PT-2019-9997 · Fastweb · Fastgate

Published: 2019-02-21 · Updated: 2020-08-24 · CVE-2018-20122

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FASTGate Fastweb devices with firmware through 0.00.47 FW 200 Askey 2017-05-17

FASTGate Fastweb devices with software through 1.0.1b

Description

The web interface on FASTGate Fastweb devices exposes a CGI binary that is vulnerable to command injection, allowing remote code execution with root privileges without authentication.

Recommendations

For firmware through 0.00.47 FW 200 Askey 2017-05-17, update the firmware to a version later than 0.00.47 FW 200 Askey 2017-05-17. For software through 1.0.1b, update the software to a version later than 1.0.1b. As a temporary workaround, consider restricting access to the CGI binary to minimize the risk of exploitation.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2018-20122

Affected Products

Fastgate