Vulnerability Details : CVE-2020-11964
In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”
Products affected by CVE-2020-11964
- cpe:2.3:o:evenroute:iqrouter_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11964
0.43%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11964
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-11964
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11964
-
https://pastebin.com/grSCSBSu
> [Suggested description] > IQrouter through 3.3.1, when unconfigured, has > m - Pastebin.comThird Party Advisory
-
https://evenroute.com/
IQrouterProduct
-
https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-
How do I configure an IQrouter? – IQrouterThird Party Advisory
-
https://openwrt.org/docs/guide-quick-start/walkthrough_login
OpenWrt Project: Log into your router running OpenWrtThird Party Advisory
Jump to