Vulnerability Details : CVE-2020-11966
In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”
Products affected by CVE-2020-11966
- cpe:2.3:o:evenroute:iqrouter_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11966
1.44%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 86 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11966
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-11966
-
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11966
-
https://pastebin.com/grSCSBSu
> [Suggested description] > IQrouter through 3.3.1, when unconfigured, has > m - Pastebin.comThird Party Advisory
-
https://evenroute.com/
IQrouterProduct
-
https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-
How do I configure an IQrouter? – IQrouter
-
https://openwrt.org/docs/guide-quick-start/walkthrough_login
OpenWrt Project: Log into your router running OpenWrt
Jump to