CVE-2018-20394 in DWG849info

Summary

by MITRE

Thomson DWG849 STC0.01.16, DWG850-4 ST9C.05.25, DWG855 ST80.20.26, and TWG870 STB2.01.36 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.


Analysis

by VulDB Data Team • 04/23/2020

This vulnerability affects Thomson DWG849, DWG850-4, DWG855, and TWG870 network devices running specific firmware versions, whose Simple Network Management Protocol implementation contains a critical flaw that exposes sensitive authentication credentials. The flaw stems from improper handling of SNMP GET requests for two Object Identifiers in the device management interface, iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0, which correspond to credential storage locations in the device's MIB. The issue is classified under CWE-200, which covers information exposure resulting from inadequate access control.

Exploitation occurs when remote attackers send crafted SNMP GET requests to an affected device, using those OID paths to retrieve stored credentials without authenticating. The exposed credentials typically include administrative passwords and other sensitive authentication data that could be used to gain full control of the device. The issue maps to ATT&CK technique T1078 (Valid Accounts), which covers access and privilege escalation through legitimate credentials, since the exposed administrative credentials let an attacker bypass normal authentication mechanisms. The flaw reflects poor input validation and insufficient access control in the SNMP implementation, allowing unauthorized information disclosure over a standard network management protocol.

The operational impact is severe: the vulnerability gives attackers immediate access to administrative credentials for network infrastructure devices, potentially enabling full device compromise and subsequent network infiltration. Once credentials are obtained, attackers can modify device configurations, redirect traffic, or establish persistent access points within the network. Because multiple device models from the same manufacturer are affected, the flaw is systemic to the firmware implementation rather than an isolated incident. Credential exposure through SNMP queries is a significant risk because SNMP is commonly enabled in enterprise environments and often lacks proper security configuration. Organizations may face unauthorized access to critical network infrastructure, potential data breaches, and complete loss of device control, as highlighted by the NIST vulnerability database classifications for such information disclosure flaws.

Organizations should immediately implement network segmentation to isolate affected devices from critical network segments, disable SNMP where it is not required for management, and enforce strong access controls on SNMP communication. Device firmware should be updated to versions that address the credential exposure, with patches specifically designed to prevent unauthorized SNMP GET requests from reaching sensitive MIB data. Network monitoring should be enhanced to detect suspicious SNMP traffic patterns, particularly GET requests targeting the vulnerable OIDs, and regular security audits should verify that SNMP configurations do not expose sensitive information. Additionally, deploying SNMPv3 with strong authentication and encryption, rather than SNMPv1 or v2c, provides better protection against such attacks, as defined in the IETF RFC standards for secure network management.
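As an added example, not part of the VulDB record, the following Python script shows the kind of monitoring rule the previous paragraph recommends: it scans decoded SNMP request records for GET requests naming the two OIDs in the advisory, and for GETNEXT/GETBULK walks that would traverse their parent subtree, and marks requests carried over community-based SNMPv1/v2c. The log format is a constructed, simplified one (timestamp, src, dst, version, PDU type, OID list), not the schema of any real sensor, and the sample lines are constructed for the demonstration; the subtree prefix is derived from the two advisory OIDs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two OIDs named in the advisory, normalised to dotted-numeric form ("iso" == 1).
VULNERABLE_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
}
# Their common parent: a walk that starts at or above this node reaches both leaves.
VULNERABLE_SUBTREE = "1.3.6.1.4.1.4491.2.4.1.1.6.1"

# Constructed record format (an assumption for this example, not a real product's schema):
# <ts> src=<ip> dst=<ip> version=<v1|v2c|v3> pdu=<GET|GETNEXT|GETBULK|SET> oids=<a,b,...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) version=(?P<version>\S+) "
    r"pdu=(?P<pdu>\S+) oids=(?P<oids>\S+)$"
)

# Constructed sample records: a benign sysDescr read, a direct read of both credential
# OIDs over v2c, a v2c walk starting above the subtree, a v3 read, and a benign counter read.
SAMPLE_LOG = """\
2020-04-23T10:00:01Z src=198.51.100.7 dst=192.0.2.10 version=v2c pdu=GET oids=1.3.6.1.2.1.1.1.0
2020-04-23T10:00:02Z src=198.51.100.7 dst=192.0.2.10 version=v2c pdu=GET oids=iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0,iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
2020-04-23T10:00:03Z src=198.51.100.9 dst=192.0.2.10 version=v2c pdu=GETNEXT oids=1.3.6.1.4.1.4491.2.4.1.1.6
2020-04-23T10:00:04Z src=192.0.2.50 dst=192.0.2.10 version=v3 pdu=GET oids=1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
2020-04-23T10:00:05Z src=192.0.2.50 dst=192.0.2.10 version=v2c pdu=GET oids=1.3.6.1.2.1.2.2.1.10.1
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    version: str
    pdu: str
    oid: str
    reason: str


def normalize_oid(oid: str) -> str:
    """Map 'iso.3.6...', '.1.3.6...' and '1.3.6...' spellings to canonical '1.3.6...'."""
    oid = oid.strip().lstrip(".")
    if oid == "iso" or oid.startswith("iso."):
        oid = "1" + oid[3:]
    return oid


def in_subtree(oid: str, subtree: str) -> bool:
    """True when oid equals subtree or lies beneath it."""
    return oid == subtree or oid.startswith(subtree + ".")


def classify(pdu: str, oid: str) -> Optional[str]:
    """Return a reason string if this PDU/OID pair touches the credential objects."""
    if pdu == "GET" and oid in VULNERABLE_OIDS:
        return "direct read of credential OID"
    # Conservative: flag any walk that starts at an ancestor of the subtree or inside it,
    # since such a walk will pass over the credential leaves.
    if pdu in ("GETNEXT", "GETBULK") and (
        in_subtree(VULNERABLE_SUBTREE, oid) or in_subtree(oid, VULNERABLE_SUBTREE)
    ):
        return "walk that traverses credential subtree"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Scan records and return one Finding per suspicious (request, OID) pair."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a record in the assumed format; skip silently
        rec = m.groupdict()
        for oid in rec["oids"].split(","):
            oid = normalize_oid(oid)
            reason = classify(rec["pdu"], oid)
            if reason is None:
                continue
            # v1/v2c authenticate with a plaintext community string only; call that out.
            if rec["version"] in ("v1", "v2c"):
                reason += " over community-based " + rec["version"]
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    rec["version"], rec["pdu"], oid, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} {f.version} {f.pdu} {f.oid}: {f.reason}")
```

On the sample records the scan yields four findings: two for the v2c GET of both credential OIDs, one for the v2c walk starting above the subtree, and one for the v3 read (still a read of a credential object, but without the plaintext-community qualifier). The benign sysDescr and interface-counter reads are not reported.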

Reservation

12/23/2018

Disclosure

12/23/2018

Moderation

accepted

CPE

ready

EPSS

0.00644

KEV

no

Activities

very low

Sources
