CVE-2018-10080 in RiS-11

Summary

by MITRE

Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie.


Analysis

by VulDB Data Team • 01/24/2020

The vulnerability CVE-2018-10080 affects Secutech RiS-11, RiS-22, and RiS-33 network security devices running firmware version V5.07.52_es_FRI01. These devices are designed for enterprise network protection and security monitoring, making them critical components in corporate and institutional network infrastructures. The vulnerability stems from improper authentication and authorization mechanisms within the web-based management interface of these devices, creating a significant security risk that could allow unauthorized modification of critical network parameters.

The technical flaw manifests through a specific HTTP request handler that processes DNS configuration changes without adequate validation of administrative privileges. When an attacker crafts a request to the goform/AdvSetDns?GO=wan_dns.asp endpoint and includes a manipulated admin cookie, the device accepts the DNS modification request without proper authentication checks. This represents a classic authorization bypass vulnerability where the system fails to verify that the requesting user possesses the necessary administrative permissions to modify network settings. The vulnerability is categorized under CWE-287, which addresses improper authentication issues, and specifically aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing attachments, as the attack vector likely involves social engineering to obtain valid administrative credentials or session cookies.

The operational impact of this vulnerability is substantial as it allows attackers to modify DNS settings on critical network infrastructure devices. An attacker could redirect network traffic through malicious DNS servers, potentially enabling man-in-the-middle attacks, data exfiltration, or network disruption. The ability to change DNS configurations could also facilitate further attacks by redirecting internal network traffic to attacker-controlled systems, creating a foothold for lateral movement within the network. This vulnerability particularly affects organizations that rely on these devices for network security, as it could compromise the integrity of their network communications and potentially lead to complete network infiltration.

Mitigation strategies should focus on immediate firmware updates from Secutech to address the authentication bypass flaw, along with network segmentation to limit access to administrative interfaces. Organizations should implement strict access controls for administrative accounts, including multi-factor authentication and regular credential rotation. Network monitoring should be enhanced to detect unusual DNS configuration changes, and security teams should conduct regular vulnerability assessments targeting network security appliances. The ATT&CK framework suggests implementing defensive measures such as network traffic analysis and endpoint detection to identify suspicious administrative activities. Additionally, organizations should review their incident response procedures to ensure rapid detection and remediation of similar authentication bypass vulnerabilities in their network infrastructure components.
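The monitoring recommended above can be applied directly to the request handler named in the summary. The following is an added example, not code from VulDB or Secutech: it scans web-interface access logs for accepted requests to goform/AdvSetDns?GO=wan_dns.asp that originate outside a management subnet. The Combined Log Format, the management subnet 10.0.100.0/24 and the log lines themselves are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format is assumed: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

DNS_HANDLER = "/goform/AdvSetDns"  # handler cited in the advisory
DNS_PAGE = "wan_dns.asp"           # GO= value cited in the advisory


def is_dns_change(path):
    """True if the request path targets the WAN DNS change handler."""
    parts = urlsplit(path)
    if parts.path != DNS_HANDLER:
        return False
    return DNS_PAGE in parse_qs(parts.query).get("GO", [])


def find_suspicious_dns_changes(log_lines, mgmt_net="10.0.100.0/24"):
    """Return (ip, time, status) for accepted (2xx/3xx) DNS-change requests
    from outside mgmt_net. Lines that do not parse are skipped."""
    mgmt = ipaddress.ip_network(mgmt_net)  # assumed management subnet
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_dns_change(m["path"]):
            continue
        if m["status"][0] not in "23":
            continue  # device rejected the request; no change was made
        if ipaddress.ip_address(m["ip"]) in mgmt:
            continue  # expected administrative source
        findings.append((m["ip"], m["time"], int(m["status"])))
    return findings


SAMPLE_LOG = [  # constructed lines, not real device output
    '10.0.100.5 - - [24/Jan/2020:10:01:00 +0000] "GET /index.asp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.100.5 - - [24/Jan/2020:10:02:10 +0000] "POST /goform/AdvSetDns?GO=wan_dns.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2020:10:05:42 +0000] "POST /goform/AdvSetDns?GO=wan_dns.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2020:10:05:50 +0000] "POST /goform/AdvSetDns?GO=wan_dns.asp HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jan/2020:10:06:00 +0000] "GET /goform/AdvSetDns?GO=lan_dns.asp HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status in find_suspicious_dns_changes(SAMPLE_LOG):
        print(f"ALERT: WAN DNS change accepted from {ip} at {when} (HTTP {status})")
```

Only the third sample line is reported: it hits the handler, is accepted, and comes from outside the management subnet; the 403 retry and the lan_dns.asp request are ignored.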

Reservation: 04/12/2018

Disclosure: 04/13/2018

Moderation: accepted

CPE: ready

EPSS: 0.00571

KEV: no

Activities: very low
