CVE-2018-11681 - OpenCVE

Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Lutron	Homeworks Qs Firmware Stanza Firmware Radiora 2 Firmware Radiora 2 Homeworks Qs Stanza

Configuration 1 [-]

AND

cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:lutron:stanza:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:lutron:radiora_2:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:lutron:homeworks_qs:-:*:*:*:*:*:*:*

References

Link	Resource
http://sadfud.me/explotos/CVE-2018-11629	Third Party Advisory
http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf
https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-06-02T13:00:00

Updated: 2024-06-04T17:11:56.366Z

Reserved: 2018-06-02T00:00:00

Link: CVE-2018-11681

JSON object: View

NVD Information

Status : Modified

Published: 2018-06-02T13:29:00.277

Modified: 2024-06-04T19:16:56.400

Link: CVE-2018-11681

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-06-02T00:00:00", "descriptions": [{"lang": "en", "value": "Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-27T17:40:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://sadfud.me/explotos/CVE-2018-11629"}, {"tags": ["x_refsource_MISC"], "url": "https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11681", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://sadfud.me/explotos/CVE-2018-11629", "refsource": "MISC", "url": "http://sadfud.me/explotos/CVE-2018-11629"}, {"name": "https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/", "refsource": "MISC", "url": "https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/"}, {"name": "http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf", "refsource": "MISC", "url": "http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf"}]}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2018-11681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-23T18:06:19.899664Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:*"], "vendor": "lutron", "product": "stanza_firmware", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:*"], "vendor": "lutron", "product": "radiora_2_firmware", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:*"], "vendor": "lutron", "product": "homeworks_qs_firmware", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:11:56.366Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11681", "datePublished": "2018-06-02T13:00:00", "dateReserved": "2018-06-02T00:00:00", "dateUpdated": "2024-06-04T17:11:56.366Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2AB5848A-8331-4B38-8A52-D39E02EAF1AA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lutron:stanza:-:*:*:*:*:*:*:*", "matchCriteriaId": "33CF0BDB-6C11-4BDF-BA24-F8E88A330FD9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "43C6EF7F-4CF2-4424-A0BB-47E1C9750002", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lutron:radiora_2:-:*:*:*:*:*:*:*", "matchCriteriaId": "D4CD9186-5091-4B57-9A72-E289E06A7A58", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE9CE85D-A813-48CA-B195-E9B43341CCBD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lutron:homeworks_qs:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7913129-7017-4739-8561-68ACCF369086", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine"}, {"lang": "es", "value": "** EN DISPUTA ** Las credenciales de soporte por defecto e inamovibles (usuario: nwk contrase\u00f1a: nwk2) permiten que los atacantes obtengan el control de super user total de un dispositivo IoT mediante una sesi\u00f3n TELNET en productos que emplean el protocolo de integraci\u00f3n RadioRA 2 Lutron de las revisiones M a Y. NOTA: El fabricante disputa que este id no sea una vulnerabilidad porque lo que se puede hacer a trav\u00e9s de los puertos gira en torno al control de la iluminaci\u00f3n, no a la ejecuci\u00f3n del c\u00f3digo. Se enumera un cierto conjunto de comandos, que tienen cierta similitud con el c\u00f3digo, pero no son arbitrarios y no permiten el control a nivel de administrador de una m\u00e1quina."}], "id": "CVE-2018-11681", "lastModified": "2024-06-04T19:16:56.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-02T13:29:00.277", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://sadfud.me/explotos/CVE-2018-11629"}, {"source": "cve@mitre.org", "url": "http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}