CVE-2017-5135
published 2017-04-27

Priority P271 · critical · 9.1 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS: 17.40% (96.7th percentile)
Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.

Affected

1 range

Vendor       Product              Version range   Fixed in
technicolor  dpc3928sl_firmware

Detection & IOCs (extracted from sources)

  • Detect SNMP GetNextRequest (PDU type 0xa1) packets sent with a randomly generated UUID-format community string (e.g., matching pattern [0-9a-f]{8}-[0-9a-f]{4}-...) from external/Internet-facing interfaces — this is the StringBleed exploit pattern.
  • Alert on SNMP responses from Technicolor DPC3928SL devices that echo back a community string different from (or not matching) any configured community — indicates the SNMP access-control bypass is active.
  • Monitor for SNMP GetNextRequest packets (ASN.1 PDU type 0xa1) targeting OID 1.3.6.1.2.1.1.1.0 (sysDescr) originating from the Internet toward Technicolor DPC3928SL devices; successful responses with non-empty varbind data indicate exploitation.
  • Flag any SNMP write (SetRequest) operations accepted by the device from untrusted/Internet sources — the vulnerability exposes writable MIB properties to any community string.
  • The GitHub repository string-bleed/StringBleed-CVE-2017-5135 is NOT a valid reference and contains Trojan horse code; do not use or execute code from that repository.
  • The bypass may be ISP-customization-dependent; not all Technicolor devices are necessarily affected. Scope detection to firmware D3928SL-P15-13-A386-c3420r55105-160127a on DPC3928SL.
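
The checks in the bullets above, sketched as an added Python example (not code from the CVE record or from any vendor): it reads the community string and PDU type out of SNMPv1/v2c datagrams and flags unconfigured communities, agent responses to them, and SetRequests from untrusted sources. The finding labels, the `isp-managed-ro` community and the sample datagrams are constructed for illustration.

```python
# Added example (not from the CVE record): classify SNMPv1/v2c datagrams seen at the edge.
GET_NEXT, RESPONSE, SET = 0xA1, 0xA2, 0xA3  # SNMP PDU tags

def _tlv(buf, off):
    """Read one BER TLV at off; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length

def parse_snmp(datagram):
    """Return (community, pdu_tag) of a community-based SNMP message."""
    seq_tag, body, _ = _tlv(datagram, 0)
    ver_tag, _, off = _tlv(body, 0)
    com_tag, community, off = _tlv(body, off)
    pdu_tag, _, _ = _tlv(body, off)
    if (seq_tag, ver_tag, com_tag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")  # SNMPv3 lands here too
    return community.decode("latin-1"), pdu_tag

def classify(datagram, configured, from_untrusted=True):
    """Return findings for one datagram; `configured` is the set of real communities."""
    try:
        community, pdu = parse_snmp(datagram)
    except (ValueError, IndexError):
        return ["unparsed"]
    findings = []
    if community not in configured:
        # A response carrying an unconfigured community means the agent answered it.
        findings.append("bypass-response" if pdu == RESPONSE else "unconfigured-community")
    if pdu == SET and from_untrusted:
        findings.append("set-from-untrusted")
    return findings

def sample(community, pdu_tag):
    """Constructed v2c test datagram: one varbind, sysDescr.0 with a NULL value."""
    oid = bytes.fromhex("06082b06010201010100")  # OID 1.3.6.1.2.1.1.1.0
    varbinds = bytes([0x30, len(oid) + 4, 0x30, len(oid) + 2]) + oid + b"\x05\x00"
    pdu_body = bytes.fromhex("020101020100020100") + varbinds  # request-id, error fields
    pdu = bytes([pdu_tag, len(pdu_body)]) + pdu_body
    body = b"\x02\x01\x01\x04" + bytes([len(community)]) + community.encode() + pdu
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    known = {"isp-managed-ro"}  # hypothetical configured community
    print(classify(sample("0f8fad5b-d9cb-469f-a165-70867728950e", RESPONSE), known))
```

Feed `classify` the UDP/161 payloads captured on the Internet-facing interface, with `configured` set to the communities actually provisioned on the device.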

CVSS provenance

nvd  v3.0  9.1  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd  v2.0  6.4  MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N