CVE-2019-19942 - OpenCVE

Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Swisscom	Centro Grande Firmware Centro Business Centro Grande

Configuration 1 [-]

AND

cpe:2.3:o:swisscom:centro_grande_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:swisscom:centro_grande:-:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:swisscom:centro_business:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:swisscom:centro_business:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2019-19940ff.txt	Exploit Vendor Advisory
https://www.swisscom.ch/en/residential/help/device/internet-router.html	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-16T15:24:46

Updated: 2021-01-13T16:00:07

Reserved: 2019-12-23T00:00:00

Link: CVE-2019-19942

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-16T16:15:12.327

Modified: 2021-03-04T20:07:57.413

Link: CVE-2019-19942

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-13T16:00:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2019-19940ff.txt"}, {"tags": ["x_refsource_MISC"], "url": "https://www.swisscom.ch/en/residential/help/device/internet-router.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19942", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2019-19940ff.txt", "refsource": "CONFIRM", "url": "https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2019-19940ff.txt"}, {"name": "https://www.swisscom.ch/en/residential/help/device/internet-router.html", "refsource": "MISC", "url": "https://www.swisscom.ch/en/residential/help/device/internet-router.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19942", "datePublished": "2020-03-16T15:24:46", "dateReserved": "2019-12-23T00:00:00", "dateUpdated": "2021-01-13T16:00:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:swisscom:centro_grande_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E8E8E27-0B4A-4CB9-9E1A-A219F59DFC1C", "versionEndExcluding": "6.14.06", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:swisscom:centro_grande:-:*:*:*:*:*:*:*", "matchCriteriaId": "66E1FEB3-60B0-4394-9953-2B8D238174D7", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swisscom:centro_business:*:*:*:*:*:*:*:*", "matchCriteriaId": "59AE4CE3-8126-4847-AB8C-E924F51E10E1", "versionEndExcluding": "7.10.18", "versionStartIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swisscom:centro_business:*:*:*:*:*:*:*:*", "matchCriteriaId": "C207174B-9E6B-4B78-A3F4-ED50677312D6", "versionEndExcluding": "8.02.04", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests."}, {"lang": "es", "value": "Una falta de saneamiento de la salida en Swisscom Centro Grande versiones anteriores a 6.16.12, Centro Business versiones 1.0 (ADB) anteriores a 7.10.18 y Centro Business versiones 2.0 anteriores a 8.02.04, permite a un atacante remoto realizar una suplantaci\u00f3n de DNS en la interfaz web por medio de nombres de host dise\u00f1ados en peticiones DHCP"}], "id": "CVE-2019-19942", "lastModified": "2021-03-04T20:07:57.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-16T16:15:12.327", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2019-19940ff.txt"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.swisscom.ch/en/residential/help/device/internet-router.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}