Find a vulnerability
Search criteria
3 vulnerabilities by teracue
VAR-201903-1260
Vulnerability from variot - Updated: 2024-11-23 23:04An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged. Teracue ENC-400 Device firmware contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. A security vulnerability exists in the Teracue ENC-400 due to the program's use of hardcoded authentication tokens.
Introduction
Multiple vulnerabilities were identified within the Teracue ENC-400, including pre-authenticated remote code authentication. While the vendor has released updated firmware after these issues were identified, they are not all resolved with the latest version of the firmware.
Product
The Teracue ENC-400 is accessible over an HTTP interface, which allows device configuration (including setting passwords or video stream destinations and servers). The vendor describes the device as follows: This HD/SD H.264 fanless video encoder is able to deliver multiple streams in multiple bitrates and protocols to multiple destinations. Note that the latest version of firmware, v2.57, does not adequately resolve all identified issues. Specific notes have been added to issues in the Technical Details section.
Technical Details
1) Command injection in login form
CVE-2018-20218
The login form passes user input directly to a shell command without any kind of escaping or validation. In the file /usr/share/www/check.lp:
!/usr/bin/env cgilua.cgi
<% local pass = cgilua.POST.password local com1 = os.execute("echo \'"..cgilua.POST.password.."\' | (su -c /bin/true)")
An attacker is able to perform command injection using the "password" parameter displayed on the login form.
- Resolution Status * While this instance of remote code execution has been resolved, the resolution does not protect the entire codebase. In /usr/share/www/web/system_password.lp: local oldpass = cgilua.POST.oldpass local newpass = cgilua.POST.newpass local com1=os.execute("echo '"..oldpass.."' | (su -c 'echo '"..oldpass.."' | (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')")
This allows an authenticated user to execute commands without knowing the existing password. This is particularly important given the insufficient resolution of CVE-2018-20219 (issue 2). In the file /usr/share/www/check.lp:
cookies.sethtml("AuthByPasswdENC400","Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==",{path='/'})
(Note: Line may be slightly different in different firmware versions, though the token is still the same). This results in an authentication bypass.
- Resolution Status * While this cookie is now dynamically generated, the latest code generates cookie values from the current time in seconds.
2) Missing authentication on sensitive endpoints
CVE-2018-20220
While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. The "/configuration.xml" file, for example, includes all information required to access a video stream, such as the IP and port information, and any encryption information if specified.
- Resolution Status * No verification was performed as to whether this issue was appropriately resolved, or whether other files may be left unprotected.
Disclosure Timeline
Attempts to contact vendor begin: August 30, 2018 Vendor contacted: September 7, 2018 Vendor acknowledges issues: October 23, 2018 Initial fixes released for testing: December 4, 2018 Response indicating insufficient fixes: December 4, 2018 Public firmware release: February 13, 2019
References
[1] https://www.teracue.com/en/iptv-products/encoding
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201903-1260",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "enc-400 hdmi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdmi2",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdsdi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi2_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdsdi_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Stephen Shkardoon",
"sources": [
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
}
],
"trust": 0.7
},
"cve": "CVE-2018-20219",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2018-20219",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-131003",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2018-20219",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-20219",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-20219",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201902-812",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-131003",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-20219",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged. Teracue ENC-400 Device firmware contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. A security vulnerability exists in the Teracue ENC-400 due to the program\u0027s use of hardcoded authentication tokens. \n\nIntroduction\n============\n\nMultiple vulnerabilities were identified within the Teracue ENC-400,\nincluding pre-authenticated remote code authentication. While the vendor\nhas released updated firmware after these issues were identified, they are\nnot all resolved with the latest version of the firmware. \n\nProduct\n=======\n\nThe Teracue ENC-400 is accessible over an HTTP interface, which allows\ndevice configuration (including setting passwords or video stream\ndestinations and servers). The vendor describes the device as follows:\nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams\nin multiple bitrates and protocols to multiple destinations. \nNote that the latest version of firmware, v2.57, does not adequately\nresolve all identified issues. Specific notes have been added to issues in\nthe Technical Details section. \n\n\nTechnical Details\n=================\n\n1) Command injection in login form\n----------------------------------\nCVE-2018-20218\n\nThe login form passes user input directly to a shell command without any\nkind of escaping or validation. \nIn the file /usr/share/www/check.lp:\n#!/usr/bin/env cgilua.cgi\n\u003c%\nlocal pass = cgilua.POST.password\nlocal com1 = os.execute(\"echo \\\u0027\"..cgilua.POST.password..\"\\\u0027 | (su -c\n/bin/true)\")\n\nAn attacker is able to perform command injection using the \"password\"\nparameter displayed on the login form. \n\n* Resolution Status *\nWhile this instance of remote code execution has been resolved, the\nresolution does not protect the entire codebase. \nIn /usr/share/www/web/system_password.lp:\nlocal oldpass = cgilua.POST.oldpass\nlocal newpass = cgilua.POST.newpass\nlocal com1=os.execute(\"echo \u0027\"..oldpass..\"\u0027 | (su -c \u0027echo \u0027\"..oldpass..\"\u0027\n| (su root -c \u0027/bin/true\u0027) \u003e /dev/null 2\u003e\u00261 ; echo $?\u0027)\")\n\nThis allows an authenticated user to execute commands without knowing the\nexisting password. This is particularly important given the insufficient\nresolution of CVE-2018-20219 (issue 2). \nIn the file /usr/share/www/check.lp:\n\ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path=\u0027/\u0027})\n\n(Note: Line may be slightly different in different firmware versions,\nthough the token is still the same). \nThis results in an authentication bypass. \n\n* Resolution Status *\nWhile this cookie is now dynamically generated, the latest code generates\ncookie values from the current time in seconds. \n\n2) Missing authentication on sensitive endpoints\n---------------------------------------------------------------------------------\nCVE-2018-20220\n\nWhile the web interface requires authentication before it can be interacted\nwith, a large portion of the HTTP endpoints are missing authentication. \nThe \"/configuration.xml\" file, for example, includes all information\nrequired to access a video stream, such as the IP and port information, and\nany encryption information if specified. \n\n* Resolution Status *\nNo verification was performed as to whether this issue was appropriately\nresolved, or whether other files may be left unprotected. \n\n\nDisclosure Timeline\n===================\n\nAttempts to contact vendor begin: August 30, 2018\nVendor contacted: September 7, 2018\nVendor acknowledges issues: October 23, 2018\nInitial fixes released for testing: December 4, 2018\nResponse indicating insufficient fixes: December 4, 2018\nPublic firmware release: February 13, 2019\n\nReferences\n==========\n\n[1] https://www.teracue.com/en/iptv-products/encoding\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-20219"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"db": "PACKETSTORM",
"id": "151802"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=46451",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-20219"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-20219",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "151802",
"trust": 2.7
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812",
"trust": 0.7
},
{
"db": "EXPLOIT-DB",
"id": "46451",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-131003",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-20219",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"id": "VAR-201903-1260",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-131003"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T23:04:49.412000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Encoding",
"trust": 0.8,
"url": "https://www.teracue.com/en/iptv-products/encoding"
},
{
"title": "Teracue ENC-400 Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89605"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "http://packetstormsecurity.com/files/151802/teracue-enc-400-command-injection-missing-authentication.html"
},
{
"trust": 1.9,
"url": "http://seclists.org/fulldisclosure/2019/feb/48"
},
{
"trust": 1.8,
"url": "https://zxsecurity.co.nz/research.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20219"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-20219"
},
{
"trust": 0.7,
"url": "https://www.exploit-db.com/exploits/46451"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.teracue.com/en/iptv-products/encoding"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20220"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-131003"
},
{
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-21T00:00:00",
"db": "VULHUB",
"id": "VHN-131003"
},
{
"date": "2019-03-21T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"date": "2019-02-20T23:02:22",
"db": "PACKETSTORM",
"id": "151802"
},
{
"date": "2019-02-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"date": "2019-03-21T16:00:35.313000",
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-25T00:00:00",
"db": "VULHUB",
"id": "VHN-131003"
},
{
"date": "2019-03-25T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20219"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015073"
},
{
"date": "2019-04-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-812"
},
{
"date": "2024-11-21T04:01:06.427000",
"db": "NVD",
"id": "CVE-2018-20219"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Teracue ENC-400 Vulnerabilities related to the use of hard-coded credentials in device firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015073"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-812"
}
],
"trust": 0.6
}
}
VAR-201903-1261
Vulnerability from variot - Updated: 2024-11-23 23:04An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information. Teracue ENC-400 There is an authentication vulnerability in the device firmware.Information may be obtained. Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany.
Introduction
Multiple vulnerabilities were identified within the Teracue ENC-400, including pre-authenticated remote code authentication. While the vendor has released updated firmware after these issues were identified, they are not all resolved with the latest version of the firmware.
Product
The Teracue ENC-400 is accessible over an HTTP interface, which allows device configuration (including setting passwords or video stream destinations and servers). The vendor describes the device as follows: This HD/SD H.264 fanless video encoder is able to deliver multiple streams in multiple bitrates and protocols to multiple destinations. Note that the latest version of firmware, v2.57, does not adequately resolve all identified issues. Specific notes have been added to issues in the Technical Details section.
Technical Details
1) Command injection in login form
CVE-2018-20218
The login form passes user input directly to a shell command without any kind of escaping or validation. In the file /usr/share/www/check.lp:
!/usr/bin/env cgilua.cgi
<% local pass = cgilua.POST.password local com1 = os.execute("echo \'"..cgilua.POST.password.."\' | (su -c /bin/true)")
An attacker is able to perform command injection using the "password" parameter displayed on the login form. An example "password" to bypass this authentication would be: f' > /dev/null #
It is also possible for an attacker to simply execute code directly on the server.
- Resolution Status * While this instance of remote code execution has been resolved, the resolution does not protect the entire codebase. In /usr/share/www/web/system_password.lp: local oldpass = cgilua.POST.oldpass local newpass = cgilua.POST.newpass local com1=os.execute("echo '"..oldpass.."' | (su -c 'echo '"..oldpass.."' | (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')")
This allows an authenticated user to execute commands without knowing the existing password. This is particularly important given the insufficient resolution of CVE-2018-20219 (issue 2).
2) Hard-coded authentication token
CVE-2018-20219
After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hardcoded to a string in the source code. In the file /usr/share/www/check.lp:
cookies.sethtml("AuthByPasswdENC400","Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==",{path='/'})
(Note: Line may be slightly different in different firmware versions, though the token is still the same).
By simply setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password. Even if a user changes the password on the device, this token is static and unchanged. This results in an authentication bypass.
- Resolution Status * While this cookie is now dynamically generated, the latest code generates cookie values from the current time in seconds. In the file /usr/share/www/check.lp: math.randomseed(os.time()) local cookie_value=RandomVariable(30)
An attacker is able to trivially bypass authentication simply by knowing the approximate time of the last successful authentication. The "/configuration.xml" file, for example, includes all information required to access a video stream, such as the IP and port information, and any encryption information if specified.
- Resolution Status * No verification was performed as to whether this issue was appropriately resolved, or whether other files may be left unprotected.
Disclosure Timeline
Attempts to contact vendor begin: August 30, 2018 Vendor contacted: September 7, 2018 Vendor acknowledges issues: October 23, 2018 Initial fixes released for testing: December 4, 2018 Response indicating insufficient fixes: December 4, 2018 Public firmware release: February 13, 2019
References
[1] https://www.teracue.com/en/iptv-products/encoding
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201903-1261",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "enc-400 hdmi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdmi2",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdsdi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi2_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdsdi_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Stephen Shkardoon",
"sources": [
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
}
],
"trust": 0.7
},
"cve": "CVE-2018-20220",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-20220",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-131005",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-20220",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-20220",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-20220",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201902-811",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-131005",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-20220",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information. Teracue ENC-400 There is an authentication vulnerability in the device firmware.Information may be obtained. Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. \n\nIntroduction\n============\n\nMultiple vulnerabilities were identified within the Teracue ENC-400,\nincluding pre-authenticated remote code authentication. While the vendor\nhas released updated firmware after these issues were identified, they are\nnot all resolved with the latest version of the firmware. \n\nProduct\n=======\n\nThe Teracue ENC-400 is accessible over an HTTP interface, which allows\ndevice configuration (including setting passwords or video stream\ndestinations and servers). The vendor describes the device as follows:\nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams\nin multiple bitrates and protocols to multiple destinations. \nNote that the latest version of firmware, v2.57, does not adequately\nresolve all identified issues. Specific notes have been added to issues in\nthe Technical Details section. \n\n\nTechnical Details\n=================\n\n1) Command injection in login form\n----------------------------------\nCVE-2018-20218\n\nThe login form passes user input directly to a shell command without any\nkind of escaping or validation. \nIn the file /usr/share/www/check.lp:\n#!/usr/bin/env cgilua.cgi\n\u003c%\nlocal pass = cgilua.POST.password\nlocal com1 = os.execute(\"echo \\\u0027\"..cgilua.POST.password..\"\\\u0027 | (su -c\n/bin/true)\")\n\nAn attacker is able to perform command injection using the \"password\"\nparameter displayed on the login form. An example \"password\" to bypass this\nauthentication would be:\nf\u0027 \u003e /dev/null #\n\nIt is also possible for an attacker to simply execute code directly on the\nserver. \n\n* Resolution Status *\nWhile this instance of remote code execution has been resolved, the\nresolution does not protect the entire codebase. \nIn /usr/share/www/web/system_password.lp:\nlocal oldpass = cgilua.POST.oldpass\nlocal newpass = cgilua.POST.newpass\nlocal com1=os.execute(\"echo \u0027\"..oldpass..\"\u0027 | (su -c \u0027echo \u0027\"..oldpass..\"\u0027\n| (su root -c \u0027/bin/true\u0027) \u003e /dev/null 2\u003e\u00261 ; echo $?\u0027)\")\n\nThis allows an authenticated user to execute commands without knowing the\nexisting password. This is particularly important given the insufficient\nresolution of CVE-2018-20219 (issue 2). \n\n2) Hard-coded authentication token\n----------------------------------\nCVE-2018-20219\n\nAfter successful authentication, the device sends an authentication cookie\nto the end user such that they can access the devices web administration\npanel. This token is hardcoded to a string in the source code. \nIn the file /usr/share/www/check.lp:\n\ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path=\u0027/\u0027})\n\n(Note: Line may be slightly different in different firmware versions,\nthough the token is still the same). \n\nBy simply setting this cookie in a browser, an attacker is able to maintain\naccess to every ENC-400 device without knowing the password. Even if a user\nchanges the password on the device, this token is static and unchanged. \nThis results in an authentication bypass. \n\n* Resolution Status *\nWhile this cookie is now dynamically generated, the latest code generates\ncookie values from the current time in seconds. \nIn the file /usr/share/www/check.lp:\nmath.randomseed(os.time())\nlocal cookie_value=RandomVariable(30)\n\nAn attacker is able to trivially bypass authentication simply by knowing\nthe approximate time of the last successful authentication. \nThe \"/configuration.xml\" file, for example, includes all information\nrequired to access a video stream, such as the IP and port information, and\nany encryption information if specified. \n\n* Resolution Status *\nNo verification was performed as to whether this issue was appropriately\nresolved, or whether other files may be left unprotected. \n\n\nDisclosure Timeline\n===================\n\nAttempts to contact vendor begin: August 30, 2018\nVendor contacted: September 7, 2018\nVendor acknowledges issues: October 23, 2018\nInitial fixes released for testing: December 4, 2018\nResponse indicating insufficient fixes: December 4, 2018\nPublic firmware release: February 13, 2019\n\nReferences\n==========\n\n[1] https://www.teracue.com/en/iptv-products/encoding\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-20220"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"db": "PACKETSTORM",
"id": "151802"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=46451",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-20220"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-20220",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "151802",
"trust": 2.7
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811",
"trust": 0.7
},
{
"db": "EXPLOIT-DB",
"id": "46451",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-131005",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-20220",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"id": "VAR-201903-1261",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-131005"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T23:04:49.379000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Encoding",
"trust": 0.8,
"url": "https://www.teracue.com/en/iptv-products/encoding"
},
{
"title": "Teracue ENC-400 Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89604"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-306",
"trust": 1.1
},
{
"problemtype": "CWE-287",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "http://packetstormsecurity.com/files/151802/teracue-enc-400-command-injection-missing-authentication.html"
},
{
"trust": 1.9,
"url": "http://seclists.org/fulldisclosure/2019/feb/48"
},
{
"trust": 1.8,
"url": "https://zxsecurity.co.nz/research.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20220"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-20220"
},
{
"trust": 0.7,
"url": "https://www.exploit-db.com/exploits/46451"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.teracue.com/en/iptv-products/encoding"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20219"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-131005"
},
{
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"db": "PACKETSTORM",
"id": "151802"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-21T00:00:00",
"db": "VULHUB",
"id": "VHN-131005"
},
{
"date": "2019-03-21T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"date": "2019-02-20T23:02:22",
"db": "PACKETSTORM",
"id": "151802"
},
{
"date": "2019-02-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"date": "2019-03-21T16:00:35.407000",
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-131005"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20220"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015072"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-811"
},
{
"date": "2024-11-21T04:01:06.570000",
"db": "NVD",
"id": "CVE-2018-20220"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Teracue ENC-400 Authentication vulnerabilities in device firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015072"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-811"
}
],
"trust": 0.6
}
}
VAR-201903-1259
Vulnerability from variot - Updated: 2024-11-23 23:04An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. The login form passes user input directly to a shell command without any kind of escaping or validation in /usr/share/www/check.lp file. An attacker is able to perform command injection using the "password" parameter in the login form. Teracue ENC-400 The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. An attacker could exploit this vulnerability to execute code
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201903-1259",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "enc-400 hdmi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdmi2",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400 hdsdi",
"scope": "lte",
"trust": 1.8,
"vendor": "teracue",
"version": "2.56"
},
{
"model": "enc-400",
"scope": null,
"trust": 0.6,
"vendor": "teracue",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdmi2_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:teracue:enc-400_hdsdi_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Stephen Shkardoon",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
}
],
"trust": 0.6
},
"cve": "CVE-2018-20218",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2018-20218",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-05289",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-131002",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-20218",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-20218",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-20218",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2019-05289",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201902-888",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-131002",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-20218",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. The login form passes user input directly to a shell command without any kind of escaping or validation in /usr/share/www/check.lp file. An attacker is able to perform command injection using the \"password\" parameter in the login form. Teracue ENC-400 The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. An attacker could exploit this vulnerability to execute code",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-20218"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "VULMON",
"id": "CVE-2018-20218"
}
],
"trust": 2.34
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=46451",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-20218"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-20218",
"trust": 3.2
},
{
"db": "EXPLOIT-DB",
"id": "46451",
"trust": 1.3
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-05289",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-131002",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-20218",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"id": "VAR-201903-1259",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
}
]
},
"last_update_date": "2024-11-23T23:04:49.345000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Encoding",
"trust": 0.8,
"url": "https://www.teracue.com/en/iptv-products/encoding"
},
{
"title": "Teracue ENC-400 command injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/154477"
},
{
"title": "Teracue ENC-400 Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89638"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.7,
"url": "http://seclists.org/fulldisclosure/2019/feb/48"
},
{
"trust": 1.8,
"url": "https://zxsecurity.co.nz/research.html"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20218"
},
{
"trust": 1.3,
"url": "https://www.exploit-db.com/exploits/46451"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-20218"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"db": "VULHUB",
"id": "VHN-131002"
},
{
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-02-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"date": "2019-03-21T00:00:00",
"db": "VULHUB",
"id": "VHN-131002"
},
{
"date": "2019-03-21T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"date": "2019-02-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"date": "2019-03-21T16:00:35.250000",
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-02-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-05289"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULHUB",
"id": "VHN-131002"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-20218"
},
{
"date": "2019-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015074"
},
{
"date": "2020-05-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-888"
},
{
"date": "2024-11-21T04:01:06.283000",
"db": "NVD",
"id": "CVE-2018-20218"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Teracue ENC-400 Command injection vulnerability in device firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015074"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-888"
}
],
"trust": 0.6
}
}