8.8

CVE-2018-10532

Exploit

EPSS 0.07%
Veröffentlicht 30.10.2018 18:29:00
Zuletzt bearbeitet 21.11.2024 03:41:30
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices. Hardcoded root SSH credentials were discovered to be stored within the "core_app" binary utilised by the EE router for networking services. An attacker with knowledge of the default password (oelinux123) could login to the router via SSH as the root user, which could allow for the loss of confidentiality, integrity, and availability of the system. This would also allow for the bypass of the "AP Isolation" mode that is supported by the router, as well as the settings for multiple Wireless networks, which a user may use for guest clients.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ee ≫ 4gee Firmware Versionhh70_e1_02.00_19

Ee ≫ 4gee Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.221

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	8.3	6.5	10	AV:A/AC:L/Au:N/C:C/I:C/A:C

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://blog.jameshemmings.co.uk/2018/10/24/4gee-hh70-router-vulnerability-disclosure/

Third Party Advisory

Exploit

Mitigation

https://www.theregister.co.uk/2018/10/26/ee_4gee_hh70_ssh_backdoor/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-10532

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-10532

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-10532

EUVD