CVE-2018-20392 in WebSTAR DPC2100

Summary

by MITRE

S-A WebSTAR DPC2100 v2.0.2r1256-060303 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.


Analysis

by VulDB Data Team • 04/23/2020

The Scientific-Atlanta (S-A) WebSTAR DPC2100 is a DOCSIS cable modem sold for residential and small-office broadband access. Like other DOCSIS devices it runs an SNMP agent that the cable operator uses for provisioning and monitoring, and that agent is where this vulnerability lives. The affected firmware is version 2.0.2r1256-060303, a legacy build for an older generation of equipment; this page lists no fixed version. The flaw is that the agent returns authentication credentials to anyone who can reach it over SNMP and present a valid read community string. SNMPv1 community strings travel in cleartext and are commonly left at vendor or operator defaults, so in practice the exposure is close to unauthenticated.

The technical flaw is in the device's SNMP agent. A GetRequest for either of two object identifiers, iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 (in plain numeric form 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0), returns credential material in the response. The 4491 arc is the CableLabs enterprise subtree, so these are cable-industry objects rather than standard MIB-II entries, and a scanner that only walks the system group will never touch them. The advisory does not say which credential each object holds or whether it is hashed, so both must be treated as plaintext secrets. Nothing in the agent restricts these objects to a privileged view; an ordinary read request is enough. That is an access-control failure in the agent (CWE-284) and a violation of least privilege, since credential storage should not be exported through a monitoring interface at all.

The operational impact is that anyone who can send SNMP to the modem obtains its management credentials, and with them access to the device's administrative interface: configuration changes, reading of subscriber and network details, and a foothold for attacks on the LAN behind it. This maps to ATT&CK T1078 (Valid Accounts), because the attacker then logs in with legitimate credentials instead of needing a second bug, and to CWE-284 (Improper Access Control). The risk is amplified by the residential settings in which these modems are deployed: there is usually no monitoring of UDP/161 and no asset inventory, so neither the probe nor the later login is likely to be noticed. The EPSS score of 0.00618 and the absence of a KEV entry on this page indicate little observed exploitation, but the issue is trivial to exploit with stock SNMP tools once the agent is reachable.

Mitigation is constrained by the platform: no fixed firmware is listed on this page, and on a DOCSIS modem the SNMP agent, its community strings and its access lists are normally provisioned by the cable operator through the DOCSIS configuration file rather than by the subscriber. Where the operator or the firmware allows it, restrict SNMP access to the operator's management addresses, change default community strings, and disable SNMPv1/v2c in favor of SNMPv3 with authentication and privacy. Where it does not, the practical controls sit outside the device: block UDP/161 to the modem at any boundary you control, keep the modem on its own segment so a compromised management login cannot reach other equipment, and alert on SNMP requests that name the two OIDs above. Inventory legacy modems so that they are actually known to whoever is responsible for them, and plan their replacement; the long-term fix is retirement, not configuration. The same audit usually turns up other end-of-life equipment with weakly protected management interfaces, which is the broader lesson of this entry.
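The request described in the analysis and the detection suggested in the mitigation, as one added example; this is not code from VulDB, MITRE or Scientific-Atlanta. It builds the SNMPv1 GetRequest for the two CVE OIDs byte by byte so you can see exactly what the probe looks like on the wire, then parses arbitrary SNMP payloads and flags any Get, GetNext or Response that names either object. The community string "public" and the benign sysDescr comparison packet are assumptions constructed here; the equivalent one-off check from a shell is Net-SNMP's snmpget with -v1 -c <community> against each OID, which is what an attacker would also use.

```python
# Wire-level view of the CVE-2018-20392 probe and a detector for it.
# Added example: pure-Python BER, no third-party packages, runs offline
# against packets it constructs itself (community string is assumed).

# The two objects named in the advisory, in dotted numeric form
# ("iso." is arc 1; 4491 is the CableLabs enterprise arc).
CREDENTIAL_OIDS = (
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
)

TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET, PDU_GETNEXT, PDU_RESPONSE = 0xA0, 0xA1, 0xA2


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(value):
    """Non-negative INTEGER with the sign bit kept clear (request-id, error fields)."""
    return tlv(TAG_INT, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(TAG_OID, bytes(out))


def build_get_request(community, oids, request_id=1):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, [0] { id, 0, 0, varbinds } }."""
    varbinds = b"".join(tlv(TAG_SEQ, encode_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(PDU_GET, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(TAG_SEQ, varbinds))
    return tlv(TAG_SEQ, encode_int(0) + tlv(TAG_OCTSTR, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos; raises IndexError if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(body):
    """Inverse of encode_oid for OIDs rooted at iso(1), which is all SNMP needs."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def collect_oids(buf, pos, end, oids):
    """Depth-first walk over constructed types, collecting every OID inside the PDU."""
    while pos < end:
        tag, start, nxt = read_tlv(buf, pos)
        if tag == TAG_OID:
            oids.append(decode_oid(buf[start:nxt]))
        elif tag & 0x20:  # constructed: SEQUENCE or a context-tagged PDU
            collect_oids(buf, start, nxt, oids)
        pos = nxt


def classify_snmp(packet):
    """Parse one SNMP UDP payload into version, community, PDU tag and the OIDs it names."""
    tag, start, _ = read_tlv(packet, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, vs, ve = read_tlv(packet, start)
    _, cs, ce = read_tlv(packet, ve)
    pdu_tag, ps, pe = read_tlv(packet, ce)
    oids = []
    collect_oids(packet, ps, pe, oids)
    return {"version": int.from_bytes(packet[vs:ve], "big", signed=True),
            "community": packet[cs:ce].decode("latin-1"), "pdu": pdu_tag, "oids": oids}


def is_credential_probe(packet):
    """True for a Get/GetNext naming either CVE OID, or a Response carrying them (leak succeeded)."""
    try:
        info = classify_snmp(packet)
    except (IndexError, ValueError):
        return False  # truncated or non-SNMP payload: not our signal
    return info["pdu"] in (PDU_GET, PDU_GETNEXT, PDU_RESPONSE) and any(o in CREDENTIAL_OIDS for o in info["oids"])


# Constructed sample traffic: the probe itself and a benign sysDescr poll.
PROBE = build_get_request("public", CREDENTIAL_OIDS)
BENIGN = build_get_request("public", ["1.3.6.1.2.1.1.1.0"])

if __name__ == "__main__":
    print("probe on the wire:", PROBE.hex())
    for name, pkt in (("probe", PROBE), ("benign", BENIGN)):
        print(name, classify_snmp(pkt), "-> FLAG" if is_credential_probe(pkt) else "-> ok")
```

To use the detector on real traffic, feed it the UDP payload of each port-161 datagram from a capture; it is deliberately tolerant of garbage, returning False rather than raising, so it can sit inline in a packet loop. The Response case is the stronger alert, because it means the agent actually answered with the credential objects.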

Reservation

12/23/2018

Disclosure

12/23/2018

Moderation

accepted

CPE

ready

EPSS

0.00618

KEV

no

Activities

very low

Sources
