CVE-2017-6094 - OpenCVE

CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain "chk" value (48bit) derived from the MAC. The algorithm used to compute the "chk" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid "chk" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Genexis	Gaps

Configuration 1 [-]

cpe:2.3:a:genexis:gaps:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2017/Dec/62

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-12-20T20:00:00

Updated: 2024-08-05T15:18:49.781Z

Reserved: 2017-02-18T00:00:00

Link: CVE-2017-6094

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-12-20T20:29:00.573

Modified: 2018-01-11T15:10:05.010

Link: CVE-2017-6094

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-12-18T00:00:00", "descriptions": [{"lang": "en", "value": "CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \"chk\" value (48bit) derived from the MAC. The algorithm used to compute the \"chk\" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid \"chk\" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-20T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2017/Dec/62"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-6094", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \"chk\" value (48bit) derived from the MAC. The algorithm used to compute the \"chk\" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid \"chk\" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Dec/62"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:18:49.781Z"}, "title": "CVE Program Container", "references": [{"name": "20171219 CVE-2017-6094 - Genexis GAPS Access Control Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2017/Dec/62"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-6094", "datePublished": "2017-12-20T20:00:00", "dateReserved": "2017-02-18T00:00:00", "dateUpdated": "2024-08-05T15:18:49.781Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:genexis:gaps:*:*:*:*:*:*:*:*", "matchCriteriaId": "B390447F-1540-4A24-AD01-57E95DF00953", "versionEndExcluding": "7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain \"chk\" value (48bit) derived from the MAC. The algorithm used to compute the \"chk\" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid \"chk\" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2."}, {"lang": "es", "value": "Los CPE utilizados por los suscriptores en la red de acceso reciben su configuraci\u00f3n individual desde una instancia GAPS central. Un CPE se identifica por la direcci\u00f3n MAC de su interfaz WAN y un valor determinado \"chk\" (48bit) derivado del MAC. El algoritmo utilizado para calcular el \"chk\" fue revelado mediante ingenier\u00eda inversa en el firmware del CPE. Como resultado, es posible forjar valores \"chk\" v\u00e1lidos para cualquier direcci\u00f3n MAC dada y por lo tanto recibir los ajustes de configuraci\u00f3n de CPE de otros suscriptores. Los ajustes de configuraci\u00f3n suelen contener valores sensibles, por ejemplo, credenciales (nombre de usuario/contrase\u00f1a) para servicios VoIP. Esta situaci\u00f3n afecta a Genexis B. V. GAPS hasta la versi\u00f3n 7.2."}], "id": "CVE-2017-6094", "lastModified": "2018-01-11T15:10:05.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-20T20:29:00.573", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2017/Dec/62"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}