Monday, 3 July 2017
On 00:06 by admin in vulns No comments
A vulnerability classified as critical was found in TP-LINK NC250 up to 1.2.1 Build 170515. This vulnerability affects an unknown function of the component URL Handler. The manipulation with the input value
rtsp://admin@yourip:554/h264_hd.sdp
leads to a weak authentication vulnerability. The CWE definition for the vulnerability is CWE-287. As an impact it is known to affect confidentiality.
The weakness was presented 07/02/2017. This vulnerability was named CVE-2017-10796 since 07/02/2017. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 07/03/2017).
It is possible to mitigate the weakness by firewalling.
CVSSv3
VulDB Base Score: 5.3
VulDB Temp Score: 5.2
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:W/RC:X
VulDB Reliability: High
CVSSv2
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
Local | High | Multiple | None | None | None |
Adjacent | Medium | Single | Partial | Partial | Partial |
Network | Low | None | Complete | Complete | Complete |
VulDB Temp Score: 4.1 (CVSS2#E:ND/RL:W/RC:ND)
VulDB Reliability: High
CPE
- cpe:/a:tp-link:nc250:1.2.1_build_170515
Exploiting
Class: Weak authentication (CWE-287)
Local: No
Remote: Yes
Availability: No
Price Prediction: steady
Current Price Estimation:
0-Day | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
---|---|---|---|---|
Today | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
Countermeasures
Recommended: Firewall
Status: Workaround
0-Day Time: 0 days since found
Timeline
07/02/2017 Advisory disclosed
07/02/2017 +0 days CVE assigned
07/03/2017 +1 days VulDB entry created
07/03/2017 +0 days VulDB last update
Sources
CVE: CVE-2017-10796 (mitre.org) (nvd.nist.org) (cvedetails.com)