Executive Summary



This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary
Title: Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities
Information
Name: VU#525276
First vendor publication: 2015-08-31
Vendor: VU-CERT
Last vendor modification: 2015-08-31
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS base score: 7.8
CVSS impact score: 6.9
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#525276

Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities

Original Release date: 31 Aug 2015 | Last revised: 31 Aug 2015

Overview

The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities.

Description

PLDT provides the SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293 to customers for internet access. These devices contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991

The form2WlanSetup.cgi page does not properly verify that administrative actions are being performed intentionally. An attacker may lure a user behind the router into clicking a malicious link that performs administrative actions, such as changing the device's network settings.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992

The form2WlanSetup.cgi page contains an "ssid" parameter which is vulnerable to cross-site scripting.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-5993

The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter "ipaddr" with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.

CWE-798: Use of Hard-coded Credentials

Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576.

The CVSS score below is based on CVE-2015-5991.

Impact

A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.
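
With no fix available, requests to the two CGI pages named in the Description can at least be monitored, for example at a proxy in front of the modem's web interface. The following is an added example, not part of the CERT/CC note or any vendor code; the function name, the sample addresses and the 253-character "sane" limit are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

IPADDR_CRASH_LEN = 1874   # the note: "more than 1874 characters"
IPADDR_SANE_LEN = 253     # assumption: longest valid DNS hostname


def inspect_request(method, path, headers, body=""):
    """Return findings for one HTTP request addressed to the modem web UI."""
    url = urlsplit(path)
    page = url.path.rsplit("/", 1)[-1]
    # Merge query-string and form-body parameters; values are percent-decoded.
    params = parse_qs(url.query + "&" + body, keep_blank_values=True)
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []

    if page == "form2ping.cgi" and method == "POST":
        longest = max((len(v) for v in params.get("ipaddr", [])), default=0)
        if longest > IPADDR_CRASH_LEN:
            findings.append("CVE-2015-5993: ipaddr exceeds 1874 characters")
        elif longest > IPADDR_SANE_LEN:
            findings.append("suspicious: ipaddr longer than any valid host")

    if page == "form2WlanSetup.cgi":
        # XSS indicator: angle brackets in the ssid value after decoding.
        if any("<" in v or ">" in v for v in params.get("ssid", [])):
            findings.append("CVE-2015-5992: markup characters in ssid")
        # CSRF indicator: Origin (or Referer) names a host other than Host.
        source = hdrs.get("origin") or hdrs.get("referer")
        if source and urlsplit(source).netloc != hdrs.get("host"):
            findings.append("CVE-2015-5991: cross-origin request to setup page")
    return findings


# Constructed sample requests (addresses and values are made up for the demo).
SAMPLES = [
    ("POST", "/form2ping.cgi", {"Host": "192.168.1.1"}, "ipaddr=192.168.1.254"),
    ("POST", "/form2ping.cgi", {"Host": "192.168.1.1"}, "ipaddr=" + "A" * 2000),
    ("POST", "/form2WlanSetup.cgi",
     {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}, "ssid=HomeNet"),
    ("POST", "/form2WlanSetup.cgi",
     {"Host": "192.168.1.1", "Origin": "http://news.example"}, "ssid=%3Cb%3Ex"),
]

if __name__ == "__main__":
    for method, path, headers, body in SAMPLES:
        print(method, path, "->", inspect_request(method, path, headers, body) or "ok")
```

A request that carries neither an Origin nor a Referer header is not flagged by the CSRF check, so the absence of a finding is not proof that a request was same-origin.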

Vendor Information

Vendor: Philippine Long Distance Telephone
Status: Affected
Date Notified: 02 Jun 2015
Date Updated: 28 Aug 2015

CVSS Metrics

Base: score 7.4, vector AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal: score 6.3, vector E:POC/RL:U/RC:UR
Environmental: score 4.7, vector CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


Credit

Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-5991, CVE-2015-5992, CVE-2015-5993
  • Date Public: 31 Aug 2015
  • Date First Published: 31 Aug 2015
  • Date Last Updated: 31 Aug 2015
  • Document Revision: 47
