CVE-2017-5135
Published 2017-04-27
Priority: P271, critical, CVSS 3.0 score 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 17.40% (96.7th percentile)
Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| technicolor | dpc3928sl_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect SNMP GetNextRequest (PDU type 0xa1) packets sent with a randomly generated UUID-format community string (e.g., matching pattern [0-9a-f]{8}-[0-9a-f]{4}-...) from external/Internet-facing interfaces; this is the StringBleed exploit pattern.
- Alert on SNMP responses from Technicolor DPC3928SL devices that echo back a community string different from (or not matching) any configured community; this indicates the SNMP access-control bypass is active.
- Monitor for SNMP GetNextRequest packets (ASN.1 PDU type 0xa1) targeting OID 1.3.6.1.2.1.1.1.0 (sysDescr) originating from the Internet toward Technicolor DPC3928SL devices; successful responses with non-empty varbind data indicate exploitation.
- Flag any SNMP write (SetRequest) operations accepted by the device from untrusted/Internet sources; the vulnerability exposes writable MIB properties to any community string.
- The GitHub repository string-bleed/StringBleed-CVE-2017-5135 is NOT a valid reference and contains Trojan horse code; do not use or execute code from that repository.
- The bypass may be ISP-customization-dependent; not all Technicolor devices are necessarily affected. Scope detection to firmware D3928SL-P15-13-A386-c3420r55105-160127a on DPC3928SL.
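Three of the checks above (UUID-format community on GetNextRequest, a response carrying an unconfigured community, SetRequest from an untrusted source) as an offline classifier over raw SNMPv1/v2c UDP payloads. This is an added example, not code from the CVE record or its references; the function names, finding labels, the `sample_datagram` fixture and the full 8-4-4-4-12 UUID layout are assumptions.

```python
import re

# Full 8-4-4-4-12 UUID layout: an assumed reading of the page's truncated pattern.
UUID_RE = re.compile(rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(datagram):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c UDP payload."""
    tag, body, _ = read_tlv(datagram, 0)
    t_ver, ver, pos = read_tlv(body, 0)
    t_com, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    return int.from_bytes(ver, "big"), community, pdu_tag

def classify(datagram, configured, from_untrusted):
    """Apply three of the detection checks listed above to one captured datagram."""
    _, community, pdu = parse_snmp(datagram)
    findings = []
    if pdu == 0xA1 and from_untrusted and UUID_RE.fullmatch(community):
        findings.append("getnext-uuid-community")
    if pdu == 0xA2 and community not in configured:
        findings.append("response-unconfigured-community")
    if pdu == 0xA3 and from_untrusted:
        findings.append("set-from-untrusted")
    return findings

def sample_datagram(pdu_tag, community):
    """Constructed SNMPv2c fixture with one sysDescr.0 varbind (not captured traffic)."""
    t = lambda tag, v: bytes([tag, len(v)]) + v
    vb = t(0x30, t(0x06, bytes.fromhex("2b06010201010100")) + t(0x05, b""))
    pdu = t(pdu_tag, t(0x02, b"\x01") + t(0x02, b"\x00") * 2 + t(0x30, vb))
    return t(0x30, t(0x02, b"\x01") + t(0x04, community) + pdu)
```

`configured` is the set of community strings actually provisioned on the device, as bytes; `from_untrusted` is decided by the caller from the capture interface or source address.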
CVSS provenance
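| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |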
- http://www.securityfocus.com/bid/98092
- https://stringbleed.github.io/
- https://www.reddit.com/r/netsec/comments/67qt6u/cve_20175135_snmp_authentication_bypass/