CVE-2018-10576 (GCVE-0-2018-10576)

Vulnerability from cvelistv5 – Published: 2018-04-30 22:00 – Updated: 2024-08-05 07:39

Summary

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).

Severity

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

4 references

URL	Tags
https://www.watchguard.com/wgrd-blog/new-firmware…	x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2018/May/12	mailing-listx_refsource_FULLDISC
https://www.exploit-db.com/exploits/45409/	exploitx_refsource_EXPLOIT-DB
https://watchguardsupport.secure.force.com/public…	x_refsource_CONFIRM

Date Public

2018-04-30 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:08.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
          },
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          },
          {
            "name": "45409",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45409/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-04-30T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-09-16T09:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
        },
        {
          "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/May/12"
        },
        {
          "name": "45409",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45409/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10576",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
              "refsource": "CONFIRM",
              "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
            },
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            },
            {
              "name": "45409",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45409/"
            },
            {
              "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
              "refsource": "CONFIRM",
              "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10576",
    "datePublished": "2018-04-30T22:00:00.000Z",
    "dateReserved": "2018-04-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T07:39:08.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-10576",
      "date": "2026-06-04",
      "epss": "0.00252",
      "percentile": "0.48738"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-10576\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-04-30T22:29:00.373\",\"lastModified\":\"2024-11-21T03:41:35.670\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15. La gesti\u00f3n de autenticaci\u00f3n incorrecta por parte de la interfaz web de usuario de Access Point permite la autenticaci\u00f3n por medio de una cuenta del sistema local (en lugar de un usuario dedicado exclusivo de la web).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"263A0D62-FCC4-4374-8E2F-1393140D68B0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C6FA1D0-016C-4B73-9BC4-83848A1A6D04\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"FA60491C-1B5B-4E23-B27D-4285E3F71E99\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E009741-C76C-49F3-83A4-4BB17D1A9510\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.9.15\",\"matchCriteriaId\":\"428B2A59-5F74-4685-B6A9-F0CC9AFEE949\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8379C407-E7DC-4193-9BD0-5BAE24E637B8\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/45409/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2018/May/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/45409/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2018-10148

Vulnerability from cnvd - Published: 2018-05-23

Title

WatchGuard AP100、AP102和AP200身份验证漏洞

Description

WatchGuard AP100、AP102和AP200都是美国WatchGuard公司的不同系列的室内无线接入点设备。使用1.2.9.15之前版本固件的WatchGuard AP100、AP102和AP200中存在安全漏洞，该漏洞源于本地Access Point Web UI未能正确的处理身份验证。攻击者可借助本地系统账户利用该漏洞获取AP设备的访问权限。

Severity

中

Patch Name

WatchGuard AP100、AP102和AP200身份验证漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Reference

https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Impacted products

Name
['WatchGuard AP100 <1.2.9.15', 'WatchGuard AP200 <1.2.9.15', 'WatchGuard AP102 <1.2.9.15']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10576",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10576"
    }
  },
  "description": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u75281.2.9.15\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684WatchGuard AP100\u3001AP102\u548cAP200\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672c\u5730Access Point Web UI\u672a\u80fd\u6b63\u786e\u7684\u5904\u7406\u8eab\u4efd\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u672c\u5730\u7cfb\u7edf\u8d26\u6237\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6AP\u8bbe\u5907\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "Ryan Orsi",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10148",
  "openTime": "2018-05-23",
  "patchDescription": "WatchGuard AP100\u3001AP102\u548cAP200\u90fd\u662f\u7f8e\u56fdWatchGuard\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5ba4\u5185\u65e0\u7ebf\u63a5\u5165\u70b9\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u75281.2.9.15\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684WatchGuard AP100\u3001AP102\u548cAP200\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672c\u5730Access Point Web UI\u672a\u80fd\u6b63\u786e\u7684\u5904\u7406\u8eab\u4efd\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u672c\u5730\u7cfb\u7edf\u8d26\u6237\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6AP\u8bbe\u5907\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WatchGuard AP100\u3001AP102\u548cAP200\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WatchGuard   AP100 \u003c1.2.9.15",
      "WatchGuard   AP200 \u003c1.2.9.15",
      "WatchGuard   AP102 \u003c1.2.9.15"
    ]
  },
  "referenceLink": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
  "serverity": "\u4e2d",
  "submitTime": "2018-05-03",
  "title": "WatchGuard AP100\u3001AP102\u548cAP200\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e"
}

FKIE_CVE-2018-10576

Vulnerability from fkie_nvd - Published: 2018-04-30 22:29 - Updated: 2024-11-21 03:41

Severity

7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory
cve@mitre.org	https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy	Vendor Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/45409/
cve@mitre.org	https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2018/May/12	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/45409/
af854a3a-2127-422b-91ae-364da2661108	https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes	Vendor Advisory

Impacted products

Vendor	Product	Version
watchguard	ap200_firmware	*
watchguard	ap200	-
watchguard	ap102_firmware	*
watchguard	ap102	-
watchguard	ap100_firmware	*
watchguard	ap100	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "263A0D62-FCC4-4374-8E2F-1393140D68B0",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C6FA1D0-016C-4B73-9BC4-83848A1A6D04",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA60491C-1B5B-4E23-B27D-4285E3F71E99",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E009741-C76C-49F3-83A4-4BB17D1A9510",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "428B2A59-5F74-4685-B6A9-F0CC9AFEE949",
              "versionEndExcluding": "1.2.9.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8379C407-E7DC-4193-9BD0-5BAE24E637B8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user)."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema en los dispositivos WatchGuard AP100, AP102 y AP200 con firmware en versiones anteriores a la 1.2.9.15. La gesti\u00f3n de autenticaci\u00f3n incorrecta por parte de la interfaz web de usuario de Access Point permite la autenticaci\u00f3n por medio de una cuenta del sistema local (en lugar de un usuario dedicado exclusivo de la web)."
    }
  ],
  "id": "CVE-2018-10576",
  "lastModified": "2024-11-21T03:41:35.670",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-30T22:29:00.373",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/45409/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/45409/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-6C4V-HJ93-73RM

Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59

Details

Severity

7.8 (High)


                  
                    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-10576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-30T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).",
  "id": "GHSA-6c4v-hj93-73rm",
  "modified": "2022-05-14T02:59:32Z",
  "published": "2022-05-14T02:59:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10576"
    },
    {
      "type": "WEB",
      "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45409"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/May/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2018-10576

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-10576

Aliases

CVE-2018-10576

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-10576",
    "description": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).",
    "id": "GSD-2018-10576",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-10576"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-10576"
      ],
      "details": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).",
      "id": "GSD-2018-10576",
      "modified": "2023-12-13T01:22:40.978160Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-10576",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user)."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
            "refsource": "CONFIRM",
            "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
          },
          {
            "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2018/May/12"
          },
          {
            "name": "45409",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45409/"
          },
          {
            "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
            "refsource": "CONFIRM",
            "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap102_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap102:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:watchguard:ap100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.2.9.15",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:watchguard:ap100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10576"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
            },
            {
              "name": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
            },
            {
              "name": "20180501 Multiple issues in WatchGuard AP100 AP102 AP200 result in remote code execution",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2018/May/12"
            },
            {
              "name": "45409",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/45409/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-09-16T10:29Z",
      "publishedDate": "2018-04-30T22:29Z"
    }
  }
}

VAR-201804-0675

Vulnerability from variot - Updated: 2024-11-23 21:39

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user). WatchGuard AP100 , AP102 ,and AP200 An authentication vulnerability exists in the device software.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, and AP200 using firmware prior to 1.2.9.15, which stems from the failure of the local AccessPoint WebUI to properly handle authentication. An attacker can use this vulnerability to gain access to an AP device with the help of a local system account. Introduction

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution.

The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues.

ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including: * AP100 * AP102 * AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10.

The latest firmware update resolves these issues.

Technical Details

1) Hard-coded credentials

CVE-2018-10575

A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.

2) Hidden authentication method in web interface allows for authentication bypass

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby setting the HTTP headers AUTH_USER and AUTH_PASS, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hard-coded credentials) to gain web access to the device. An example command that demonstrates this issue is: curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session. An example request to demonstrate this issue is: res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-bin/luci/;#{stok}/wgupload", 'headers' => { 'AUTH_USER' => 'admin', 'AUTH_PASS' => '[REDACTED]', }, 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail", 'data' => "#!/usr/bin/lua os.execute('touch /code-execution'); })

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command).

4) Change password functionality incorrectly verifies old password

CVE-2018-10578

The change password functionality within the web interface attempts to verify the old password before setting a new one, however, this is done through AJAX. An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May the 14th 2018.

Disclosure Timeline

Vendor notification: April 04, 2018 Vendor response: April 06, 2018 Firmware update released to public: April 13, 2018 Metasploit module release: May 14, 2018

References

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy [2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201804-0675",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ap100",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap200",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      },
      {
        "model": "ap102",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "watchguard",
        "version": "1.2.9.15"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:watchguard:ap100_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap102_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:watchguard:ap200_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stephen Shkardoon",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-10576",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-10576",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-10148",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2018-10576",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-10576",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-10576",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-10148",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-026",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user). WatchGuard AP100 , AP102 ,and AP200 An authentication vulnerability exists in the device software.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. WatchGuardAP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuardAP100, AP102, and AP200 using firmware prior to 1.2.9.15, which stems from the failure of the local AccessPoint WebUI to properly handle authentication. An attacker can use this vulnerability to gain access to an AP device with the help of a local system account. Introduction\n============\n\nMultiple vulnerabilities can be chained together in a number of\nWatchGuard AP products which result in pre-authenticated remote code\nexecution. \n\nThe vendor has produced a knowledge-base article[1] and\nannouncement[2] regarding these issues. \n\nZX Security would like to commend the prompt response and resolution\nof these reported issues by the vendor. \n\nProduct\n=======\n\nSeveral WatchGuard Access Points running firmware before v1.2.9.15 are\naffected, including:\n* AP100\n* AP102\n* AP200\n\nThe AP300 is also affected by issues 2, 3 and 4 when running firmware\nbefore 2.0.0.10. \n\nThe latest firmware update resolves these issues. \n\nTechnical Details\n=================\n\n1) Hard-coded credentials\n-------------------------\nCVE-2018-10575\n\nA hard-coded user exists in /etc/passwd. The vendor has requested the\nspecific password and hash be withheld until users can apply the\npatch. \nThere is no way for a user of the access point to change this\npassword. An attacker who is aware of this password is able to access\nthe device over SSH and pivot network requests through the device,\nthough they may not run commands as the shell is set to /bin/false. \n\n2) Hidden authentication method in web interface allows for\nauthentication bypass\n---------------------------------------------------------------------------------\nCVE-2018-10576\n\nThe standard authentication method for accessing the webserver\ninvolves submitting an HTML form. This uses a username and password\nseparate from the standard Linux based /etc/passwd authentication. \nAn alternative authentication method was identified from reviewing the\nsource code whereby setting the HTTP headers AUTH_USER and AUTH_PASS,\ncredentials are instead tested against the standard Linux /etc/passwd\nfile. This allows an attacker to use the hardcoded credentials found\npreviously (see 1. Hard-coded credentials) to gain web access to the\ndevice. \nAn example command that demonstrates this issue is:\n        curl https://watchguard-ap200/cgi-bin/luci -H \"AUTH_USER:\nadmin\" -H \"AUTH_PASS: [REDACTED]\" -k -v\n\nThis session allows for complete access to the web interface as an\nadministrator. \n\n3) Hidden \"wgupload\" functionality allows for file uploads as root and\nremote code execution\n--------------------------------------------------------------------------------------------\nCVE-2018-10577\n\nReviewing the code reveals file upload functionality that is not shown\nto the user via the web interface. An attacker needs only a serial\nnumber (which is displayed to the user when they login to the device\nthrough the standard web interface and can be retrieved\nprogrammatically) and a valid session. \nAn example request to demonstrate this issue is:\n    res = send_request_cgi({\n        \u0027method\u0027    =\u003e \u0027POST\u0027,\n        \u0027uri\u0027       =\u003e \"/cgi-bin/luci/;#{stok}/wgupload\",\n        \u0027headers\u0027 =\u003e {\n          \u0027AUTH_USER\u0027 =\u003e \u0027admin\u0027,\n          \u0027AUTH_PASS\u0027 =\u003e \u0027[REDACTED]\u0027,\n        },\n        \u0027cookie\u0027    =\u003e \"#{sysauth}; serial=#{serial};\nfilename=/www/cgi-bin/payload.luci; md5sum=fail\",\n        \u0027data\u0027     =\u003e \"#!/usr/bin/lua\nos.execute(\u0027touch /code-execution\u0027);\n      })\n\nAn attacker can then visit the URL\nhttp://watchguard-ap200/cgi-bin/payload.luci to execute this command\n(or any other command). \n\n4) Change password functionality incorrectly verifies old password\n------------------------------------------------------------------\nCVE-2018-10578\n\nThe change password functionality within the web interface attempts to\nverify the old password before setting a new one, however, this is\ndone through AJAX. An attacker is able to simply modify the JavaScript\nto avoid this check or perform the POST request manually. \n\nMetasploit Module\n=================\n\nZX Security will be releasing a Metasploit module which automates\nexploitation of this chain of vulnerabilities. This has been delayed\ntill 30 days after the initial patch was made available to ensure\nusers are able to patch their devices. \nThe module and the hard-coded password will be released on May the 14th 2018. \n\nDisclosure Timeline\n===================\n\nVendor notification: April 04, 2018\nVendor response: April 06, 2018\nFirmware update released to public: April 13, 2018\nMetasploit module release: May 14, 2018\n\nReferences\n==========\n\n[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy\n[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-10576",
        "trust": 3.1
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45409",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "147468",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "id": "VAR-201804-0675",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      }
    ],
    "trust": 0.8766217999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:39:05.524000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "New Firmware Available for AP100/AP102/AP200/AP300 with Security Vulnerability Fixes",
        "trust": 0.8,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "title": "000011351",
        "trust": 0.8,
        "url": "https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000LIy"
      },
      {
        "title": "Patch for WatchGuardAP100, AP102, and AP200 authentication vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/130025"
      },
      {
        "title": "WatchGuard AP100 , AP102  and AP200 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79770"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes"
      },
      {
        "trust": 1.7,
        "url": "https://watchguardsupport.secure.force.com/publickb?type=kbsecurityissues\u0026sfdcid=ka62a0000000liy"
      },
      {
        "trust": 1.0,
        "url": "https://www.exploit-db.com/exploits/45409/"
      },
      {
        "trust": 1.0,
        "url": "http://seclists.org/fulldisclosure/2018/may/12"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10576"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10576"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10577"
      },
      {
        "trust": 0.1,
        "url": "http://watchguard-ap200/cgi-bin/payload.luci"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10575"
      },
      {
        "trust": 0.1,
        "url": "https://watchguard-ap200/cgi-bin/luci"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10578"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-05-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "date": "2018-07-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "date": "2018-05-03T00:01:32",
        "db": "PACKETSTORM",
        "id": "147468"
      },
      {
        "date": "2018-05-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "date": "2018-04-30T22:29:00.373000",
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-05-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10148"
      },
      {
        "date": "2018-07-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      },
      {
        "date": "2018-05-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      },
      {
        "date": "2024-11-21T03:41:35.670000",
        "db": "NVD",
        "id": "CVE-2018-10576"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  WatchGuard Authentication vulnerabilities in device software",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004986"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-026"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-10576 (GCVE-0-2018-10576)

CNVD-2018-10148

FKIE_CVE-2018-10576

GHSA-6C4V-HJ93-73RM

GSD-2018-10576

VAR-201804-0675

Product

Technical Details

1) Hard-coded credentials

4) Change password functionality incorrectly verifies old password

Metasploit Module

Disclosure Timeline

References

Tags

Sightings

Nomenclature