Alcatel-Lucent I-240W-Q GPON ONT 3FE54567BOZJ19 /GponForm/fsetup_Form HTTP POST Request memory corruption
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
8.4 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Alcatel-Lucent I-240W-Q GPON ONT 3FE54567BOZJ19. Affected is some unknown processing of the file /GponForm/fsetup_Form. The manipulation as part of a HTTP POST Request leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, unauthenticated attacker to /GponForm/fsetup_Form. An attacker can leverage this vulnerability to potentially execute arbitrary code.
The bug was discovered 02/27/2019. The weakness was published 03/05/2019. This vulnerability is traded as CVE-2019-3922 since 01/03/2019. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available.
The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $0-$5k.
It is possible to mitigate the weakness by firewalling .
Similar entries are available at 131339, 131338, 131337 and 131336.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: FirewallStatus: 🔍
0-Day Time: 🔍
Timeline
01/03/2019 🔍02/27/2019 🔍
03/05/2019 🔍
03/06/2019 🔍
07/26/2023 🔍
Sources
Advisory: tenable.comStatus: Not defined
CVE: CVE-2019-3922 (🔍)
See also: 🔍
Entry
Created: 03/06/2019 08:20Updated: 07/26/2023 14:25
Changes: 03/06/2019 08:20 (56), 05/13/2020 18:39 (1), 07/26/2023 14:25 (4)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.