PT-2014-4403 · Allied Telesis · iMG624A (+3)
Author: Sebastian Muniz (+1)
Published: 2014-03-28
Updated: 2014-03-31
CVE: CVE-2014-1982
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Allied Telesis AT-RG634A ADSL Broadband router versions 3.3 and later
Allied Telesis iMG624A firmware version 3.5
Allied Telesis iMG616LH firmware version 2.4
Allied Telesis iMG646BD firmware version 3.5
Description
The administrative interface in the affected devices allows remote attackers to gain privileges and execute arbitrary commands via a direct request to "cli.html".
Recommendations
For Allied Telesis AT-RG634A ADSL Broadband router versions 3.3 and later, restrict access to the administrative interface until a fix is available.
For Allied Telesis iMG624A firmware version 3.5, avoid using the administrative interface until the issue is resolved.
For Allied Telesis iMG616LH firmware version 2.4, consider disabling remote access to the administrative interface as a temporary workaround.
For Allied Telesis iMG646BD firmware version 3.5, limit access to the "cli.html" endpoint to minimize the risk of exploitation.
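The advisory describes an authentication bypass through a direct request to "cli.html", and the recommendations above all amount to restricting who can reach that endpoint. A practical check while a fix is pending is to review the device's or the upstream proxy's HTTP access logs for requests to "cli.html" that did not originate from the management network. The following Python script is an added example and is not part of the original advisory or of any Allied Telesis tooling; the log format, the sample log lines and the 10.0.0.0/24 management network are constructed assumptions, and it generalizes slightly beyond the text by matching the path case-insensitively and ignoring query strings.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log lines in a combined-log-like format. They are not
# captured from a real device; the format, users and addresses are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - admin [28/Mar/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - admin [28/Mar/2014:10:01:20 +0000] "GET /cli.html HTTP/1.1" 200 2048
203.0.113.77 - - [28/Mar/2014:10:02:03 +0000] "GET /cli.html HTTP/1.1" 200 2048
203.0.113.77 - - [28/Mar/2014:10:02:09 +0000] "POST /cli.html HTTP/1.1" 200 128
198.51.100.9 - - [28/Mar/2014:10:03:00 +0000] "GET /CLI.HTML?x=1 HTTP/1.1" 200 2048
not a log line at all
"""

# Hypothetical management network; replace with the real admin subnet(s).
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cli_request(path: str) -> bool:
    """True if the request targets cli.html, ignoring query string and case."""
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return base.lower() == "cli.html"


def from_admin_net(ip_str: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the client address falls inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_unauthorized_cli_requests(
    lines: Iterable[str], admin_nets=ADMIN_NETS
) -> List[Tuple[str, str, str, str, str]]:
    """Return (ip, method, path, user, status) for cli.html requests from
    outside the management network. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cli_request(rec["path"]) and not from_admin_net(rec["ip"], admin_nets):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["user"], rec["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_cli_requests(SAMPLE_LOG.splitlines()):
        print("suspicious cli.html access:", hit)
```

A hit with an empty user field ("-") and a 200 status is the pattern this advisory describes: the endpoint answered a request that never authenticated. Requests from inside the management network are still listed in the log but are not reported, so the script only flags what the recommendations say should not be possible at all.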
Weakness Types
OS Command Injection
Improper Authentication
Affected Products
AT-RG634A
iMG616LH
iMG624A
iMG646BD