CVE-2020-16134
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/08/2020
Last modified: 21/07/2021
Description
An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or reset button, an attacker can create a user with elevated privileges on the Sysbus-API. This can then be used to modify local or remote SSH access, thus allowing a login session as the superuser.
Impact
Base Score 3.x: 8.00
Severity 3.x: HIGH
Base Score 2.0: 7.70
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:swisscom:internet-box_2_firmware:*:*:*:*:*:*:*:* | | 10.04.38 (excluding) |
| cpe:2.3:h:swisscom:internet-box_2:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:swisscom:internet-box_standard_firmware:*:*:*:*:*:*:*:* | | 10.04.38 (excluding) |
| cpe:2.3:h:swisscom:internet-box_standard:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:swisscom:internet-box_plus_firmware:*:*:*:*:*:*:*:* | | 10.04.38 (excluding) |
| cpe:2.3:h:swisscom:internet-box_plus:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:swisscom:internet-box_3_firmware:*:*:*:*:*:*:*:* | | 11.01.20 (excluding) |
| cpe:2.3:h:swisscom:internet-box_3:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:swisscom:internet-box_light_firmware:*:*:*:*:*:*:*:* | | 08.06.06 (excluding) |
| cpe:2.3:h:swisscom:internet-box_light:-:*:*:*:*:*:*:* | | |



