FKIE_CVE-2019-13269

Vulnerability from fkie_nvd - Published: 2019-08-27 18:15 - Updated: 2024-11-21 04:24
Severity ?
8.8 (High) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.
References
cve@mitre.orghttps://orenlab.sise.bgu.ac.il/publications/CrossRouterExploit, Third Party Advisory
cve@mitre.orghttps://www.usenix.org/system/files/woot19-paper_ovadia.pdfThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://orenlab.sise.bgu.ac.il/publications/CrossRouterExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.usenix.org/system/files/woot19-paper_ovadia.pdfThird Party Advisory
Impacted products
Vendor Product Version
edimax br-6208ac_v1_firmware -
edimax br-6208ac_v1 -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:edimax:br-6208ac_v1_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5A84D9B-E71E-4C6A-B178-0338BE069EAF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:edimax:br-6208ac_v1:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1ABDDEA4-BA8C-499C-9403-6039466A2AEE",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field."
    },
    {
      "lang": "es",
      "value": "Los dispositivos Br-6208AC V1 de Edimax tienen una compartimentaci\u00f3n insuficiente entre una red host y una red de invitados establecida por el mismo dispositivo. Una petici\u00f3n DHCP se env\u00eda al router con un determinado campo del ID de transacci\u00f3n. Siguiendo el protocolo DHCP, el router responde con un mensaje ACK o NAK. El estudio del caso NAK revel\u00f3 que el router env\u00eda err\u00f3neamente el NAK a las redes del host y del invitado con el mismo ID de transacci\u00f3n que se encuentra en la petici\u00f3n DHCP. Esto permite que la codificaci\u00f3n de los datos se env\u00ede entre enrutadores en el campo ID de transacci\u00f3n de 32 bits."
    }
  ],
  "id": "CVE-2019-13269",
  "lastModified": "2024-11-21T04:24:35.340",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-27T18:15:11.030",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.