CVE-2018-0666 in RT57i

Summary

by MITRE

Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser. This is a different vulnerability from CVE-2018-0665.

For the best quality of vulnerability data, visit VulDB.

Analysis

by VulDB Data Team • 04/27/2020

This vulnerability is a critical stored cross-site scripting flaw in the web-based configuration interface of Yamaha network infrastructure devices, including the RT57i, RT58i, NVR500 and RTX810 routers. The interface does not sufficiently validate its input: an administrative user can enter script content into a form field whose value is then written into the device configuration data. When another administrative user opens the configuration page, the stored script is rendered back into the page and executes in that user's browser, creating a persistent cross-site scripting attack vector.

The affected versions are 8.00.95 and earlier for the RT57i, 9.01.51 and earlier for the RT58i, 11.00.36 and earlier for the NVR500, and 11.01.31 and earlier for the RTX810, so the issue spans several device families. It is classified under CWE-79, the weakness category for cross-site scripting.

The attack scenario requires an attacker who already holds administrative access to the configuration interface. That attacker embeds script in the configuration data, and it persistently executes against every other administrator who views the configuration page. The operational impact is severe: the injected script can escalate privileges, steal session cookies, perform unauthorized configuration changes, and potentially obtain full administrative control over the affected devices. The root cause is the classic persistent XSS pattern, in which user input is not sanitized before it is stored and is later rendered back to users without adequate output encoding or escaping. Because the payload lives in the configuration data, it can compromise multiple administrators over time and provide long-term unauthorized access to network infrastructure.

The attack follows the typical ATT&CK framework pattern for credential access through web application attacks, where the initial compromise occurs through manipulation of web interface elements rather than direct network exploitation. Organizations should update affected devices to patched versions without delay, implement network segmentation to limit administrative access, and conduct thorough security reviews of all web-based management interfaces. Administrative users should also be trained to recognize suspicious configuration changes, and multi-factor authentication should be required for administrative access to reduce the impact of such vulnerabilities. The vulnerability underlines the importance of input validation and output encoding in web applications, particularly those handling administrative configuration data, where the consequences of an XSS attack can be catastrophic for network security.
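The following is an added illustration of the flaw class described above, not code from Yamaha's firmware or from VulDB: a minimal configuration-page renderer in its unsafe form (stored text interpolated straight into HTML) next to its hardened form (HTML-entity encoding at output time), plus an audit helper a defender could run over an exported configuration to find stored values that contain markup. The field names, the stored values and the marker string are constructed for the example.

```python
import html
import re

# Constructed sample: a stored configuration value for a hypothetical
# free-text field (e.g. an interface description) as an administrator
# might have saved it. The marker string is inert placeholder text.
STORED_CONFIG = {
    "description": 'WAN uplink <script>alert("stored-xss")</script>',
    "hostname": "rt-branch-01",
}

def render_unsafe(config):
    """Mirror the flawed pattern: stored text is interpolated into HTML as-is,
    so markup saved by one admin is parsed and executed in the next admin's
    browser when the configuration page is viewed."""
    return "".join(
        f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in config.items()
    )

def render_safe(config):
    """Hardened form: every stored value is HTML-entity-encoded at output
    time, so the browser displays the text and never parses it as markup."""
    return "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in config.items()
    )

# Input-side check a config save handler could apply to free-text fields:
# flag values containing an HTML tag opener or an on*= event-handler attribute.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)

def is_suspicious(value):
    """True when the value contains markup that would execute if rendered
    without escaping; a bare '<' in plain text (e.g. '3 < 4') is not flagged."""
    return bool(_MARKUP.search(value))

def audit_config(config):
    """Defender check over an exported configuration: return the names of the
    fields whose stored value contains script-capable markup."""
    return sorted(k for k, v in config.items() if is_suspicious(v))

if __name__ == "__main__":
    print(render_unsafe(STORED_CONFIG))
    print(render_safe(STORED_CONFIG))
    print("suspicious fields:", audit_config(STORED_CONFIG))
```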

Reservation

11/27/2017

Disclosure

01/09/2019

Moderation

accepted

CPE

ready

EPSS

0.00176

KEV

no

Activities

very low
