PT-2019-13149 · Inteno · Inteno Eg200

Gerard Fuguet · Published 2019-09-16 · Updated 2022-03-31 · CVE-2019-13140

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Inteno EG200 EG200-WU7P1U ADAMO version 3.16.4-190226 1650

Description: The issue is related to a JUCI ACL misconfiguration. This misconfiguration allows the user account to extract the 3DES key via JSON commands to ubus. The 3DES key is used for decrypting the provisioning file, which is provided by Adamo Telecom on a public URL via cleartext HTTP.

Recommendations: For Inteno EG200 EG200-WU7P1U ADAMO version 3.16.4-190226 1650, as a temporary workaround, consider restricting access to the ubus JSON commands to prevent extraction of the 3DES key. Additionally, avoid using cleartext HTTP for provisioning files. At the moment, there is no information about a newer version that contains a fix for this issue.

Related Identifiers: CVE-2019-13140

Affected Products: Inteno Eg200