Executive Summary

Summary
Title: Virtual Access GW6110A router privilege escalation vulnerability

Information
Name: VU#213046
Vendor: VU-CERT
First vendor publication: 2014-03-25
Last vendor modification: 2014-03-25
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:A/AC:M/Au:S/C:P/I:P/A:P)
CVSS base score: 4.9
CVSS impact score: 6.4
CVSS exploit score: 4.4
Attack range: Adjacent network
Attack complexity: Medium
Authentication: Requires single instance

Detail

Vulnerability Note VU#213046

Virtual Access GW6110A router privilege escalation vulnerability

Original Release date: 25 Mar 2014 | Last revised: 25 Mar 2014

Overview

Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges.

Description

CWE-472: External Control of Assumed-Immutable Web Parameter

Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges by modifying a JavaScript variable that checks for user access level on the web interface.
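The CWE-472 pattern described above, shown as an added example that is not part of the original advisory and is not the GW6110A firmware: an authorization check that trusts an access level held by the browser, next to one that reads the role from server-side session state and records any mismatch for detection. The session IDs, action names and function names are hypothetical, and the request is constructed sample data.

```javascript
// Added illustration of CWE-472. All identifiers here are hypothetical.

// Server-side session store: the only authoritative source of a user's role.
const SESSIONS = new Map([
  ["sess-operator", { user: "operator", role: "user" }],  // constructed sample
  ["sess-admin", { user: "admin", role: "admin" }],       // constructed sample
]);

// Actions that must be limited to administrators.
const ADMIN_ACTIONS = new Set(["change_config", "add_user"]);

// Flawed design: the page script holds the access level and sends it back,
// so the decision rests on a value the logged-in user controls.
function authorizeTrustingClient(request) {
  if (!SESSIONS.has(request.sessionId)) {
    return { allowed: false, reason: "no session" };
  }
  const level = request.clientAccessLevel;
  const allowed = !ADMIN_ACTIONS.has(request.action) || level === "admin";
  return { allowed, reason: allowed ? "ok" : "insufficient level" };
}

// Corrected design: the role comes from the session record only. A client
// value that disagrees with it is ignored for the decision and logged.
function authorizeServerSide(request, auditLog) {
  const session = SESSIONS.get(request.sessionId);
  if (!session) {
    return { allowed: false, reason: "no session" };
  }
  const claimed = request.clientAccessLevel;
  if (claimed !== undefined && claimed !== session.role) {
    auditLog.push({ user: session.user, claimed, actual: session.role,
                    action: request.action });
  }
  const allowed = !ADMIN_ACTIONS.has(request.action) || session.role === "admin";
  return { allowed, reason: allowed ? "ok" : "insufficient level" };
}

// Constructed request: a low-privilege session whose client-side level differs
// from the role stored on the server.
const tampered = { sessionId: "sess-operator", action: "change_config",
                   clientAccessLevel: "admin" };
const auditLog = [];
console.log("trusting client:", authorizeTrustingClient(tampered));
console.log("server-side role:", authorizeServerSide(tampered, auditLog));
console.log("audit log:", auditLog);
```
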

Impact

An authenticated user could escalate their privileges on the router, allowing them access to administration features.

Solution

Update

The vendor has released an update to address this vulnerability. Affected users are advised to upgrade to one of the following versions.

  • Users of software branch 9.00 are advised to update to version 9.09.27 or later.
  • Users of software branch 9.50 are advised to update to version 9.50.21 or later.
  • Users of software branch 10.00 are advised to update to version 10.00.21 or later.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor: Virtual Access
Status: Affected
Date Notified: 29 Jan 2014
Date Updated: 18 Mar 2014

CVSS Metrics

Base: score 2.3, vector AV:A/AC:M/Au:S/C:P/I:N/A:N
Temporal: score 1.8, vector E:U/RL:U/RC:UC
Environmental: score 0.7, vector CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.virtualaccess.com/GW6000-adsl2-router.php

Credit

Thanks to James Premo for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2014-0343
  • Date Public: 25 Mar 2014
  • Date First Published: 25 Mar 2014
  • Date Last Updated: 25 Mar 2014
  • Document Revision: 13

Original Source

URL: http://www.kb.cert.org/vuls/id/213046

CPE : Common Platform Enumeration

Type: Hardware, Count: 1
Type: Os, Count: 3

Alert History

2014-03-26 17:23:10
  • Multiple Updates
2014-03-26 13:28:23
  • Multiple Updates
2014-03-25 17:18:40
  • First insertion