CVE-2018-10578 (GCVE-0-2018-10578)

Vulnerability from cvelistv5 – Published: 2018-05-02 21:00 – Updated: 2024-08-05 07:39

Summary

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the "old password" field in the change password form allows an attacker to bypass validation of this field.

Severity

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

1 reference

URL	Tags
http://seclists.org/fulldisclosure/2018/May/12	mailing-listx_refsource_FULLDISC

Date Public

2018-05-01 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:08.396Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-05-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-02T20:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/May/12"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10578",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10578",
    "datePublished": "2018-05-02T21:00:00.000Z",
    "dateReserved": "2018-04-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T07:39:08.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-10578",
      "date": "2026-06-03",
      "epss": "0.00411",
      "percentile": "0.61726"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-10578\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-05-02T21:29:01.043\",\"lastModified\":\"2024-11-21T03:41:35.967\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \\\"old password\\\" field in the change password form allows an attacker to bypass validation of this field.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15 y en los dispositivos AP300 con firmware en versiones anteriores a la 2.0.0.10. La validaci\u00f3n del campo \\\"old password\\\" en el formulario de cambio de contrase\u00f1a permite que un atacante omita la validaci\u00f3n de este campo.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"263A0D62-FCC4-4374-8E2F-1393140D68B0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C6FA1D0-016C-4B73-9BC4-83848A1A6D04\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"FA60491C-1B5B-4E23-B27D-4285E3F71E99\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E009741-C76C-49F3-83A4-4BB17D1A9510\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"428B2A59-5F74-4685-B6A9-F0CC9AFEE949\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8379C407-E7DC-4193-9BD0-5BAE24E637B8\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap300_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.0.0.10\",\"matchCriteriaId\":\"3B830CD7-1683-4C41-9B61-5ED8237EA46C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"473F5A2F-00B4-4D6E-9E4F-F81B7018DA60\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2018-15405

Vulnerability from cnvd - Published: 2018-08-15

Title

WatchGuard AP100、AP102和AP200安全绕过漏洞

Description

WatchGuard AP100、AP102和AP200都是美国WatchGuard公司的不同系列的室内无线接入点设备。 WatchGuard AP100、AP102和AP200、AP300中存在安全漏洞，该漏洞源于程序未能正确的校验密码更改表格中的‘old password’字段。攻击者可利用该漏洞绕过对该字段的安全检查。

Severity

高

Patch Name

WatchGuard AP100、AP102和AP200安全绕过漏洞的补丁

Patch Description

WatchGuard AP100、AP102和AP200都是美国WatchGuard公司的不同系列的室内无线接入点设备。 WatchGuard AP100、AP102和AP200中存在安全漏洞，该漏洞源于程序未能正确的校验密码更改表格中的‘old password’字段。攻击者可利用该漏洞绕过对该字段的安全检查。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Reference

http://seclists.org/fulldisclosure/2018/May/12

Impacted products

Name
['WatchGuard AP100 <1.2.9.15', 'WatchGuard AP200 <1.2.9.15', 'WatchGuard AP102 <1.2.9.15', 'WatchGuard AP300 <2.0.0.10']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10578"
    }
  },
  "description": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\nWatchGuard AP100\u3001AP102\u548cAP200\u3001AP300\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u6821\u9a8c\u5bc6\u7801\u66f4\u6539\u8868\u683c\u4e2d\u7684\u2018old password\u2019\u5b57\u6bb5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5bf9\u8be5\u5b57\u6bb5\u7684\u5b89\u5168\u68c0\u67e5\u3002",
  "discovererName": "Unknow",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-15405",
  "openTime": "2018-08-15",
  "patchDescription": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\nWatchGuard AP100\u3001AP102\u548cAP200\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u6821\u9a8c\u5bc6\u7801\u66f4\u6539\u8868\u683c\u4e2d\u7684\u2018old password\u2019\u5b57\u6bb5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5bf9\u8be5\u5b57\u6bb5\u7684\u5b89\u5168\u68c0\u67e5\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WatchGuard AP100\u3001AP102\u548cAP200\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WatchGuard   AP100 \u003c1.2.9.15",
      "WatchGuard   AP200 \u003c1.2.9.15",
      "WatchGuard   AP102 \u003c1.2.9.15",
      "WatchGuard   AP300 \u003c2.0.0.10"
    ]
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2018/May/12",
  "serverity": "\u9ad8",
  "submitTime": "2018-05-22",
  "title": "WatchGuard AP100\u3001AP102\u548cAP200\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

FKIE_CVE-2018-10578

Vulnerability from fkie_nvd - Published: 2018-05-02 21:29 - Updated: 2024-11-21 03:41

Severity

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cve@mitre.org	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
watchguard	ap200_firmware	*
watchguard	ap200	-
watchguard	ap102_firmware	*
watchguard	ap102	-
watchguard	ap100_firmware	*
watchguard	ap100	-
watchguard	ap300_firmware	*
watchguard	ap300	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "263A0D62-FCC4-4374-8E2F-1393140D68B0",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C6FA1D0-016C-4B73-9BC4-83848A1A6D04",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA60491C-1B5B-4E23-B27D-4285E3F71E99",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E009741-C76C-49F3-83A4-4BB17D1A9510",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "428B2A59-5F74-4685-B6A9-F0CC9AFEE949",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8379C407-E7DC-4193-9BD0-5BAE24E637B8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap300_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B830CD7-1683-4C41-9B61-5ED8237EA46C",
              "versionEndExcluding": "2.0.0.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap300:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "473F5A2F-00B4-4D6E-9E4F-F81B7018DA60",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15 y en los dispositivos AP300 con firmware en versiones anteriores a la 2.0.0.10. La validaci\u00f3n del campo \"old password\" en el formulario de cambio de contrase\u00f1a permite que un atacante omita la validaci\u00f3n de este campo."
    }
  ],
  "id": "CVE-2018-10578",
  "lastModified": "2024-11-21T03:41:35.967",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-05-02T21:29:01.043",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-F6CF-FHX2-354V

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2022-05-14 03:19

Details

Severity

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-10578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-02T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field.",
  "id": "GHSA-f6cf-fhx2-354v",
  "modified": "2022-05-14T03:19:00Z",
  "published": "2022-05-14T03:19:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10578"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2018-10578

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-10578

Aliases

CVE-2018-10578

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-10578",
    "description": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field.",
    "id": "GSD-2018-10578",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-10578"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-10578"
      ],
      "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field.",
      "id": "GSD-2018-10578",
      "modified": "2023-12-13T01:22:40.712609Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-10578",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap300_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "2.0.0.10",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap300:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10578"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-06-13T14:09Z",
      "publishedDate": "2018-05-02T21:29Z"
    }
  }
}

VAR-201805-0245

Vulnerability from variot - Updated: 2024-11-23 21:39

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the "old password" field in the change password form allows an attacker to bypass validation of this field. plural WatchGuard The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, AP200, and AP300. Introduction

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution.

The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues.

ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including: * AP100 * AP102 * AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10.

The latest firmware update resolves these issues.

Technical Details

1) Hard-coded credentials

CVE-2018-10575

A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.

2) Hidden authentication method in web interface allows for authentication bypass

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby setting the HTTP headers AUTH_USER and AUTH_PASS, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hard-coded credentials) to gain web access to the device. An example command that demonstrates this issue is: curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session. An example request to demonstrate this issue is: res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-bin/luci/;#{stok}/wgupload", 'headers' => { 'AUTH_USER' => 'admin', 'AUTH_PASS' => '[REDACTED]', }, 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail", 'data' => "#!/usr/bin/lua os.execute('touch /code-execution'); })

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command). An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May the 14th 2018.

Disclosure Timeline

Vendor notification: April 04, 2018 Vendor response: April 06, 2018 Firmware update released to public: April 13, 2018 Metasploit module release: May 14, 2018

References

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy [2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201805-0245",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ap100",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap200",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap102",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap300",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "2.0.0.10"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:watchguard:ap100_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap102_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap200_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap300_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stephen Shkardoon",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-10578",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-10578",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-15405",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-10578",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-10578",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-10578",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-15405",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-094",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the \"old password\" field in the change password form allows an attacker to bypass validation of this field. plural WatchGuard The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, AP200, and AP300. Introduction\n============\n\nMultiple vulnerabilities can be chained together in a number of\nWatchGuard AP products which result in pre-authenticated remote code\nexecution. \n\nThe vendor has produced a knowledge-base article[1] and\nannouncement[2] regarding these issues. \n\nZX Security would like to commend the prompt response and resolution\nof these reported issues by the vendor. \n\nProduct\n=======\n\nSeveral WatchGuard Access Points running firmware before v1.2.9.15 are\naffected, including:\n* AP100\n* AP102\n* AP200\n\nThe AP300 is also affected by issues 2, 3 and 4 when running firmware\nbefore 2.0.0.10. \n\nThe latest firmware update resolves these issues. \n\nTechnical Details\n=================\n\n1) Hard-coded credentials\n-------------------------\nCVE-2018-10575\n\nA hard-coded user exists in /etc/passwd. The vendor has requested the\nspecific password and hash be withheld until users can apply the\npatch. \nThere is no way for a user of the access point to change this\npassword. An attacker who is aware of this password is able to access\nthe device over SSH and pivot network requests through the device,\nthough they may not run commands as the shell is set to /bin/false. \n\n2) Hidden authentication method in web interface allows for\nauthentication bypass\n---------------------------------------------------------------------------------\nCVE-2018-10576\n\nThe standard authentication method for accessing the webserver\ninvolves submitting an HTML form. This uses a username and password\nseparate from the standard Linux based /etc/passwd authentication. \nAn alternative authentication method was identified from reviewing the\nsource code whereby setting the HTTP headers AUTH_USER and AUTH_PASS,\ncredentials are instead tested against the standard Linux /etc/passwd\nfile. This allows an attacker to use the hardcoded credentials found\npreviously (see 1. Hard-coded credentials) to gain web access to the\ndevice. \nAn example command that demonstrates this issue is:\n        curl https://watchguard-ap200/cgi-bin/luci -H \"AUTH_USER:\nadmin\" -H \"AUTH_PASS: [REDACTED]\" -k -v\n\nThis session allows for complete access to the web interface as an\nadministrator. \n\n3) Hidden \"wgupload\" functionality allows for file uploads as root and\nremote code execution\n--------------------------------------------------------------------------------------------\nCVE-2018-10577\n\nReviewing the code reveals file upload functionality that is not shown\nto the user via the web interface. An attacker needs only a serial\nnumber (which is displayed to the user when they login to the device\nthrough the standard web interface and can be retrieved\nprogrammatically) and a valid session. \nAn example request to demonstrate this issue is:\n    res = send_request_cgi({\n        \u0027method\u0027    =\u003e \u0027POST\u0027,\n        \u0027uri\u0027       =\u003e \"/cgi-bin/luci/;#{stok}/wgupload\",\n        \u0027headers\u0027 =\u003e {\n          \u0027AUTH_USER\u0027 =\u003e \u0027admin\u0027,\n          \u0027AUTH_PASS\u0027 =\u003e \u0027[REDACTED]\u0027,\n        },\n        \u0027cookie\u0027    =\u003e \"#{sysauth}; serial=#{serial};\nfilename=/www/cgi-bin/payload.luci; md5sum=fail\",\n        \u0027data\u0027     =\u003e \"#!/usr/bin/lua\nos.execute(\u0027touch /code-execution\u0027);\n      })\n\nAn attacker can then visit the URL\nhttp://watchguard-ap200/cgi-bin/payload.luci to execute this command\n(or any other command). An attacker is able to simply modify the JavaScript\nto avoid this check or perform the POST request manually. \n\nMetasploit Module\n=================\n\nZX Security will be releasing a Metasploit module which automates\nexploitation of this chain of vulnerabilities. This has been delayed\ntill 30 days after the initial patch was made available to ensure\nusers are able to patch their devices. \nThe module and the hard-coded password will be released on May the 14th 2018. \n\nDisclosure Timeline\n===================\n\nVendor notification: April 04, 2018\nVendor response: April 06, 2018\nFirmware update released to public: April 13, 2018\nMetasploit module release: May 14, 2018\n\nReferences\n==========\n\n[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\n[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-10578",
        "trust": 3.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "147468",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "id": "VAR-201805-0245",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      }
    ],
    "trust": 0.8766217999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:39:05.433000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "New Firmware Available for AP100/AP102/AP200/AP300 with Security Vulnerability Fixes",
        "trust": 0.8,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "title": "Article ID :000011351",
        "trust": 0.8,
        "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
      },
      {
        "title": "WatchGuardAP100, AP102, and AP200 security bypass vulnerability patches",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/137443"
      },
      {
        "title": "WatchGuard AP100 , AP102  and AP200 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79829"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.2,
        "url": "http://seclists.org/fulldisclosure/2018/may/12"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10578"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10578"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10577"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10576"
      },
      {
        "trust": 0.1,
        "url": "http://watchguard-ap200/cgi-bin/payload.luci"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10575"
      },
      {
        "trust": 0.1,
        "url": "https://watchguard-ap200/cgi-bin/luci"
      },
      {
        "trust": 0.1,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "trust": 0.1,
        "url": "https://watchguardsupport.secure.force.com/publickb?type=kbsecurityissues\u0026sfdcid=ka62a0000000liy"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-08-15T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "date": "2018-06-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "date": "2018-05-03T00:01:32",
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "date": "2018-05-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "date": "2018-05-02T21:29:01.043000",
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-08-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-15405"
      },
      {
        "date": "2018-06-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      },
      {
        "date": "2018-05-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      },
      {
        "date": "2024-11-21T03:41:35.967000",
        "db": "NVD",
        "id": "CVE-2018-10578"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  WatchGuard Vulnerability related to input validation in products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004918"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-094"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-10578 (GCVE-0-2018-10578)

CNVD-2018-15405

FKIE_CVE-2018-10578

GHSA-F6CF-FHX2-354V

GSD-2018-10578

VAR-201805-0245

Product

Technical Details

1) Hard-coded credentials

Metasploit Module

Disclosure Timeline

References

Tags

Sightings

Nomenclature