Vulnerability Description
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Intenogroup | Eg200 Firmware | eg200-wu7p1u_adamo3.16.4-190226_1650 |
| Intenogroup | Eg200 | - |
References
- http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extra (Exploit, Third Party Advisory, VDB Entry)
- https://twitter.com/GerardFuguet/status/1169298861782896642 (Third Party Advisory)
- https://www.exploit-db.com/docs/47397 (Exploit, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/47390 (Exploit, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2019-13140?
CVE-2019-13140 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to dec...
How severe is CVE-2019-13140?
CVE-2019-13140 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-13140?
Check the references section above for vendor advisories and patch information. Affected products include: Intenogroup Eg200 Firmware, Intenogroup Eg200.