CVE-2019-19494 : Broadcom based cable modems across multiple vendors are vulnerable to a buffer o

Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11.

Published 2020-01-09 13:15:11

Updated 2020-01-28 19:43:01

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2019-19494

Netgear » Cg3700emr Firmware » Version: 2.01.03
cpe:2.3:o:netgear:cg3700emr_firmware:2.01.03:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Cg3700emr » Version: N/A
Netgear » Cg3700emr Firmware » Version: 2.01.05
cpe:2.3:o:netgear:cg3700emr_firmware:2.01.05:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Cg3700emr » Version: N/A
Netgear » C6250emr Firmware » Version: 2.01.03
cpe:2.3:o:netgear:c6250emr_firmware:2.01.03:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » C6250emr » Version: N/A
Netgear » C6250emr Firmware » Version: 2.01.05
cpe:2.3:o:netgear:c6250emr_firmware:2.01.05:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » C6250emr » Version: N/A
Technicolor » Tc7230 Steb Firmware » Version: 01.25
cpe:2.3:o:technicolor:tc7230_steb_firmware:01.25:*:*:*:*:*:*:*
Matching versions
When used together with: Technicolor » Tc7230 Steb » Version: N/A
Sagemcom » F@st 3890 Firmware
Versions before (<) 05.76.6.3f
cpe:2.3:o:sagemcom:f\@st_3890_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Sagemcom » F@st 3890 » Version: N/A
Sagemcom » F@st 3890 Firmware
Versions before (<) 50.10.21_t4
cpe:2.3:o:sagemcom:f\@st_3890_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Sagemcom » F@st 3890 » Version: N/A
Sagemcom » F@st 3686 Firmware » Version: 3.428.0
cpe:2.3:o:sagemcom:f\@st_3686_firmware:3.428.0:*:*:*:*:*:*:*
Matching versions
When used together with: Sagemcom » F@st 3686 » Version: N/A
Sagemcom » F@st 3686 Firmware » Version: 4.83.0
cpe:2.3:o:sagemcom:f\@st_3686_firmware:4.83.0:*:*:*:*:*:*:*
Matching versions
When used together with: Sagemcom » F@st 3686 » Version: N/A
Compal » 7284e Firmware » Version: 5.510.5.11
cpe:2.3:o:compal:7284e_firmware:5.510.5.11:*:*:*:*:*:*:*
Matching versions
When used together with: Compal » 7284e » Version: N/A
Compal » 7486e Firmware » Version: 5.510.5.11
cpe:2.3:o:compal:7486e_firmware:5.510.5.11:*:*:*:*:*:*:*
Matching versions
When used together with: Compal » 7486e » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-19494

EPSS FAQ

70.82%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2019-19494

"Cablehaunt" Cable Modem WebSocket DoS

Disclosure Date: 2020-01-07

First seen: 2020-04-26

auxiliary/dos/http/cable_haunt_websocket_dos

There exists a buffer overflow vulnerability in certain Cable Modem Spectrum Analyzer interfaces. This overflow is exploitable, but since an exploit would differ between every make, model, and firmware version (which also differs from ISP to ISP),

More information

CVSS scores for CVE-2019-19494

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-19494

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-19494

https://cablehaunt.com

Cable Haunt
Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
https://www.broadcom.com

Broadcom Inc. | Connecting Everything
Product

CVEs referencing this url
https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf

Technical Description;Third Party Advisory

CVEs referencing this url
https://github.com/Lyrebirds/Fast8690-exploit

GitHub - Lyrebirds/Fast8690-exploit
Exploit;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-19494