Dasan GPON Home Router GponForm/diag_Form diag_action=ping command injection

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Dasan GPON Home Router. Affected by this issue is some unknown functionality of the file GponForm/diag_Form. This manipulation of the argument diag_action=ping causes command injection. The identification of this vulnerability is CVE-2018-10562. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is advisable to implement restrictive firewalling.

Detailsinfo

A vulnerability was found in Dasan GPON Home Router (Router Operating System) (affected version unknown). It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file GponForm/diag_Form. The manipulation of the argument diag_action=ping with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

The bug was discovered 05/01/2018. The weakness was shared 05/04/2018 (Website). The advisory is shared at exploit-db.com. This vulnerability is known as CVE-2018-10562 since 04/30/2018. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known. MITRE ATT&CK project uses the attack technique T1202 for this issue.

It is possible to download the exploit at exploit-db.com. It is declared as attacked. The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 11985 (Dasan GPON Home Routers Remote Code Execution Vulnerability). The CISA Known Exploited Vulnerabilities Catalog lists this issue since 03/31/2022 with a due date of 04/21/2022:

The impacted product is end-of-life and should be disconnected if still in use.

Proper firewalling of is able to address this issue.

The vulnerability is also documented in the vulnerability database at Exploit-DB (44576). Additional details are provided at tech.slashdot.org. The entry VDB-117348 is related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Router Operating System

Vendor

• Dasan

Name

• GPON Home Router

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

Video

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion