CVE-2018-15555 (GCVE-0-2018-15555)

Vulnerability from cvelistv5 – Published: 2019-06-28 14:34 – Updated: 2024-08-05 09:54

Summary

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.

Severity

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

2 references

URL	Tags
http://seclists.org/fulldisclosure/2019/Jun/1	mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/153262/Telus…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:54:03.857Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190611 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
          },
          {
            "name": "20190609 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-28T14:36:04.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20190611 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
        },
        {
          "name": "20190609 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-15555",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190611 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
            },
            {
              "name": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
            },
            {
              "name": "20190609 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-15555",
    "datePublished": "2019-06-28T14:34:51.000Z",
    "dateReserved": "2018-08-19T00:00:00.000Z",
    "dateUpdated": "2024-08-05T09:54:03.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-15555",
      "date": "2026-06-02",
      "epss": "0.01004",
      "percentile": "0.77343"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:actiontec:web6000q_firmware:1.1.02.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"15FB0A36-1830-43A8-BD4C-C4E1D1C151FC\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:actiontec:web6000q:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"12DC9F09-2F05-4EF7-A05F-F5059D25E39F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \\\"root\\\" and password \\\"admin\\\" by using the enabled onboard UART headers.\"}, {\"lang\": \"es\", \"value\": \"En los dispositivos Telus Actiontec WEB6000Q versi\\u00f3n v1.1.02.22 un atacante puede iniciar sesi\\u00f3n con acceso de nivel root con el usuario \\\"root\\\" y una contrase\\u00f1a \\\"admin\\\" utilizando los encabezados UART integrados habilitados.\"}]",
      "id": "CVE-2018-15555",
      "lastModified": "2024-11-21T03:51:03.247",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-06-28T15:15:09.937",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jun/1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jun/1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jun/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jun/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-662\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-15555\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-06-28T15:15:09.937\",\"lastModified\":\"2024-11-21T03:51:03.247\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \\\"root\\\" and password \\\"admin\\\" by using the enabled onboard UART headers.\"},{\"lang\":\"es\",\"value\":\"En los dispositivos Telus Actiontec WEB6000Q versi\u00f3n v1.1.02.22 un atacante puede iniciar sesi\u00f3n con acceso de nivel root con el usuario \\\"root\\\" y una contrase\u00f1a \\\"admin\\\" utilizando los encabezados UART integrados habilitados.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-662\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:actiontec:web6000q_firmware:1.1.02.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"15FB0A36-1830-43A8-BD4C-C4E1D1C151FC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:actiontec:web6000q:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"12DC9F09-2F05-4EF7-A05F-F5059D25E39F\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jun/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jun/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jun/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jun/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2019-39177

Vulnerability from cnvd - Published: 2019-11-05

Title

Telus Actiontec WEB6000Q权限提升漏洞

Description

Actiontec WEB6000Q是美国Actiontec公司的一款无线扩展器。 Telus Actiontec WEB6000Q 1.1.02.22版本中的Quantenna WiFi Controller存在安全漏洞。攻击者可利用该漏洞以root访问权限进行登录。

Severity

高

Formal description

目前厂商未提供修复方案，请关注厂商主页： https://www.telus.com/en/bc/support/article/mytelusteluscom-is-now-retired

Reference

https://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15555

Impacted products

Name
Actiontec WEB6000Q FIRMWARE 1.1.02.22

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-15555"
    }
  },
  "description": "Actiontec WEB6000Q\u662f\u7f8e\u56fdActiontec\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u6269\u5c55\u5668\u3002\n\nTelus Actiontec WEB6000Q 1.1.02.22\u7248\u672c\u4e2d\u7684Quantenna WiFi Controller\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u8bbf\u95ee\u6743\u9650\u8fdb\u884c\u767b\u5f55\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u672a\u63d0\u4f9b\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.telus.com/en/bc/support/article/mytelusteluscom-is-now-retired",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-39177",
  "openTime": "2019-11-05",
  "products": {
    "product": "Actiontec WEB6000Q FIRMWARE 1.1.02.22"
  },
  "referenceLink": "https://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15555",
  "serverity": "\u9ad8",
  "submitTime": "2019-06-13",
  "title": "Telus Actiontec WEB6000Q\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

FKIE_CVE-2018-15555

Vulnerability from fkie_nvd - Published: 2019-06-28 15:15 - Updated: 2024-11-21 03:51

Severity

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html	Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2019/Jun/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/Jun/1	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	actiontec	web6000q_firmware	1.1.02.22
	actiontec	web6000q	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:actiontec:web6000q_firmware:1.1.02.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "15FB0A36-1830-43A8-BD4C-C4E1D1C151FC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:actiontec:web6000q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "12DC9F09-2F05-4EF7-A05F-F5059D25E39F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers."
    },
    {
      "lang": "es",
      "value": "En los dispositivos Telus Actiontec WEB6000Q versi\u00f3n v1.1.02.22 un atacante puede iniciar sesi\u00f3n con acceso de nivel root con el usuario \"root\" y una contrase\u00f1a \"admin\" utilizando los encabezados UART integrados habilitados."
    }
  ],
  "id": "CVE-2018-15555",
  "lastModified": "2024-11-21T03:51:03.247",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-28T15:15:09.937",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-662"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-234W-XGJ2-P772

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48

Details

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-15555"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-28T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers.",
  "id": "GHSA-234w-xgj2-p772",
  "modified": "2022-05-24T16:48:59Z",
  "published": "2022-05-24T16:48:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15555"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2018-15555

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.

Aliases

CVE-2018-15555

Aliases

CVE-2018-15555

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-15555",
    "description": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers.",
    "id": "GSD-2018-15555",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-15555"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-15555"
      ],
      "details": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers.",
      "id": "GSD-2018-15555",
      "modified": "2023-12-13T01:22:24.117316Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-15555",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20190611 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
          },
          {
            "name": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
          },
          {
            "name": "20190609 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:actiontec:web6000q_firmware:1.1.02.22:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:actiontec:web6000q:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-15555"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-662"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190609 [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Jun/1"
            },
            {
              "name": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/153262/Telus-Actiontec-WEB6000Q-Privilege-Escalation.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-08-24T17:37Z",
      "publishedDate": "2019-06-28T15:15Z"
    }
  }
}

VAR-201906-0823

Vulnerability from variot - Updated: 2023-12-18 13:18

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers. Telus Actiontec WEB6000Q The device contains vulnerabilities related to authorization, authority, and access control.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Actiontec WEB6000Q is a wireless extender from American Actiontec.

The Quantenna WiFi Controller in Telus Actiontec WEB6000Q 1.1.02.22 has a security vulnerability. Actiontec Electronics WEB6000Q is a wireless extender produced by Actiontec Electronics in the United States. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Device Details

Discovered By: Andrew Klaus (andrew@aklaus.ca) Vendor: Actiontec (Telus Branded) Model: WEB6000Q Affected Firmware: 1.1.02.22

Reported: July 2018 CVE: CVE-2018-15555 (Main OS) CVE: CVE-2018-15556 (Quantenna OS)

Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard and each of them provide full shell + bootloader access.

I used a Raspberry Pi to interface with the UART header, but there are USB UART adapters to do the same thing.

Once root access is obtained, TR-069 Updating can be fully disabled, preventing the vendor from pushing updates to the device.

Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on the modem will give a login prompt. root/admin or root/(nopass) depending on which modem header connected to.

Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be enabled by running the following:

cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1

iptables -A INPUT -p tcp --dport 22 -j ACCEPT dropbear -p 22 -I 1800 &

$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.2's password:

BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash) Enter 'help' for a list of built-in commands.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ fpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI J9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI rrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq MUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp WH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX 6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU O8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h ebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj P2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0 ogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN jlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU= =POu3 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Device Details

Discovered By: Andrew Klaus (andrew@aklaus.ca) Vendor: Actiontec (Telus Branded) Model: WEB6000Q Affected Firmware: 1.1.02.22

Reported: July 2018 CVE: CVE-2018-15557

Summary of Findings

Two instances of Linux run on the WEB6000Q. One is the “main” instance that runs the web management server, TR-069 daemon, etc., while the other is the "quantenna" management OS used to manage the wireless.

By hardcoding an IP address in the 169.254.1.0/24 network, and being on the same layer 2 network, root telnet access can be obtained on the "quantenna" management environment by accessing:

Host: 169.254.1.2 Port: 23 Login: root (no password prompted)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T9cACgkQoyRid8jQ fpmyiw/+IOKANwITYMPOlXmvq4cY2ma8n5ckyeaLs2sEMTUM4OLg9Fnv7bqHxRs9 ++/sU7QPPjtMVhGIoehWqJgQp96zIV/x/JDxNlVvHn2IbYtOgSQOJ0uCxDvU7Tf5 khAmBtUSHMDq5qBlmPZxOUHnEEDjdx38OBt11Z9/yrSso5eJaXVsYs2SsEuLCzOq xH0VXi278VSx0mDVsAPT6GvAyYja+S23M49dhW48knQ9yBCt17Lhe1C04vcUNme0 GZQUUHKLBJl03mUgt91/pcRfqN+MlUMyyQiyi7w1fPQpTWONIArUM26XV+P9oLNu T08sh1vaAdaXim1AHpSURXX24TEsIYLW0Tb9SQVPMl1UZDcNq0ub9AdoAUuuXBWv nQ3jTCKlosH3GsIau1S3hlI8hoDF3li5e+bwt62JcqhI13pY1ZdcqZ+DHcbSGLN1 PW/CjPJxw05vamYzyZSgqS/FUlflzhboFp2s2/7XG8lBvt+pTQql5aYcxdcaZ1Sq TAGEXC3Kdb4BEQlqWuJNAlZWxeN6fhewb8IPDEJhdUZr2rGF9/1rmd3FlbwC6K2u 10o0lGrXVZ3hDnewwrBFNjLgvUj/nUtVlElkk1x/rsQnqDtnuKC4sS6xq9VO27Yo tW4gSB5LSjUcMVJyc0YbLjtYtd0mYem7l0dHjpnuqXst94GrHlk= =KDej -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201906-0823",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "web6000q",
        "scope": "eq",
        "trust": 3.6,
        "vendor": "actiontec",
        "version": "1.1.02.22"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:actiontec:web6000q_firmware:1.1.02.22:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:actiontec:web6000q:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Andrew Klaus",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "153262"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-15555",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2018-15555",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-39178",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-39179",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-39177",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-125826",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-15555",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-15555",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-39178",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-39179",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-39177",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201906-1094",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-125826",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-15555",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user \"root\" and password \"admin\" by using the enabled onboard UART headers. Telus Actiontec WEB6000Q The device contains vulnerabilities related to authorization, authority, and access control.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Actiontec WEB6000Q is a wireless extender from American Actiontec. \n\nThe Quantenna WiFi Controller in Telus Actiontec WEB6000Q 1.1.02.22 has a security vulnerability. Actiontec Electronics WEB6000Q is a wireless extender produced by Actiontec Electronics in the United States. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n###  Device Details\nDiscovered By: Andrew Klaus (andrew@aklaus.ca)\nVendor: Actiontec (Telus Branded)\nModel: WEB6000Q\nAffected Firmware: 1.1.02.22\n\nReported: July 2018\nCVE: CVE-2018-15555 (Main OS)\nCVE: CVE-2018-15556 (Quantenna OS)\n\n\n### Summary of Findings\n\nBoth \u201cmain\u201d and \u201cquantenna\u201d have a UART header on the motherboard and\neach of them provide full shell + bootloader access. \n\nI used a Raspberry Pi to interface with the UART header, but there are\nUSB UART adapters to do the same thing. \n\nOnce root access is obtained, TR-069 Updating can be fully disabled,\npreventing the vendor from pushing updates to the device. \n\n\n### Proof of Concept\n\nHooking up a Raspberry Pi\u0027s UART GPIO header to either UART header on\nthe modem will give a login prompt. root/admin  or root/(nopass)\ndepending on which modem header connected to. \n\n\n### Enabling SSH daemon on Main OS\n\nAfter retrieving a root shell on the main OS over UART, SSH can be\nenabled by running the following:\n\n# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\ndropbear -p 22 -I 1800 \u0026\n\n\n$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1\nadmin@192.168.1.2\u0027s password:\n\nBusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)\nEnter \u0027help\u0027 for a list of built-in commands. \n#\n\n\n\n\n\n\n\n\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ\nfpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI\nJ9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI\nrrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq\nMUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp\nWH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX\n6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU\nO8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h\nebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj\nP2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0\nogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN\njlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU=\n=POu3\n-----END PGP SIGNATURE-----\n\n\n\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n###  Device Details\nDiscovered By: Andrew Klaus (andrew@aklaus.ca)\nVendor: Actiontec (Telus Branded)\nModel: WEB6000Q\nAffected Firmware: 1.1.02.22\n\nReported: July 2018\nCVE: CVE-2018-15557\n\n\n### Summary of Findings\n\nTwo instances of Linux run on the WEB6000Q. One is the \u201cmain\u201d instance\nthat runs the web management server, TR-069 daemon, etc., while the\nother is the \"quantenna\" management OS used to manage the wireless. \n\nBy hardcoding an IP address in the 169.254.1.0/24 network, and being on\nthe same layer 2 network, root telnet access can be obtained on the\n\"quantenna\" management environment by accessing:\n\nHost: 169.254.1.2\nPort: 23\nLogin: root  (no password prompted)\n\n\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T9cACgkQoyRid8jQ\nfpmyiw/+IOKANwITYMPOlXmvq4cY2ma8n5ckyeaLs2sEMTUM4OLg9Fnv7bqHxRs9\n++/sU7QPPjtMVhGIoehWqJgQp96zIV/x/JDxNlVvHn2IbYtOgSQOJ0uCxDvU7Tf5\nkhAmBtUSHMDq5qBlmPZxOUHnEEDjdx38OBt11Z9/yrSso5eJaXVsYs2SsEuLCzOq\nxH0VXi278VSx0mDVsAPT6GvAyYja+S23M49dhW48knQ9yBCt17Lhe1C04vcUNme0\nGZQUUHKLBJl03mUgt91/pcRfqN+MlUMyyQiyi7w1fPQpTWONIArUM26XV+P9oLNu\nT08sh1vaAdaXim1AHpSURXX24TEsIYLW0Tb9SQVPMl1UZDcNq0ub9AdoAUuuXBWv\nnQ3jTCKlosH3GsIau1S3hlI8hoDF3li5e+bwt62JcqhI13pY1ZdcqZ+DHcbSGLN1\nPW/CjPJxw05vamYzyZSgqS/FUlflzhboFp2s2/7XG8lBvt+pTQql5aYcxdcaZ1Sq\nTAGEXC3Kdb4BEQlqWuJNAlZWxeN6fhewb8IPDEJhdUZr2rGF9/1rmd3FlbwC6K2u\n10o0lGrXVZ3hDnewwrBFNjLgvUj/nUtVlElkk1x/rsQnqDtnuKC4sS6xq9VO27Yo\ntW4gSB5LSjUcMVJyc0YbLjtYtd0mYem7l0dHjpnuqXst94GrHlk=\n=KDej\n-----END PGP SIGNATURE-----\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "db": "PACKETSTORM",
        "id": "153262"
      }
    ],
    "trust": 3.51
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "PACKETSTORM",
        "id": "153262",
        "trust": 4.5
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555",
        "trust": 4.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "PACKETSTORM",
        "id": "153262"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "id": "VAR-201906-0823",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      }
    ],
    "trust": 2.5666667
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:18:42.046000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "WEB6000Q",
        "trust": 0.8,
        "url": "https://www.actiontec.com/products/home-networking/web6000q/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-662",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-264",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 5.1,
        "url": "http://packetstormsecurity.com/files/153262/telus-actiontec-web6000q-privilege-escalation.html"
      },
      {
        "trust": 2.6,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15555"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2019/jun/1"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15555"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/662.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15556"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15557"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "PACKETSTORM",
        "id": "153262"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "db": "PACKETSTORM",
        "id": "153262"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "date": "2019-06-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "date": "2019-06-28T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "date": "2019-07-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "date": "2019-06-12T18:39:04",
        "db": "PACKETSTORM",
        "id": "153262"
      },
      {
        "date": "2019-06-28T15:15:09.937000",
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "date": "2019-06-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39178"
      },
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39179"
      },
      {
        "date": "2019-11-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-39177"
      },
      {
        "date": "2020-08-24T00:00:00",
        "db": "VULHUB",
        "id": "VHN-125826"
      },
      {
        "date": "2020-08-24T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-15555"
      },
      {
        "date": "2019-07-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      },
      {
        "date": "2020-08-24T17:37:01.140000",
        "db": "NVD",
        "id": "CVE-2018-15555"
      },
      {
        "date": "2020-08-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Telus Actiontec WEB6000Q Vulnerabilities related to authorization, authority, and access control in devices",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015802"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control issues",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1094"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-15555 (GCVE-0-2018-15555)

CNVD-2019-39177

FKIE_CVE-2018-15555

GHSA-234W-XGJ2-P772

GSD-2018-15555

VAR-201906-0823

Device Details

Summary of Findings

Proof of Concept

Enabling SSH daemon on Main OS

cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1

Device Details

Summary of Findings

Tags

Sightings

Nomenclature