CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.3 | $0-$5k | 0.00 |
A vulnerability was found in Genexis GAPS up to 7.2. It has been classified as critical. This affects some unknown processing of the component CPE Command Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality, and integrity. The summary by CVE is:
CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain "chk" value (48bit) derived from the MAC. The algorithm used to compute the "chk" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid "chk" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2.
The bug was discovered 01/13/2017. The weakness was shared 12/18/2017 by Antoine Neuenschwander (ant0inet) with CSNC as Genexis GAPS Access Control Vulnerability as confirmed mailinglist post (Full-Disclosure). The advisory is shared at seclists.org. The vendor cooperated in the coordination of the public release. This vulnerability is uniquely identified as CVE-2017-6094 since 02/18/2017. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are unknown but a public exploit is available. MITRE ATT&CK project uses the attack technique T1592 for this issue.
A public exploit has been developed by Antoine Neuenschwander (ant0inet) and been published 2 days after the advisory. The exploit is shared for download at seclists.org. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 339 days. During that time the estimated underground price was around $0-$5k. The code used by the exploit is:
def chk(mac): a = [int(x, 16) for x in mac.split(':', 6)] chk = [0] * 6 chk[5] = 1*a[0] + 3*a[1] + 7*a[2] + 115 & 0xff chk[3] = 7*a[1] + 1*a[2] + 3*a[3] + 101 & 0xff chk[0] = 3*a[2] + 7*a[3] + 1*a[4] + 99 & 0xff chk[4] = 1*a[3] + 3*a[4] + 7*a[5] + 114 & 0xff chk[1] = 3*a[0] + 7*a[4] + 1*a[5] + 101 & 0xff chk[2] = 7*a[0] + 1*a[1] + 3*a[5] + 116 & 0xff return ':'.join(['{:02x}'.format(x) for x in chk])
Upgrading to version 6.2 or 7.3 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
Further details are available at twitter.com.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.1VulDB Meta Temp Score: 7.8
VulDB Base Score: 6.5
VulDB Temp Score: 5.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Antoine Neuenschwander (ant0inet)
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: GAPS 6.2/7.3
Timeline
01/13/2017 🔍01/16/2017 🔍
01/17/2017 🔍
02/18/2017 🔍
12/18/2017 🔍
12/18/2017 🔍
12/18/2017 🔍
12/20/2017 🔍
12/20/2017 🔍
12/21/2017 🔍
12/21/2017 🔍
Sources
Advisory: Genexis GAPS Access Control VulnerabilityResearcher: Antoine Neuenschwander (ant0inet)
Organization: CSNC
Status: Confirmed
Coordinated: 🔍
CVE: CVE-2017-6094 (🔍)
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 12/21/2017 08:49Changes: 12/21/2017 08:49 (80)
Complete: 🔍
Cache ID: 3:A3D:103
No comments yet. Languages: en.
Please log in to comment.