PT-2019-8307 · Billion · Billion 5200W-T

Pedro Ribeiro · Published 2019-05-02 · Updated 2019-10-03 · CVE-2017-18372

CVSS v2.0

9.0 High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Billion 5200W-T TCLinux Fw version 7.3.8.0 v008 130603

Description

A command injection vulnerability exists in the Time Setting function of the Billion 5200W-T TCLinux Fw router. The vulnerability is located in the tools time.asp page and can be exploited through the uiViewSNTPServer parameter. Access to this function requires authentication.

Recommendations

For Billion 5200W-T TCLinux Fw version 7.3.8.0 v008 130603, as a temporary workaround, consider restricting access to the tools time.asp page and avoid using the uiViewSNTPServer parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2017-18372

Affected Products

Billion 5200W-T