CVE-2019-9974 - Missing Authorization vulnerability in Dasannetworks H660Rm Firmware 1.030022

CVSS 9.1 - CRITICAL

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: HIGH
Tags: network, low complexity, dasannetworks, CWE-862, critical

Summary

diag_tool.cgi on DASAN H660RM GPON routers with firmware 1.03-0022 lacks any authorization check, which allows remote attackers to run a ping command via a GET request to enumerate LAN devices or crash the router with a DoS attack.

Vulnerable Configurations

Part      Description     Count
OS        Dasannetworks   1
Hardware  Dasannetworks   1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization
Packetstorm

data source: https://packetstormsecurity.com/files/download/152232/dasanh660rm-disclosebypass.txt
id: PACKETSTORM:152232
last seen: 2019-03-26
published: 2019-03-26
reporter: Krzysztof Burghardt
source: https://packetstormsecurity.com/files/152232/DASAN-H660RM-Information-Disclosure-Hardcoded-Key.html
title: DASAN H660RM Information Disclosure / Hardcoded Key