18.06.4

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

openwrt

NVD

Published: 2019-11-18

Updated: 2024-11-21

Summary

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.

Vulnerable Configurations

Part	Description	Count
OS	Openwrt Openwrt Openwrt 15.05.1 Openwrt Openwrt 18.06.4	2

Talos

id	TALOS-2019-0893
last seen	2019-11-21
published	2019-11-15
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0893
title	OpenWrt ustream-ssl certificate verification information leak vulnerability

Summary

Vulnerable Configurations

Talos

References