CVE-2018-20377
Published 2018-12-23
Priority: P266 · critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.72% (93.9th percentile)
Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orange | arv7519rw22_livebox_2.1_firmware | — | — |
| orange | arv7519rw22_livebox_2.1_firmware | — | — |
| orange | arv7519rw22_livebox_2.1_firmware | — | — |
| orange | arv7519rw22_livebox_2.1_firmware | — | — |
Detection & IOCs
snort
alert http1 $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:3; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, cve CVE_2018_20377, deployment Perimeter, signature_severity Major, updated_at 2024_04_04, reviewed_at 2024_02_20;)
- Exploit requests target GET /get_getnetworkconf.cgi HTTP/1.1 on port 8080 with no Referer header present; the absence of a Referer header is a key discriminator for automated/scripted exploitation vs. browser-originated requests.
- Successful exploitation leaks Wi-Fi credentials in the response; follow-on full device compromise is likely if the admin password equals the Wi-Fi password or retains the default 'admin' value.
- The Emerging Threats rule (sid:2029091) is classified as trojan-activity with Perimeter deployment, indicating this endpoint should be monitored at the network boundary for inbound exploitation attempts.
- Vulnerability is confirmed on a specific firmware/hardware combination; defenders should verify device version before assuming exposure.
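The rule's two conditions (request line and missing Referer) can be replayed offline against captured request heads, for example when triaging proxy or pcap exports. This is an added example, not code from this page or from Emerging Threats; the sample requests are constructed, and comparing header names case-insensitively is a choice of this example.

```python
# Added example: replays the rule's request-line and Referer checks offline.
SUFFIX = "/get_getnetworkconf.cgi HTTP/1.1"


def split_head(raw):
    """Return (request_line, set of lower-cased header names) for a raw request head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    names = set()
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return lines[0], names


def matches_rule(raw):
    """True when the request line starts with 'GET ', ends with the CGI path
    plus HTTP/1.1, and no Referer header is present."""
    request_line, names = split_head(raw)
    return (request_line.startswith("GET ")
            and request_line.endswith(SUFFIX)
            and "referer" not in names)


# Constructed sample requests (documentation address range, not real traffic).
HOST = "Host: 192.0.2.10:8080\r\n"
SAMPLES = {
    "scripted-probe": "GET /get_getnetworkconf.cgi HTTP/1.1\r\n" + HOST + "\r\n",
    "browser-with-referer": "GET /get_getnetworkconf.cgi HTTP/1.1\r\n" + HOST
                            + "referer: http://192.0.2.10:8080/index.html\r\n\r\n",
    "other-path": "GET /index.html HTTP/1.1\r\n" + HOST + "\r\n",
    "wrong-method": "POST /get_getnetworkconf.cgi HTTP/1.1\r\n" + HOST + "\r\n",
    "http-1.0": "GET /get_getnetworkconf.cgi HTTP/1.0\r\n" + HOST + "\r\n",
}


def triage(samples):
    """Return the labels of samples that satisfy both rule conditions."""
    return sorted(label for label, raw in samples.items() if matches_rule(raw))


if __name__ == "__main__":
    print(triage(SAMPLES))
```

A request that carries a Referer header passes unflagged here just as it does under the rule, so a hit means "scripted-looking request" and a miss does not mean the endpoint was not queried.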
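CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |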
Suricata
ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)
suricata·2019-12-03·CVSS 9.8
No public exploits indexed.
No writeups or analysis indexed.
- https://badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/
- https://github.com/zadewg/LIVEBOX-0DAY
- https://news.ycombinator.com/item?id=18745533
- https://web.archive.org/web/20181223120225/https://badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/
Published: 2018-12-23