CVE-2017-8835
Published: 2017-06-05
Priority P275 · CVSS 3.0 score 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 61.58% (99.1st percentile)
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
Affected
6 ranges (version bound from the NVD description; fixed build from the X41 advisory)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peplink | 1350hw2_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
| peplink | 2500_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
| peplink | 380hw6_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
| peplink | 580hw2_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
| peplink | 710hw3_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
| peplink | b305hw2_firmware | before 7.0.1-build2093 | 7.0.1-build2093 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to cgi-bin/MANGA/admin.cgi whose bauth cookie carries anomalous or SQL-crafted values; that cookie is the vector for this unauthenticated SQLi.
- The exploitation goal is session-cookie theft from the sessions database; alert on unexpected or bulk session-ID retrievals from Peplink Balance admin interfaces.
- Attackers (and the Metasploit module) specifically target the most recently created sessions; look for rapid or repeated unauthenticated requests to the admin CGI endpoint with varying bauth cookie payloads.
- Peplink Balance devices running firmware up to 7.0.0-build1904 are vulnerable; identify them and prioritize patching (7.0.1-build2093) or monitoring.
- Session lifetime is configurable by the admin (default 4 hours); the effective exploitation window depends on this setting, so the urgency with which a stolen session cookie must be used varies per deployment.
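The first and third indicators above, turned into detection logic and run over a handful of constructed request lines. This is an added example, not code from this page, from Peplink, or from the Metasploit module; the log format (`<timestamp> <src_ip> <method> <path> cookie=<raw Cookie header>`) and the sample traffic are assumptions made for the illustration.

```python
"""Detection logic for SQL-crafted bauth cookies and bauth bursts against admin.cgi.

Added example: not code from this page, Peplink, or the Metasploit module.
Assumed (hypothetical) log format, one request per line:
    <iso-timestamp> <src_ip> <method> <path> cookie=<raw Cookie header>
"""
import re
from collections import defaultdict
from datetime import datetime

ADMIN_CGI = "/cgi-bin/MANGA/admin.cgi"

# Cheap heuristic for SQL-crafted cookie values: quotes, comment openers,
# or SQL keywords as whole words. Tune it against your own legitimate bauth format.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(or|and|union|select)\b""", re.I)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) cookie=(.*)$")

# Constructed sample traffic (not real captures): one legitimate admin session,
# one request to another CGI, and a burst of varying bauth payloads from one host.
SAMPLE_LOG = """\
2017-06-06T10:00:01 10.0.0.5 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=7f3a9c0e1b2d4e5f6a7b8c9d0e1f2a3b
2017-06-06T10:00:03 10.0.0.9 GET /cgi-bin/MANGA/index.cgi cookie=bauth=0011223344556677
2017-06-06T10:00:05 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x' OR '1'='1
2017-06-06T10:00:06 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x' AND 1=1--
2017-06-06T10:00:07 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x' AND 1=2--
2017-06-06T10:00:08 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x" OR ""="
2017-06-06T10:00:09 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x' OR 1=1/*
2017-06-06T10:00:10 198.51.100.7 GET /cgi-bin/MANGA/admin.cgi cookie=bauth=x' UNION SELECT 1--
"""


def parse_line(line):
    """Parse one log line into a record; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, cookie_hdr = m.groups()
    cookies = {}
    for part in cookie_hdr.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "cookies": cookies}


def looks_like_sqli(value):
    """True when a cookie value contains SQL metacharacters or keywords."""
    return bool(SQLI_RE.search(value))


def analyze(log_text, burst_threshold=5, window_seconds=60):
    """Return SQL-crafted bauth hits and source IPs that sent a burst of distinct
    bauth values to admin.cgi within the window."""
    sqli_hits = []
    by_ip = defaultdict(list)  # ip -> [(timestamp, bauth value)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ADMIN_CGI:
            continue
        bauth = rec["cookies"].get("bauth")
        if bauth is None:
            continue
        if looks_like_sqli(bauth):
            sqli_hits.append((rec["ip"], bauth))
        by_ip[rec["ip"]].append((rec["ts"], bauth))

    bursts = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {b for t, b in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= burst_threshold:
                bursts.append(ip)
                break
    return {"sqli": sqli_hits, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, value in result["sqli"]:
        print("sqli-in-bauth", ip, repr(value))
    for ip in result["bursts"]:
        print("bauth-burst", ip)
```

The keyword heuristic will not fire on a hex or base64-looking session token, but it is only a first filter; the burst rule is the one that catches a blind extraction, because each yes/no probe needs a fresh bauth value and they arrive seconds apart from one source.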
CVSS provenance
NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
exploitdb · 2017-06-06 · CVSS 9.8 · the same entry is also indexed under CVE-2017-8841 [CRITICAL]
---
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in peplink balance routers
Overview
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
Several issues have been identified
Metasploit
Peplink Balance routers SQLi
Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie. Successful exploitation of the vulnerability allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication. By default, a session expires 4 hours after login (the setting can be changed by the admin); for this reason, the module attempts to retrieve the most recently created sessions.
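The mechanism the module description and the NVD text rely on, as an added toy model rather than Peplink's firmware code: a sessions table, a session lookup that splices the bauth cookie into SQL text beside its parameterised fix, and a boolean oracle that recovers the newest session id one character at a time and checks whether a user has a session. The schema, column names, sample sessions and probe strings are all assumptions made for the illustration; the firmware's real query and the payload actually used are not on this page.

```python
"""Toy model of a cookie-driven session lookup: vulnerable vs. parameterised.

Added example, not Peplink firmware code. The schema, column names, sample
rows and probe strings are assumptions for illustration only.
"""
import sqlite3


def make_sessions_db():
    """In-memory sessions table with three constructed sessions (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT, created INTEGER)")
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("a1f2c3", "admin", 1000), ("9b8c7d", "readonly", 2000), ("e5d4c3", "admin", 3000)],
    )
    return db


def session_exists_vulnerable(db, bauth):
    """The bug pattern: the cookie value is spliced into the SQL text."""
    sql = "SELECT id FROM sessions WHERE id = '" + bauth + "'"
    return db.execute(sql).fetchone() is not None


def session_exists_fixed(db, bauth):
    """The fix: the cookie value is bound as data and can never alter the query."""
    return db.execute("SELECT id FROM sessions WHERE id = ?", (bauth,)).fetchone() is not None


def _ask(oracle, db, probe):
    """One yes/no question to the lookup; a database error counts as 'no'."""
    try:
        return oracle(db, probe)
    except sqlite3.Error:
        return False


def extract_newest_session(oracle, db, length=6, alphabet="0123456789abcdef"):
    """Boolean-blind extraction of the most recently created session id.

    Goes after the newest session first, as the module does, because older
    sessions are closer to the (default 4 hour) expiry. Returns None when the
    oracle leaks nothing, which is what happens against the fixed lookup.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = (
                "' OR substr((SELECT id FROM sessions ORDER BY created DESC LIMIT 1),"
                f"{pos},1)='{ch}"
            )
            if _ask(oracle, db, probe):
                recovered += ch
                break
        else:
            return None
    return recovered


def user_has_session(oracle, db, username):
    """Account enumeration: does any session exist for this user name?"""
    probe = f"' OR EXISTS(SELECT 1 FROM sessions WHERE user='{username}') AND '1'='1"
    return _ask(oracle, db, probe)


if __name__ == "__main__":
    db = make_sessions_db()
    print("vulnerable:", extract_newest_session(session_exists_vulnerable, db))  # e5d4c3
    print("fixed:", extract_newest_session(session_exists_fixed, db))  # None
    print("admin has a session (vulnerable):", user_has_session(session_exists_vulnerable, db, "admin"))  # True
```

Each probe costs one request carrying a distinct bauth value, which is why a six-character id over a sixteen-symbol alphabet produces a burst of up to 96 requests to the admin CGI; against the parameterised lookup the same probes are just strings that match no row.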
No writeups or analysis indexed.