CVE-2019-12511
CVSS V2 High 9.3
CVSS V3 Critical 9.8
Description
In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point.
Overview
- CVE ID
- CVE-2019-12511
- Assigner
- cve@mitre.org
- Vulnerability Status
- Modified
- Published Version
- 2020-02-24T19:15:13
- Last Modified Date
- 2020-03-03T18:15:11
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:netgear:nighthawk_x10-r9000_firmware:*:*:*:*:*:*:*:* | 1 | OR | 1.0.4.26 | |
| cpe:2.3:h:netgear:nighthawk_x10-r9000:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:N/C:C/I:C/A:C
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- COMPLETE
- Integrity Impact
- COMPLETE
- Availability Impact
- COMPLETE
- Base Score
- 9.3
- Severity
- HIGH
- Exploitability Score
- 8.6
- Impact Score
- 10
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.8
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://www.ise.io/casestudies/sohopelessly-broken-2-0/ | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2019-12511 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12511 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:48:28 | Added to TrackCVE | |||
| 2022-12-04 11:44:35 | 2020-02-24T19:15Z | 2020-02-24T19:15:13 | CVE Published Date | updated |
| 2022-12-04 11:44:35 | 2020-03-03T18:15:11 | CVE Modified Date | updated | |
| 2022-12-04 11:44:35 | Modified | Vulnerability Status | updated |