{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the \"NETGEAR Genie\" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-03T17:44:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}], "title": "Root Command Injection via MAC Address in SOAP\u00a0API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12511", "STATE": "PUBLIC", "TITLE": "Root Command Injection via MAC Address in SOAP\u00a0API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the \"NETGEAR Genie\" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/", "refsource": "MISC", "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:24:39.105Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12511", "datePublished": "2020-02-24T18:16:26", "dateReserved": "2019-06-01T00:00:00", "dateUpdated": "2024-08-04T23:24:39.105Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:nighthawk_x10-r9000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E309A90C-7B1D-4E76-B1C3-950516C69410", "versionEndExcluding": "1.0.4.26", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:nighthawk_x10-r9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8103325-69AE-47DE-9546-09068F4F79DB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the \"NETGEAR Genie\" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point."}, {"lang": "es", "value": "En NETGEAR Nighthawk X10-R9000 anterior a la versi\u00f3n 1.0.4.26, un atacante puede ejecutar comandos arbitrarios del sistema como root enviando una direcci\u00f3n MAC especialmente dise\u00f1ada al punto final SOAP \"NETGEAR Genie\" en AdvancedQoS: GetCurrentBandwidthByMAC. Aunque esto requiere QoS habilitado, QoS avanzado habilitado y un JWT de autenticaci\u00f3n v\u00e1lido, las vulnerabilidades adicionales (CVE-2019-12510) permiten que un atacante interact\u00fae con toda la API SOAP sin autenticaci\u00f3n. Adem\u00e1s, se pueden usar t\u00e9cnicas de reenlace de DNS para aprovechar esta vulnerabilidad de forma remota. Explotar esta vulnerabilidad est\u00e1 algo involucrado. Las siguientes limitaciones se aplican a la carga \u00fatil y deben superarse para una explotaci\u00f3n con \u00e9xito: - No se pueden usar m\u00e1s de 17 caracteres. - Se debe incluir al menos un colon para evitar la destrucci\u00f3n. - Se debe usar una comilla simple y un metacar\u00e1cter para romper el comando existente. - Los restos de la instrucci\u00f3n  principal despu\u00e9s del punto de inyecci\u00f3n deben ser tratados. - La carga \u00fatil debe estar en may\u00fasculas. A pesar de estas limitaciones, todav\u00eda es posible obtener acceso a un shell ra\u00edz interactivo a trav\u00e9s de esta vulnerabilidad. Dado que el servidor web asigna ciertos encabezados HTTP a variables de entorno con nombres en may\u00fasculas, es posible insertar una carga \u00fatil en uno de esos encabezados y hacer referencia a la variable de entorno posterior en el punto de inyecci\u00f3n."}], "id": "CVE-2019-12511", "lastModified": "2024-11-21T04:23:00.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-24T19:15:13.513", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}