\u00f1a) para servicios VoIP. Esta situaci\\u00f3n afecta a Genexis B. V. GAPS hasta la versi\\u00f3n 7.2.\"}]",
      "id": "CVE-2017-6094",
      "lastModified": "2024-11-21T03:29:04.437",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-12-20T20:29:00.573",
      "references": "[{\"url\": \"http://seclists.org/fulldisclosure/2017/Dec/62\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Mailing List\", \"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2017/Dec/62\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-6094\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-12-20T20:29:00.573\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \\\"chk\\\" value (48bit) derived from the MAC. The algorithm used to compute the \\\"chk\\\" was disclosed by reverse engineering the CPE\u0027s firmware. As a result, it is possible to forge valid \\\"chk\\\" values for any given MAC address and therefore receive the configuration settings of other subscribers\u0027 CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2.\"},{\"lang\":\"es\",\"value\":\"Los CPE utilizados por los suscriptores en la red de acceso reciben su configuraci\u00f3n individual desde una instancia GAPS central. Un CPE se identifica por la direcci\u00f3n MAC de su interfaz WAN y un valor determinado \\\"chk\\\" (48bit) derivado del MAC. El algoritmo utilizado para calcular el \\\"chk\\\" fue revelado mediante ingenier\u00eda inversa en el firmware del CPE. Como resultado, es posible forjar valores \\\"chk\\\" v\u00e1lidos para cualquier direcci\u00f3n MAC dada y por lo tanto recibir los ajustes de configuraci\u00f3n de CPE de otros suscriptores. Los ajustes de configuraci\u00f3n suelen contener valores sensibles, por ejemplo, credenciales (nombre de usuario/contrase\u00f1a) para servicios VoIP. Esta situaci\u00f3n afecta a Genexis B. V. 
GAPS hasta la versi\u00f3n 7.2.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:genexis:gaps:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.2\",\"matchCriteriaId\":\"B390447F-1540-4A24-AD01-57E95DF00953\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2017/Dec/62\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2017/Dec/62\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}

