CVE-2018-10575 (GCVE-0-2018-10575)

Vulnerability from cvelistv5 – Published: 2018-04-30 22:00 – Updated: 2024-08-05 07:39

Summary

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

Severity

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

4 references

URL	Tags
https://www.watchguard.com/wgrd-blog/new-firmware…	x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2018/May/12	mailing-listx_refsource_FULLDISC
https://www.exploit-db.com/exploits/45409/	exploitx_refsource_EXPLOIT-DB
https://watchguardsupport.secure.force.com/public…	x_refsource_CONFIRM

Date Public

2018-04-30 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:08.065Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
          },
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          },
          {
            "name": "45409",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45409/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-04-30T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-09-16T09:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
        },
        {
          "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/May/12"
        },
        {
          "name": "45409",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45409/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10575",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
              "refsource": "CONFIRM",
              "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
            },
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            },
            {
              "name": "45409",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45409/"
            },
            {
              "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
              "refsource": "CONFIRM",
              "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10575",
    "datePublished": "2018-04-30T22:00:00.000Z",
    "dateReserved": "2018-04-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T07:39:08.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-10575",
      "date": "2026-06-04",
      "epss": "0.11206",
      "percentile": "0.93644"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-10575\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-04-30T22:29:00.310\",\"lastModified\":\"2024-11-21T03:41:35.507\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15. Existen credenciales embebidas para una cuenta SSH no privilegiada con un shell de /bin/false.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"263A0D62-FCC4-4374-8E2F-1393140D68B0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C6FA1D0-016C-4B73-9BC4-83848A1A6D04\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"FA60491C-1B5B-4E23-B27D-4285E3F71E99\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E009741-C76C-49F3-83A4-4BB17D1A9510\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"428B2A59-5F74-4685-B6A9-F0CC9AFEE949\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8379C407-E7DC-4193-9BD0-5BAE24E637B8\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/45409/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/45409/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2018-10147

Vulnerability from cnvd - Published: 2018-05-23

Title

WatchGuard AP100、AP102和AP200硬编码凭据漏洞

Description

WatchGuard AP100、AP102和AP200都是美国WatchGuard公司的不同系列的室内无线接入点设备。使用1.2.9.15之前版本固件的WatchGuard AP100、AP102和AP200中存在安全漏洞，该漏洞源于程序使用了硬编码凭证。攻击者可利用该漏洞获取AP设备的访问权限。

Severity

中

Patch Name

WatchGuard AP100、AP102和AP200硬编码凭据漏洞的补丁

Patch Description

WatchGuard AP100、AP102和AP200都是美国WatchGuard公司的不同系列的室内无线接入点设备。使用1.2.9.15之前版本固件的WatchGuard AP100、AP102和AP200中存在安全漏洞，该漏洞源于程序使用了硬编码凭证。攻击者可利用该漏洞获取AP设备的访问权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Reference

https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Impacted products

Name
['WatchGuard AP100 <1.2.9.15', 'WatchGuard AP200 <1.2.9.15', 'WatchGuard AP102 <1.2.9.15']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10575",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10575"
    }
  },
  "description": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u75281.2.9.15\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684WatchGuard AP100\u3001AP102\u548cAP200\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u51ed\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6AP\u8bbe\u5907\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10147",
  "openTime": "2018-05-23",
  "patchDescription": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u75281.2.9.15\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684WatchGuard AP100\u3001AP102\u548cAP200\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u51ed\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6AP\u8bbe\u5907\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WatchGuard AP100\u3001AP102\u548cAP200\u786c\u7f16\u7801\u51ed\u636e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WatchGuard   AP100 \u003c1.2.9.15",
      "WatchGuard   AP200 \u003c1.2.9.15",
      "WatchGuard   AP102 \u003c1.2.9.15"
    ]
  },
  "referenceLink": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
  "serverity": "\u4e2d",
  "submitTime": "2018-05-03",
  "title": "WatchGuard AP100\u3001AP102\u548cAP200\u786c\u7f16\u7801\u51ed\u636e\u6f0f\u6d1e"
}

FKIE_CVE-2018-10575

Vulnerability from fkie_nvd - Published: 2018-04-30 22:29 - Updated: 2024-11-21 03:41

Severity

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

References

URL	Tags
cve@mitre.org	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory
cve@mitre.org	https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy	Vendor Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/45409/
cve@mitre.org	https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/45409/
af854a3a-2127-422b-91ae-364da2661108	https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes	Vendor Advisory

Impacted products

Vendor	Product	Version
watchguard	ap200_firmware	*
watchguard	ap200	-
watchguard	ap102_firmware	*
watchguard	ap102	-
watchguard	ap100_firmware	*
watchguard	ap100	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "263A0D62-FCC4-4374-8E2F-1393140D68B0",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C6FA1D0-016C-4B73-9BC4-83848A1A6D04",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA60491C-1B5B-4E23-B27D-4285E3F71E99",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E009741-C76C-49F3-83A4-4BB17D1A9510",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "428B2A59-5F74-4685-B6A9-F0CC9AFEE949",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8379C407-E7DC-4193-9BD0-5BAE24E637B8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15. Existen credenciales embebidas para una cuenta SSH no privilegiada con un shell de /bin/false."
    }
  ],
  "id": "CVE-2018-10575",
  "lastModified": "2024-11-21T03:41:35.507",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-30T22:29:00.310",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/45409/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/45409/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-MV8V-4WHV-FV79

Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59

Details

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

Severity

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-10575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-30T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.",
  "id": "GHSA-mv8v-4whv-fv79",
  "modified": "2022-05-14T02:59:33Z",
  "published": "2022-05-14T02:59:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10575"
    },
    {
      "type": "WEB",
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45409"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2018-10575

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

Aliases

CVE-2018-10575

Aliases

CVE-2018-10575

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-10575",
    "description": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.",
    "id": "GSD-2018-10575",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-10575"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-10575"
      ],
      "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.",
      "id": "GSD-2018-10575",
      "modified": "2023-12-13T01:22:40.927737Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-10575",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
            "refsource": "CONFIRM",
            "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
          },
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          },
          {
            "name": "45409",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45409/"
          },
          {
            "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
            "refsource": "CONFIRM",
            "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10575"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
            },
            {
              "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
            },
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            },
            {
              "name": "45409",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/45409/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-09-16T10:29Z",
      "publishedDate": "2018-04-30T22:29Z"
    }
  }
}

VAR-201804-0674

Vulnerability from variot - Updated: 2024-11-23 21:39

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false. WatchGuard AP100 , AP102 ,and AP200 The device software contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, and AP200 using firmware prior to 1.2.9.15, which was caused by the program using hard-coded credentials. An attacker could use this vulnerability to gain access to an AP device. Introduction

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution.

The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues.

ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including: * AP100 * AP102 * AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10.

The latest firmware update resolves these issues. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.

2) Hidden authentication method in web interface allows for authentication bypass

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby setting the HTTP headers AUTH_USER and AUTH_PASS, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. An example command that demonstrates this issue is: curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session. An example request to demonstrate this issue is: res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-bin/luci/;#{stok}/wgupload", 'headers' => { 'AUTH_USER' => 'admin', 'AUTH_PASS' => '[REDACTED]', }, 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail", 'data' => "#!/usr/bin/lua os.execute('touch /code-execution'); })

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command).

4) Change password functionality incorrectly verifies old password

CVE-2018-10578

The change password functionality within the web interface attempts to verify the old password before setting a new one, however, this is done through AJAX. An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May the 14th 2018.

Disclosure Timeline

Vendor notification: April 04, 2018 Vendor response: April 06, 2018 Firmware update released to public: April 13, 2018 Metasploit module release: May 14, 2018

References

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy [2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201804-0674",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ap100",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap200",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap102",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:watchguard:ap100_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap102_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap200_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stephen Shkardoon",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-10575",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-10575",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-10147",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-10575",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-10575",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-10575",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-10147",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-027",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false. WatchGuard AP100 , AP102 ,and AP200 The device software contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, and AP200 using firmware prior to 1.2.9.15, which was caused by the program using hard-coded credentials. An attacker could use this vulnerability to gain access to an AP device. Introduction\n============\n\nMultiple vulnerabilities can be chained together in a number of\nWatchGuard AP products which result in pre-authenticated remote code\nexecution. \n\nThe vendor has produced a knowledge-base article[1] and\nannouncement[2] regarding these issues. \n\nZX Security would like to commend the prompt response and resolution\nof these reported issues by the vendor. \n\nProduct\n=======\n\nSeveral WatchGuard Access Points running firmware before v1.2.9.15 are\naffected, including:\n* AP100\n* AP102\n* AP200\n\nThe AP300 is also affected by issues 2, 3 and 4 when running firmware\nbefore 2.0.0.10. \n\nThe latest firmware update resolves these issues. The vendor has requested the\nspecific password and hash be withheld until users can apply the\npatch. \nThere is no way for a user of the access point to change this\npassword. An attacker who is aware of this password is able to access\nthe device over SSH and pivot network requests through the device,\nthough they may not run commands as the shell is set to /bin/false. \n\n2) Hidden authentication method in web interface allows for\nauthentication bypass\n---------------------------------------------------------------------------------\nCVE-2018-10576\n\nThe standard authentication method for accessing the webserver\ninvolves submitting an HTML form. This uses a username and password\nseparate from the standard Linux based /etc/passwd authentication. \nAn alternative authentication method was identified from reviewing the\nsource code whereby setting the HTTP headers AUTH_USER and AUTH_PASS,\ncredentials are instead tested against the standard Linux /etc/passwd\nfile. This allows an attacker to use the hardcoded credentials found\npreviously (see 1. \nAn example command that demonstrates this issue is:\n        curl https://watchguard-ap200/cgi-bin/luci -H \"AUTH_USER:\nadmin\" -H \"AUTH_PASS: [REDACTED]\" -k -v\n\nThis session allows for complete access to the web interface as an\nadministrator. \n\n3) Hidden \"wgupload\" functionality allows for file uploads as root and\nremote code execution\n--------------------------------------------------------------------------------------------\nCVE-2018-10577\n\nReviewing the code reveals file upload functionality that is not shown\nto the user via the web interface. An attacker needs only a serial\nnumber (which is displayed to the user when they login to the device\nthrough the standard web interface and can be retrieved\nprogrammatically) and a valid session. \nAn example request to demonstrate this issue is:\n    res = send_request_cgi({\n        \u0027method\u0027    =\u003e \u0027POST\u0027,\n        \u0027uri\u0027       =\u003e \"/cgi-bin/luci/;#{stok}/wgupload\",\n        \u0027headers\u0027 =\u003e {\n          \u0027AUTH_USER\u0027 =\u003e \u0027admin\u0027,\n          \u0027AUTH_PASS\u0027 =\u003e \u0027[REDACTED]\u0027,\n        },\n        \u0027cookie\u0027    =\u003e \"#{sysauth}; serial=#{serial};\nfilename=/www/cgi-bin/payload.luci; md5sum=fail\",\n        \u0027data\u0027     =\u003e \"#!/usr/bin/lua\nos.execute(\u0027touch /code-execution\u0027);\n      })\n\nAn attacker can then visit the URL\nhttp://watchguard-ap200/cgi-bin/payload.luci to execute this command\n(or any other command). \n\n4) Change password functionality incorrectly verifies old password\n------------------------------------------------------------------\nCVE-2018-10578\n\nThe change password functionality within the web interface attempts to\nverify the old password before setting a new one, however, this is\ndone through AJAX. An attacker is able to simply modify the JavaScript\nto avoid this check or perform the POST request manually. \n\nMetasploit Module\n=================\n\nZX Security will be releasing a Metasploit module which automates\nexploitation of this chain of vulnerabilities. This has been delayed\ntill 30 days after the initial patch was made available to ensure\nusers are able to patch their devices. \nThe module and the hard-coded password will be released on May the 14th 2018. \n\nDisclosure Timeline\n===================\n\nVendor notification: April 04, 2018\nVendor response: April 06, 2018\nFirmware update released to public: April 13, 2018\nMetasploit module release: May 14, 2018\n\nReferences\n==========\n\n[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\n[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-10575",
        "trust": 3.1
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45409",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "147468",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "id": "VAR-201804-0674",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      }
    ],
    "trust": 0.8766217999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:39:05.467000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "New Firmware Available for AP100/AP102/AP200/AP300 with Security Vulnerability Fixes",
        "trust": 0.8,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "title": "000011351",
        "trust": 0.8,
        "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
      },
      {
        "title": "Patch for hardcoded credential vulnerability for WatchGuardAP100, AP102 and AP200",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/130033"
      },
      {
        "title": "WatchGuard AP100 , AP102  and AP200 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79771"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "trust": 1.7,
        "url": "https://watchguardsupport.secure.force.com/publickb?type=kbsecurityissues\u0026sfdcid=ka62a0000000liy"
      },
      {
        "trust": 1.0,
        "url": "https://www.exploit-db.com/exploits/45409/"
      },
      {
        "trust": 1.0,
        "url": "http://seclists.org/fulldisclosure/2018/may/12"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10575"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10575"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10577"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10576"
      },
      {
        "trust": 0.1,
        "url": "http://watchguard-ap200/cgi-bin/payload.luci"
      },
      {
        "trust": 0.1,
        "url": "https://watchguard-ap200/cgi-bin/luci"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10578"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-05-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "date": "2018-07-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "date": "2018-05-03T00:01:32",
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "date": "2018-05-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "date": "2018-04-30T22:29:00.310000",
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-05-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10147"
      },
      {
        "date": "2018-07-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      },
      {
        "date": "2018-05-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      },
      {
        "date": "2024-11-21T03:41:35.507000",
        "db": "NVD",
        "id": "CVE-2018-10575"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  WatchGuard Vulnerabilities related to the use of hard-coded credentials in device software",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004985"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-027"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-10575 (GCVE-0-2018-10575)

CNVD-2018-10147

FKIE_CVE-2018-10575

GHSA-MV8V-4WHV-FV79

GSD-2018-10575

VAR-201804-0674

Product

4) Change password functionality incorrectly verifies old password

Metasploit Module

Disclosure Timeline

References

Tags

Sightings

Nomenclature