CVE-2018-18375 in AirBox
Summary
by MITRE
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
Analysis
by VulDB Data Team • 04/02/2020
CVE-2018-18375 resides in the firmware of the Orange AirBox Y858_FL_01.16_04, specifically in the goform/getProfileList functionality. It is a critical information disclosure vulnerability: an unauthenticated attacker can extract sensitive mobile network credentials (APN names, phone numbers, usernames, and passwords) by manipulating the rand parameter. The affected device is a wireless router or modem that connects to mobile networks over cellular data, so exposure of these credentials is particularly dangerous for network security.
The flaw lies in improper handling of input parameters in the web interface of the Orange AirBox. When an attacker submits a crafted request to the goform/getProfileList endpoint with a manipulated rand parameter, the system fails to validate or sanitize the input, and the stored credentials are disclosed without authorization. The vulnerability is classified as CWE-200 (Information Exposure) and reflects poor input validation that lets attackers bypass authentication and read sensitive configuration data. The rand parameter acts as the trigger: the system returns the stored APN configuration details without performing proper authorization checks.
The operational impact goes beyond simple credential exposure, because the disclosed data gives attackers the full set of cellular connectivity parameters. With these credentials, attackers could establish unauthorized connections to cellular networks, potentially leading to data exfiltration, network infiltration, or financial losses through unauthorized data usage. Exposure of APN names and their associated credentials also enables man-in-the-middle scenarios in which attackers intercept and manipulate network traffic. The vulnerability is of particular concern for enterprise or residential deployments where the device provides cellular backup connectivity, and for organizations that rely on such connectivity.
Mitigation should prioritize immediate firmware updates from Orange or the device manufacturer to correct the input validation flaw. Network administrators should apply strict access controls so that the device is not reachable from untrusted networks, and should disable unnecessary web interfaces or services. The vulnerability aligns with ATT&CK technique T1071.004 (Application Layer Protocol: DNS), where attackers use exposed credentials to establish unauthorized network connections. Organizations should also monitor for unusual outbound cellular data usage patterns that may indicate credential compromise, and regular security assessments of network infrastructure should cover device firmware versions and configuration practices so that similar vulnerabilities do not persist in the network ecosystem.
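As an added illustration of the access-control and monitoring advice above (example code written for this page, not from VulDB, Orange, or the device firmware): a small Python script that scans access-log lines from a reverse proxy or gateway placed in front of the device and flags requests to the goform/getProfileList endpoint that originate outside a trusted management network. The Apache/nginx "combined" log format, the trusted CIDR, and the sample log lines are all assumptions constructed here; the AirBox's own logging format is not documented on the page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a reverse proxy or gateway in front of the AirBox writes
# Apache/nginx "combined" access-log lines. Fields we need: client IP,
# timestamp, method, request target (path + query) and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in CVE-2018-18375, lowercased for a case-insensitive match.
VULN_PATH = "/goform/getprofilelist"

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Mar/2020:14:02:11 +0000] "GET /goform/getProfileList?rand=0.123456 HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '192.168.1.10 - - [10/Mar/2020:14:03:00 +0000] "GET /goform/getProfileList?rand=0.987 HTTP/1.1" 200 512 "http://192.168.1.1/index.html" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2020:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.64.0"',
    '198.51.100.7 - - [10/Mar/2020:14:05:30 +0000] "GET /goform/getProfileList?rand=0.5 HTTP/1.1" 401 0 "-" "python-requests/2.22"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def detect(lines, trusted_nets):
    """Return findings for requests to the vulnerable endpoint from untrusted sources.

    trusted_nets: iterable of CIDR strings (e.g. the LAN/management subnet).
    A 200 response is classed as a likely disclosure; anything else as a probe.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != VULN_PATH:
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed source field; skip rather than crash
        if any(src in n for n in nets):
            continue  # request from the trusted management network
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "has_rand": "rand" in rec["query"],
            "severity": "likely-disclosure" if rec["status"] == 200 else "probe",
        })
    return findings


if __name__ == "__main__":
    # Assumed trusted network: the device's own LAN side.
    for f in detect(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"{f['severity']:17} {f['ip']:15} at {f['ts']} rand={f['has_rand']}")
```

Run against a real log, replace SAMPLE_LOG with the file's lines and the trusted CIDR with the subnet from which administration is expected; a "likely-disclosure" finding means the endpoint answered an outside request with 200 and the APN credentials should be treated as compromised and rotated after the firmware update.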