CVE-2018-17208 - Command Injection vulnerability in Linksys Velop Firmware 1.1.2.187020

Publication

2018-09-19

Last modification

2018-12-17

Summary

Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.

Classification

CWE-77 - Command Injection

Risk level (CVSS AV:N/AC:M/Au:N/C:C/I:C/A:C)

High

9.3

Access Vector

  • Network

Access Complexity

  • Medium

Authentication

  • None

Confidentiality Impact

  • Complete

Integrity Impact

  • Complete

Affected Products

Vendor   Product         Versions
Linksys  Velop Firmware  1.1.2.187020
