Vulnerabilities > CVE-2019-13140 - Files or Directories Accessible to External Parties vulnerability in Intenogroup Eg200 Firmware Eg200Wu7P1Uadamo3.16.41902261650

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

intenogroup

CWE-552

exploit available

NVD

Published: 2019-09-16

Updated: 2022-03-31

Summary

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.

Vulnerable Configurations

Part	Description	Count
OS	Intenogroup Intenogroup Eg200 Firmware Eg200-Wu7P1U_Adamo3.16.4-190226_1650	1
Hardware	Intenogroup Intenogroup Eg200 -	1

Common Weakness Enumeration (CWE)

CWE-552 - Files or Directories Accessible to External Parties

Exploit-Db

id	EDB-ID:47390

Packetstorm

data source	https://packetstormsecurity.com/files/download/154494/intenoiopsysgw-improper.txt
id	PACKETSTORM:154494
last seen	2019-09-17
published	2019-09-16
reporter	Gerard Fuguet
source	https://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html
title	Inteno IOPSYS Gateway 3DES Key Extraction Improper Access

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References