CVE-2019-9161 - OpenCVE

WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.)

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xinruidz	Sundray Wan Controller Sundray Wan Controller Firmware

Configuration 1 [-]

AND

cpe:2.3:o:xinruidz:sundray_wan_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:xinruidz:sundray_wan_controller:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-18T22:01:22

Updated: 2024-08-04T21:38:46.622Z

Reserved: 2019-02-25T00:00:00

Link: CVE-2019-9161

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-18T23:29:00.517

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-9161

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-04-12T00:00:00", "descriptions": [{"lang": "en", "value": "WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-18T22:01:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9161", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679", "refsource": "MISC", "url": "http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:38:46.622Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9161", "datePublished": "2019-04-18T22:01:22", "dateReserved": "2019-02-25T00:00:00", "dateUpdated": "2024-08-04T21:38:46.622Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xinruidz:sundray_wan_controller_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD50CB36-35ED-4711-B60B-45AD55ABA1DA", "versionEndIncluding": "3.7.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:xinruidz:sundray_wan_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "1886D972-4F79-4692-9F80-58FD959438C7", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.)"}, {"lang": "es", "value": "WAC en el controlador Sangfor Sundray WLAN versi\u00f3n 3.7.4.2 y anteriores, presenta un problema de ejecuci\u00f3n de c\u00f3digo remota que permite a atacantes remotos lograr acceso completo al sistema, porque los metacaracteres Shell en el archivo nginx_webconsole.php en el encabezado Cookie puede ser usado para leer un archivo etc/config/wac/wns_cfg_admin_detail.xml que contiene la contrase\u00f1a de administrador. (La contrase\u00f1a para root es la contrase\u00f1a de administrador de WebUI concatenada con una cadena est\u00e1tica.)"}], "id": "CVE-2019-9161", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-18T23:29:00.517", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}