CVE-2019-19823

Severity CVSS v4.0:

Pending analysis

Type:

CWE-522 Insufficiently Protected Credentials

Publication date:

27/01/2020

Last modified:

06/02/2020

Description

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

7.50

Severity 3.x

HIGH

Vector 2.0

AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS v2.0 Severity and Metrics:

Base Score: 5.00 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): None
Availability (A): None

Base Score 2.0

5.00

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:totolink:a3002ru_firmware::::::::		2.0.0 (including)
cpe:2.3:h:totolink:a3002ru:-:::::::*
cpe:2.3:o:totolink:a702r_firmware::::::::		2.1.3 (including)
cpe:2.3:h:totolink:a702r:-:::::::*
cpe:2.3:o:totolink:n302r_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n302r:-:::::::*
cpe:2.3:o:totolink:n300rt_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n300rt:-:::::::*
cpe:2.3:o:totolink:n200re_firmware::::::::		4.0.0 (including)
cpe:2.3:h:totolink:n200re:-:::::::*
cpe:2.3:o:totolink:n150rt_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n150rt:-:::::::*
cpe:2.3:o:totolink:n100re_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n100re:-:::::::*
cpe:2.3:o:realtek:rtk_11n_ap_firmware::::::::		2019-12-12 (including)

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:o:totolink:a3002ru_firmware::::::::		2.0.0 (including)
cpe:2.3:h:totolink:a3002ru:-:::::::*
cpe:2.3:o:totolink:a702r_firmware::::::::		2.1.3 (including)
cpe:2.3:h:totolink:a702r:-:::::::*
cpe:2.3:o:totolink:n302r_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n302r:-:::::::*
cpe:2.3:o:totolink:n300rt_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n300rt:-:::::::*
cpe:2.3:o:totolink:n200re_firmware::::::::		4.0.0 (including)
cpe:2.3:h:totolink:n200re:-:::::::*
cpe:2.3:o:totolink:n150rt_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n150rt:-:::::::*
cpe:2.3:o:totolink:n100re_firmware::::::::		3.4.0 (including)
cpe:2.3:h:totolink:n100re:-:::::::*
cpe:2.3:o:realtek:rtk_11n_ap_firmware::::::::		2019-12-12 (including)

CVE-2019-19823

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools