7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
75.5%
The Phillipine Long Distance Telephone (PLDT) company provides internet access in the Phillippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected.
PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contains multiple vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991
The form2WlanSetup.cgi
page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link when performs administrative actions such as changing the device’s network settings.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992
The form2WlanSetup.cgi
page contains an “ssid” parameter which is vulnerable to cross-site scripting.
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) - CVE-2015-5993
The form2ping.cgi
page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter “ipaddr” with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.
CWE-798: Use of Hard-coded Credentials
Both modems contain a hard-coded account named adminpldt
with a hard-coded password. For more information, please see VU#950576.
The reporter also states that the BaudTec (300Mbps WLAN ADSL2+ Router) with firmware version RNR4_A72T_PLD_0.19 may also be vulnerable to the above vulnerabilities.
The CVSS score below is based on CVE-2015-5991.
A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.
The CERT/CC is currently unaware of a practical solution to this problem.
525276
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: June 02, 2015 Updated: August 28, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C |
Temporal | 6.3 | E:POC/RL:U/RC:UR |
Environmental | 4.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-5991, CVE-2015-5992, CVE-2015-5993 |
---|---|
Date Public: | 2015-08-31 Date First Published: |