PT-2016-3221 · Netcomm Wireless · Netcommwireless Hspa 3G10Wve
Bhadresh Patel · Published 2016-05-03 · Updated 2018-10-09 · CVE-2015-6024
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
NetCommWireless HSPA 3G10WVE wireless routers versions prior to firmware 3G10WVE-L101-S306ETS-C01 R05
Description
The issue is related to the ping.cgi script in the router's firmware, which lacks proper input sanitization. This allows a remote authenticated user to execute arbitrary commands by injecting shell metacharacters into the DIA IPADDRESS parameter.
Recommendations
For versions prior to firmware 3G10WVE-L101-S306ETS-C01 R05, update the firmware to version 3G10WVE-L101-S306ETS-C01 R05 or later to resolve the issue.
As a temporary workaround, consider restricting access to the ping.cgi script until the firmware can be updated.
Avoid using the DIA IPADDRESS parameter in the ping.cgi script with untrusted input until the issue is resolved.
Exploit
Fix
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Netcommwireless Hspa 3G10Wve