Executive Summary



This Alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.

Summary

Title: Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery

Information

Name: VU#278204
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2013-03-18
Last vendor modification: 2013-03-18
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8
CVSS impact score: 6.4
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#278204

Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery

Original Release date: 18 Mar 2013 | Last revised: 18 Mar 2013

Overview

The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352)

Description

The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352) A remote attacker that is able to trick a user into clicking a malicious link while logged into the router may be able to compromise the router.

Impact

A remote unauthenticated attacker that is able to trick a user into clicking a malicious link while they are logged into the router may be able to compromise the router.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Restrict Access

Verify the router's web interface is not Internet accessible. As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the router web interface using stolen credentials from a blocked network location.

Do Not Stay Logged Into the Router's Management Interface

Always log out of the router's management interface when done using it.

Vendor Information

Vendor: Verizon
Status: Affected
Date notified: 01 Feb 2013
Date updated: 18 Mar 2013

CVSS Metrics

Base score: 6.4 (vector AV:A/AC:M/Au:N/C:P/I:C/A:N)
Temporal score: 5.5 (vector E:H/RL:W/RC:UC)
Environmental score: 3.0 (vector CDP:L/TD:M/CR:L/IR:L/AR:L)

References

  • http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html
  • http://cwe.mitre.org/data/definitions/352.html

Credit

Thanks to Jacob Holcomb of Independent Security Evaluators for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-0126
  • Date Public: 18 Mar 2013
  • Date First Published: 18 Mar 2013
  • Date Last Updated: 18 Mar 2013
  • Document Revision: 17


Original Source

Url : http://www.kb.cert.org/vuls/id/278204

CWE : Common Weakness Enumeration

CWE-352 (100 %): Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Hardware: 1
Os: 1

ExploitDB Exploits

2013-03-19: Verizon Fios Router MI424WR-GEN3I - CSRF Vulnerability

Alert History

2013-03-22 21:19:37: Multiple updates
2013-03-22 13:19:53: Multiple updates
2013-03-19 00:17:28: First insertion