← Back to CVEs
CVE-2019-13140
MEDIUM6.5
Description
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.
CVE Details
CVSS v3.1 Score6.5
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published9/16/2019
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
intenogroup:eg200intenogroup:eg200_firmware
Weaknesses (CWE)
CWE-552
References
http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html(cve@mitre.org)
https://twitter.com/GerardFuguet/status/1169298861782896642(cve@mitre.org)
https://www.exploit-db.com/docs/47397(cve@mitre.org)
https://www.exploit-db.com/exploits/47390(cve@mitre.org)
http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html(af854a3a-2127-422b-91ae-364da2661108)
https://twitter.com/GerardFuguet/status/1169298861782896642(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/docs/47397(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/47390(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.