CVE-2020-13391 - OpenCVE

An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318_)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetSpeedWan speed_dir parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tendacn	Ac6 Firmware Ac15 Ac9 Ac6 Ac9 Firmware Ac18 Firmware Ac18 Ac15 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:tendacn:ac6_firmware:v15.03.05.19_multi_td01:*:*:*:*:*:*:*

cpe:2.3:h:tendacn:ac6:1.0:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:tendacn:ac9_firmware:v15.03.05.19\(6318\):*:*:*:*:*:*:*

cpe:2.3:h:tendacn:ac9:1.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:tendacn:ac15_firmware:v15.03.05.19_multi_td01:*:*:*:*:*:*:*

cpe:2.3:h:tendacn:ac15:1.0:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:tendacn:ac18_firmware:v15.03.05.19\(6318\):*:*:*:*:*:*:*

cpe:2.3:h:tendacn:ac18:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:tendacn:ac9_firmware:v15.03.06.42_multi:*:*:*:*:*:*:*

cpe:2.3:h:tendacn:ac9:3.0:*:*:*:*:*:*:*

References

Link	Resource
https://joel-malwarebenchmark.github.io	Exploit Third Party Advisory
https://joel-malwarebenchmark.github.io/blog/2020/04/28/cve-2020-13391-Tenda-vulnerability/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-22T16:06:55

Updated: 2020-05-26T20:37:29

Reserved: 2020-05-22T00:00:00

Link: CVE-2020-13391

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-05-22T17:15:11.177

Modified: 2020-05-27T19:50:31.210

Link: CVE-2020-13391

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318_)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetSpeedWan speed_dir parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-26T20:37:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://joel-malwarebenchmark.github.io"}, {"tags": ["x_refsource_MISC"], "url": "https://joel-malwarebenchmark.github.io/blog/2020/04/28/cve-2020-13391-Tenda-vulnerability/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13391", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318_)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetSpeedWan speed_dir parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://joel-malwarebenchmark.github.io", "refsource": "MISC", "url": "https://joel-malwarebenchmark.github.io"}, {"name": "https://joel-malwarebenchmark.github.io/blog/2020/04/28/cve-2020-13391-Tenda-vulnerability/", "refsource": "MISC", "url": "https://joel-malwarebenchmark.github.io/blog/2020/04/28/cve-2020-13391-Tenda-vulnerability/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13391", "datePublished": "2020-05-22T16:06:55", "dateReserved": "2020-05-22T00:00:00", "dateUpdated": "2020-05-26T20:37:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tendacn:ac6_firmware:v15.03.05.19_multi_td01:*:*:*:*:*:*:*", "matchCriteriaId": "CAC0673D-8596-4496-A29B-7E7F38584B29", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tendacn:ac6:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "37AC63F5-DB8A-40B5-AA46-A2F9C9BCFB12", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tendacn:ac9_firmware:v15.03.05.19\\(6318\\):*:*:*:*:*:*:*", "matchCriteriaId": "FA1D8A5D-204B-4EB2-8889-E48396A33017", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tendacn:ac9:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B3E3CCB3-34B7-4904-9C38-48CA34E44C84", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tendacn:ac15_firmware:v15.03.05.19_multi_td01:*:*:*:*:*:*:*", "matchCriteriaId": "B6A8E101-F4DE-40EE-8412-86830A94E5D6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tendacn:ac15:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0979C5E5-E098-4B24-86BC-02ED33FBFDA4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tendacn:ac18_firmware:v15.03.05.19\\(6318\\):*:*:*:*:*:*:*", "matchCriteriaId": "3188ED22-AA0D-440F-AD0E-9440F0B9526B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tendacn:ac18:-:*:*:*:*:*:*:*", "matchCriteriaId": "FCF0F551-6E6C-48D6-9C2A-740B84AF0349", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tendacn:ac9_firmware:v15.03.06.42_multi:*:*:*:*:*:*:*", "matchCriteriaId": "87C452F1-095D-4C6C-84D5-94593AEBDDC3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tendacn:ac9:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CA49FEFD-41B5-4038-883D-989AB85D6CF5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318_)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetSpeedWan speed_dir parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks."}, {"lang": "es", "value": "Se detect\u00f3 un problema en dispositivos Tenda AC6 versiones V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, y AC18 V15.03.05.19 (6318_)_CN. Se presenta una vulnerabilidad de desbordamiento de b\u00fafer en el servidor web del enrutador: httpd. Mientras se procesa el par\u00e1metro speed_dir de /goform/SetSpeedWan para una petici\u00f3n POST, un valor es usado directamente en un sprintf para una variable local colocada en la pila, que sobrescribe la direcci\u00f3n de retorno de una funci\u00f3n. Un atacante puede construir una carga \u00fatil para llevar a cabo ataques de ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2020-13391", "lastModified": "2020-05-27T19:50:31.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-22T17:15:11.177", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://joel-malwarebenchmark.github.io"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://joel-malwarebenchmark.github.io/blog/2020/04/28/cve-2020-13391-Tenda-vulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}