> [Suggested description]> IQrouter through 3.3.1, when unconfigured, has> m

1. > [Suggested description]
2. > IQrouter through 3.3.1, when unconfigured, has
3. > multiple remote code execution vulnerabilities in the
4. > web-panel because of Bash Shell Metacharacter Injection.
5. >
6. > ------------------------------------------
7. >
8. > [Additional Information]
9. > Evenroute didn't send a reply at my several emails to their support center.
10. >
11. > ------------------------------------------
12. >
13. > [VulnerabilityType Other]
14. > Shell Metacharacter Injection
15. >
16. > ------------------------------------------
17. >
18. > [Vendor of Product]
19. > Evenroute
20. >
21. > ------------------------------------------
22. >
23. > [Affected Product Code Base]
24. > IQrouter - up to 3.3.1
25. >
26. > ------------------------------------------
27. >
28. > [Affected Component]
29. > Luci web-server
30. >
31. > ------------------------------------------
32. >
33. > [Attack Type]
34. > Remote
35. >
36. > ------------------------------------------
37. >
38. > [Impact Code execution]
39. > true
40. >
41. > ------------------------------------------
42. >
43. > [Impact Denial of Service]
44. > true
45. >
46. > ------------------------------------------
47. >
48. > [Impact Escalation of Privileges]
49. > true
50. >
51. > ------------------------------------------
52. >
53. > [Impact Information Disclosure]
54. > true
55. >
56. > ------------------------------------------
57. >
58. > [Attack Vectors]
59. > Attacker can exploit multiple bash code execution vulnerabilities remotely and gain root privileges.
60. >
61. > ------------------------------------------
62. >
63. > [Reference]
64. > https://evenroute.com/
65. >
66. > ------------------------------------------
67. >
68. > [Discoverer]
69. > Ilya Shaposhnikov
70.  
71. Use CVE-2020-11963.
72.  
73.  
74. > [Suggested description]
75. > In IQrouter through 3.3.1,
76. > the Lua function diag_set_password in the web-panel
77. > allows remote attackers to change the root password arbitrarily.
78. >
79. > ------------------------------------------
80. >
81. > [Additional Information]
82. > Evenroute didn't send a reply at my several emails to their support center.
83. >
84. > ------------------------------------------
85. >
86. > [Vulnerability Type]
87. > Incorrect Access Control
88. >
89. > ------------------------------------------
90. >
91. > [Vendor of Product]
92. > Evenroute
93. >
94. > ------------------------------------------
95. >
96. > [Affected Product Code Base]
97. > IQrouter - up to 3.3.1
98. >
99. > ------------------------------------------
100. >
101. > [Affected Component]
102. > Luci web-server
103. >
104. > ------------------------------------------
105. >
106. > [Attack Type]
107. > Remote
108. >
109. > ------------------------------------------
110. >
111. > [Impact Escalation of Privileges]
112. > true
113. >
114. > ------------------------------------------
115. >
116. > [Attack Vectors]
117. > Attacker can exploit this vulnerability for changing root password to arbitrary and authorize to IQrouter using SSH protocol.
118. >
119. > ------------------------------------------
120. >
121. > [Reference]
122. > https://evenroute.com/
123. >
124. > ------------------------------------------
125. >
126. > [Discoverer]
127. > Ilya Shaposhnikov
128.  
129. Use CVE-2020-11964.
130.  
131.  
132. > [Suggested description]
133. > In IQrouter through 3.3.1, there is a
134. > root user without a
135. > password, which allows attackers to gain full remote access via SSH.
136. >
137. > ------------------------------------------
138. >
139. > [Additional Information]
140. > Evenroute didn't send a reply at my several emails to their support center.
141. >
142. > ------------------------------------------
143. >
144. > [VulnerabilityType Other]
145. > Embedded credentials
146. >
147. > ------------------------------------------
148. >
149. > [Vendor of Product]
150. > Evenroute
151. >
152. > ------------------------------------------
153. >
154. > [Affected Product Code Base]
155. > IQrouter - up to 3.3.1
156. >
157. > ------------------------------------------
158. >
159. > [Affected Component]
160. > Firmware of IQrouter
161. >
162. > ------------------------------------------
163. >
164. > [Attack Type]
165. > Remote
166. >
167. > ------------------------------------------
168. >
169. > [Impact Code execution]
170. > true
171. >
172. > ------------------------------------------
173. >
174. > [Impact Denial of Service]
175. > true
176. >
177. > ------------------------------------------
178. >
179. > [Impact Escalation of Privileges]
180. > true
181. >
182. > ------------------------------------------
183. >
184. > [Impact Information Disclosure]
185. > true
186. >
187. > ------------------------------------------
188. >
189. > [Attack Vectors]
190. > Attacker can gain full remote control of IQrouter using SSH protocol using root account with empty password.
191. >
192. > ------------------------------------------
193. >
194. > [Reference]
195. > https://evenroute.com/
196. >
197. > ------------------------------------------
198. >
199. > [Discoverer]
200. > Ilya Shaposhnikov
201.  
202. Use CVE-2020-11965.
203.  
204.  
205. > [Suggested description]
206. > In IQrouter through 3.3.1,
207. > the Lua function reset_password in the web-panel
208. > allows remote attackers to change the root password arbitrarily.
209. >
210. > ------------------------------------------
211. >
212. > [Additional Information]
213. > Evenroute didn't send a reply at my several emails to their support center.
214. >
215. > ------------------------------------------
216. >
217. > [Vulnerability Type]
218. > Incorrect Access Control
219. >
220. > ------------------------------------------
221. >
222. > [Vendor of Product]
223. > Evenroute
224. >
225. > ------------------------------------------
226. >
227. > [Affected Product Code Base]
228. > IQrouter - up to 3.3.1
229. >
230. > ------------------------------------------
231. >
232. > [Affected Component]
233. > Luci web-server
234. >
235. > ------------------------------------------
236. >
237. > [Attack Type]
238. > Remote
239. >
240. > ------------------------------------------
241. >
242. > [Impact Escalation of Privileges]
243. > true
244. >
245. > ------------------------------------------
246. >
247. > [Attack Vectors]
248. > Attacker can exploit this vulnerability for changing root password to arbitrary and authorize to IQrouter using SSH protocol.
249. >
250. > ------------------------------------------
251. >
252. > [Reference]
253. > https://evenroute.com/
254. >
255. > ------------------------------------------
256. >
257. > [Discoverer]
258. > Ilya Shaposhnikov
259.  
260. Use CVE-2020-11966.
261.  
262.  
263. > [Suggested description]
264. > In IQrouter through 3.3.1,
265. > remote attackers can
266. > control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control.
267. >
268. > ------------------------------------------
269. >
270. > [Additional Information]
271. > Evenroute didn't send a reply at my several emails to their support center.
272. >
273. > ------------------------------------------
274. >
275. > [Vulnerability Type]
276. > Incorrect Access Control
277. >
278. > ------------------------------------------
279. >
280. > [Vendor of Product]
281. > Evenroute
282. >
283. > ------------------------------------------
284. >
285. > [Affected Product Code Base]
286. > IQrouter - up to 3.3.1
287. >
288. > ------------------------------------------
289. >
290. > [Affected Component]
291. > Luci web-server
292. >
293. > ------------------------------------------
294. >
295. > [Attack Type]
296. > Remote
297. >
298. > ------------------------------------------
299. >
300. > [Impact Code execution]
301. > true
302. >
303. > ------------------------------------------
304. >
305. > [Impact Denial of Service]
306. > true
307. >
308. > ------------------------------------------
309. >
310. > [Impact Information Disclosure]
311. > true
312. >
313. > ------------------------------------------
314. >
315. > [Attack Vectors]
316. > Attacker can remotely control IQrouter (restart network, reboot, upgrade, reset) without authorization.
317. >
318. > ------------------------------------------
319. >
320. > [Reference]
321. > https://evenroute.com/
322. >
323. > ------------------------------------------
324. >
325. > [Discoverer]
326. > Ilya Shaposhnikov
327.  
328. Use CVE-2020-11967.
329.  
330.  
331. > [Suggested description]
332. > In the web-panel in IQrouter through 3.3.1,
333. > remote attackers can
334. > read system logs because of Incorrect Access Control.
335. >
336. > ------------------------------------------
337. >
338. > [Additional Information]
339. > https://evenroute.com/
340. >
341. > ------------------------------------------
342. >
343. > [Vulnerability Type]
344. > Incorrect Access Control
345. >
346. > ------------------------------------------
347. >
348. > [Vendor of Product]
349. > Evenroute
350. >
351. > ------------------------------------------
352. >
353. > [Affected Product Code Base]
354. > IQrouter - up to 3.3.1
355. >
356. > ------------------------------------------
357. >
358. > [Affected Component]
359. > Luci web-server
360. >
361. > ------------------------------------------
362. >
363. > [Attack Type]
364. > Remote
365. >
366. > ------------------------------------------
367. >
368. > [Impact Information Disclosure]
369. > true
370. >
371. > ------------------------------------------
372. >
373. > [Attack Vectors]
374. > Attacker can gain system logs with email of IQrouter owner without authorization.
375. >
376. > ------------------------------------------
377. >
378. > [Reference]
379. > https://evenroute.com/
380. >
381. > ------------------------------------------
382. >
383. > [Discoverer]
384. > Ilya Shaposhnikov
385.  
386. Use CVE-2020-11968.