CVE-2018-0665 in RT57i

Summary

by MITRE

Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser. This is a different vulnerability from CVE-2018-0666.


Analysis

by VulDB Data Team • 04/27/2020

This vulnerability represents a critical cross-site scripting flaw in Yamaha network infrastructure devices including routers and network video recorders. The issue affects multiple product lines including RT57i, RT58i, NVR500, and RTX810 models with specific firmware versions. The vulnerability stems from insufficient input validation within the web-based configuration interface where administrative users can inject malicious scripts into form fields that are subsequently stored in the device configuration data. When another administrative user accesses the configuration page, these stored scripts execute within their browser context, creating a persistent cross-site scripting attack vector.

The vulnerability is classified as CWE-79, which covers cross-site scripting flaws in web applications. The flaw occurs because the device configuration interface fails to properly sanitize or escape user-supplied input before storing it in the configuration database. This allows an attacker with administrative access to craft payloads that execute in the browser of other administrators who view the affected configuration pages. The vulnerability is particularly concerning because it uses legitimate administrative privileges to create a persistent threat that can compromise the integrity of the web interface and potentially escalate to full system compromise.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to steal administrative sessions, modify configuration data, or redirect users to malicious sites. The attack requires an administrative user to be logged into the device and view the compromised configuration page, but this access can be achieved through various means including credential theft, session hijacking, or social engineering attacks that trick administrators into visiting compromised pages. This vulnerability can be exploited in conjunction with other attack vectors to create a complete compromise of the network infrastructure, making it particularly dangerous for enterprise environments where these devices are commonly deployed.

Mitigation strategies should focus on immediate firmware updates from Yamaha to address the specific XSS vulnerability, along with implementing network segmentation to limit access to administrative interfaces. Organizations should also consider implementing web application firewalls to detect and block malicious script injection attempts, while establishing strict access controls and monitoring for unusual administrative activities. Regular security assessments of network infrastructure devices should be conducted to identify similar vulnerabilities, and administrative users should be trained to recognize potential social engineering attempts that could lead to exploitation of such flaws. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, particularly in administrative interfaces where privileged access is involved, and aligns with ATT&CK technique T1059.005 for command and script injection in web applications.
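To support the firmware-update step, the following added example (not part of the original entry and not Yamaha or VulDB tooling) checks an inventory of firmware banners against the affected revisions listed in the summary. It assumes each banner contains the model and revision in the same "Model Rev.x.yy.zz" form the summary uses; the host names and banner lines are constructed.

```python
import re

# Last affected revision per model, from the CVE summary on this page
# ("Rev.X and earlier" means every revision up to and including X).
LAST_AFFECTED = {
    "RT57i": (8, 0, 95),
    "RT58i": (9, 1, 51),
    "NVR500": (11, 0, 36),
    "RTX810": (11, 1, 31),
}

# Assumed banner form: "<model> Rev.<major>.<minor>.<patch>" somewhere in the line.
BANNER_RE = re.compile(r"\b([A-Za-z]+\d+[A-Za-z]?)\s+Rev\.(\d+)\.(\d+)\.(\d+)\b")


def classify(banner):
    """Return (model, revision, status) for one banner line.

    status is 'affected' (at or below the last listed affected revision),
    'newer' (above it), 'not-listed' (model not in this CVE) or 'unparsed'.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return (None, None, "unparsed")
    model = m.group(1)
    rev = tuple(int(part) for part in m.groups()[1:])
    # Match model names case-insensitively, report the canonical spelling.
    key = next((k for k in LAST_AFFECTED if k.lower() == model.lower()), None)
    if key is None:
        return (model, rev, "not-listed")
    return (key, rev, "affected" if rev <= LAST_AFFECTED[key] else "newer")


def audit(inventory):
    """Classify every {host: banner} entry and return {host: result}."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory for illustration only.
SAMPLE = {
    "rtr-branch-01": "RTX810 Rev.11.01.31 (constructed banner)",
    "rtr-branch-02": "RTX810 Rev.11.01.33 (constructed banner)",
    "rtr-branch-03": "rt57i Rev.8.00.87 (constructed banner)",
    "rtr-hq-01": "RTX1200 Rev.10.01.76 (constructed banner)",
    "rtr-lab-01": "login banner without revision",
}

if __name__ == "__main__":
    for host, (model, rev, status) in sorted(audit(SAMPLE).items()):
        print(f"{host}: model={model} rev={rev} status={status}")
```

A "newer" result only means the revision is above the last one this entry lists as affected; "unparsed" and "not-listed" hosts need a manual check.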

Reservation: 11/27/2017

Disclosure: 01/09/2019

Moderation: accepted

CPE: ready

EPSS: 0.00176

KEV: no

Activities: very low
