Vulnerability CVE-2013-4937


Published: 2013-07-26

Description:
Multiple unspecified vulnerabilities in the AiCloud feature on the ASUS RT-AC66U, RT-N66U, RT-N65U, RT-N14U, RT-N16, RT-N56U, and DSL-N55U with firmware before 3.0.4.372 have unknown impact and attack vectors.

See advisories in our WLB2 database:
Topic
Author
Date
High
ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
Jacob Holcomb/Gi...
28.07.2013

Type:

CWE-noinfo

Vendor: ASUS
Product: Rt-n16 firmware 
Version:
7.0.2.38b
3.0.0.4.354
3.0.0.4.260
3.0.0.4.246
3.0.0.4.220
3.0.0.3.178
3.0.0.3.162
3.0.0.3.108
1.0.2.3
1.0.1.9
Product: Rt-n66u firmware 
Version: 3.0.0.4.370; 3.0.0.4.272;
Product: Rt-n14u firmware 
Version: 3.0.0.4.356; 3.0.0.4.322;
Product: Rt-ac66u firmware 
Version:
3.0.0.4.354
3.0.0.4.270
3.0.0.4.260
3.0.0.4.246
3.0.0.4.220
3.0.0.4.140
Product: Rt-n65u firmware 
Version:
3.0.0.4.346
3.0.0.4.342
3.0.0.4.334
3.0.0.4.260
3.0.0.3.176
3.0.0.3.134
Product: Rt-ac66u 
Product: Rt-n16u 
Product: Rt-n66u 
Product: Rt-n14u 
Product: Rt-n65u 

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://twitter.com/ASUSUSA/statuses/357612236392509440
http://reviews.cnet.com/8301-3132_7-57594003-98

Related CVE
CVE-2018-20336
An issue was discovered in ASUSWRT 3.0.0.4.384.20308. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-10709
AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
CVE-2019-11063
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG...
CVE-2019-11060
The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associ...
CVE-2018-14714
System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter.
CVE-2018-14713
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
CVE-2018-14712
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter.
CVE-2018-14711
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs.

Copyright 2019, cxsecurity.com

 

Back to Top