Vulnerability-Lookup

CNVD-2019-30714

Vulnerability from cnvd - Published: 2019-09-06

Title

ASUS SmartHome Gateway HG100拒绝服务漏洞

Description

ASUS SmartHome Gateway HG100是中国台湾华硕（ASUS）公司的一款智能家居中央控制网关设备。使用1.05.12及之前版本固件的ASUS SmartHome Gateway HG100中的8080端口上的web api服务器存在安全漏洞。攻击者可利用该漏洞造成拒绝服务。

Severity

高

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.asus.com

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-11060 https://www.exploit-db.com/exploits/46720

Impacted products

Name
ASUS ASUS SmartHome Gateway HG100 <=1.05.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11060"
    }
  },
  "description": "ASUS SmartHome Gateway HG100\u662f\u4e2d\u56fd\u53f0\u6e7e\u534e\u7855\uff08ASUS\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u667a\u80fd\u5bb6\u5c45\u4e2d\u592e\u63a7\u5236\u7f51\u5173\u8bbe\u5907\u3002\n\n\u4f7f\u75281.05.12\u53ca\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684ASUS SmartHome Gateway HG100\u4e2d\u76848080\u7aef\u53e3\u4e0a\u7684web api\u670d\u52a1\u5668\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "YinT Wang",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.asus.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-30714",
  "openTime": "2019-09-06",
  "products": {
    "product": "ASUS ASUS SmartHome Gateway HG100 \u003c=1.05.12"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-11060\r\nhttps://www.exploit-db.com/exploits/46720",
  "serverity": "\u9ad8",
  "submitTime": "2019-09-05",
  "title": "ASUS SmartHome Gateway HG100\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2019-11060 (GCVE-0-2019-11060)

Vulnerability from cvelistv5 – Published: 2019-08-29 00:19 – Updated: 2024-09-16 17:49

Title

HG100 contains an Uncontrolled Resource Consumption vulnerability

Summary

The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

Severity

7.4 (High)


                        
                          CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

twcert

References

3 references

URL	Tags
https://tvn.twcert.org.tw/taiwanvn/TVN-201906002	x_refsource_CONFIRM
http://surl.twcert.org.tw/aarVJ	x_refsource_CONFIRM
https://www.exploit-db.com/exploits/46720	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
ASUS	HG100 firmware	Affected: up to 1.05.12

Date Public

2019-08-20 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:40:16.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906002"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://surl.twcert.org.tw/aarVJ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/46720"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HG100 firmware",
          "vendor": "ASUS",
          "versions": [
            {
              "status": "affected",
              "version": "up to 1.05.12"
            }
          ]
        }
      ],
      "datePublic": "2019-08-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-04T12:12:21.000Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906002"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://surl.twcert.org.tw/aarVJ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.exploit-db.com/exploits/46720"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HG100 contains an Uncontrolled Resource Consumption vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@cert.org.tw",
          "DATE_PUBLIC": "2019-08-20T16:00:00.000Z",
          "ID": "CVE-2019-11060",
          "STATE": "PUBLIC",
          "TITLE": "HG100 contains an Uncontrolled Resource Consumption vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HG100 firmware",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "up to 1.05.12"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ASUS"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906002",
              "refsource": "CONFIRM",
              "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906002"
            },
            {
              "name": "http://surl.twcert.org.tw/aarVJ",
              "refsource": "CONFIRM",
              "url": "http://surl.twcert.org.tw/aarVJ"
            },
            {
              "name": "https://www.exploit-db.com/exploits/46720",
              "refsource": "CONFIRM",
              "url": "https://www.exploit-db.com/exploits/46720"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2019-11060",
    "datePublished": "2019-08-29T00:19:45.655Z",
    "dateReserved": "2019-04-09T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:49:18.209Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-30714

CVE-2019-11060 (GCVE-0-2019-11060)

Tags

Sightings

Nomenclature