PT-2021-9676 · Mofi Network · Mofi4500-4Gxelte
Published 2021-02-01 · Updated 2021-07-21 · CVE-2020-13859
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mofi Network MOFI4500-4GXeLTE version 4.0.8-std
Description
An issue was discovered that allows the undocumented system account mofidev to log in to the "cgi-bin/luci/quick/wizard" management interface without a password. This is due to a format error in /etc/shadow and a logic bug in the LuCI - OpenWrt Configuration Interface framework, which can be exploited by abusing a forgotten-password feature.
Recommendations
For Mofi Network MOFI4500-4GXeLTE version 4.0.8-std, consider disabling access to the cgi-bin/luci/quick/wizard management interface until a patch is available to prevent exploitation of the logic bug in the LuCI framework. Additionally, restrict the use of the undocumented system account mofidev to minimize the risk of unauthorized access.
Fix
Improper Authentication
Improper Handling of Exceptional Conditions
Related Identifiers
Affected Products
Mofi4500-4Gxelte
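The description traces the bypass to a format error in /etc/shadow together with an undocumented account. As an added example (not from the advisory or the vendor), this POSIX shell function audits a shadow file for entries with the wrong field count, an empty password field, an unrecognized hash format, or an account outside an expected list. The sample entries, account names and allowlist are constructed, and the advisory does not state which format error the affected firmware contains.

```shell
#!/bin/sh
# Added example (not vendor code). Flags shadow(5) entries that deserve review.
# audit_shadow FILE "expected account names"; exit status 1 if anything is flagged.
audit_shadow() {
    awk -F: -v expected="$2" '
        BEGIN { n = split(expected, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*$/ { next }                       # skip blank lines
        {
            user = $1
            # shadow(5) defines exactly nine colon-separated fields per entry.
            if (NF != 9) { printf "MALFORMED %s: %d fields, expected 9\n", user, NF; bad++ }
            if (NF >= 2) {
                if ($2 == "") { printf "EMPTY_PASSWORD %s\n", user; bad++ }
                else if ($2 !~ /^[!*]/ && $2 !~ /^\$[0-9a-z]+\$/) {
                    # Neither locked (! or *) nor a $id$ style crypt hash.
                    printf "UNRECOGNIZED_HASH %s\n", user; bad++
                }
            }
            # Accounts missing from the allowlist may be undocumented.
            if (!(user in ok)) { printf "UNEXPECTED_ACCOUNT %s\n", user; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample entries; account names and hash strings are made up.
write_sample() {
    cat > "$1" <<'EOF'
root:$1$constructed$notARealHashValue0000:18000:0:99999:7:::
daemon:*:0:0:99999:7:::
vendoracct::18000:0:99999:7:::
backup:$1$constructed$notARealHashValue1111:18000:0:99999:7
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample "$tmp"
    status=0
    audit_shadow "$tmp" "root daemon backup" || status=$?
    rm -f "$tmp"
    echo "audit exit status: $status"
}
demo
```

On a device, run `audit_shadow /etc/shadow` with the list of accounts the firmware documentation names, and treat any output as a finding to investigate.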