9.1
CVE-2019-15803
- EPSS 0.38%
- Veröffentlicht 14.11.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:29:29
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Through an undocumented sequence of keypresses, undocumented functionality is triggered. A diagnostics shell is triggered via CTRL-ALT-t, which prompts for the password returned by fds_sys_passDebugPasswd_ret(). The firmware contains access control checks that determine if remote users are allowed to access this functionality. The function that performs this check (fds_sys_remoteDebugEnable_ret in libfds.so) always return TRUE with no actual checks performed. The diagnostics menu allows for reading/writing arbitrary registers and various other configuration parameters which are believed to be related to the network interface chips.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zyxel ≫ Gs1900-8 Firmware Version < 2.50\(aahh.0\)c0
Zyxel ≫ Gs1900-8hp Firmware Version < 2.50\(aahi.0\)c0
Zyxel ≫ Gs1900-10hp Firmware Version < 2.50\(aazi.0\)c0
Zyxel ≫ Gs1900-16 Firmware Version < 2.50\(aahj.0\)c0
Zyxel ≫ Gs1900-24e Firmware Version < 2.50\(aahk.0\)c0
Zyxel ≫ Gs1900-24 Firmware Version < 2.50\(aahl.0\)c0
Zyxel ≫ Gs1900-24hp Firmware Version < 2.50\(aahm.0\)c0
Zyxel ≫ Gs1900-48 Firmware Version < 2.50\(aahn.0\)c0
Zyxel ≫ Gs1900-48hp Firmware Version < 2.50\(aaho.0\)c0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.562 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| nvd@nist.gov | 6.4 | 10 | 4.9 |
AV:N/AC:L/Au:N/C:P/I:P/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.