CVE-2018-0626

Vulnerability

Aterm WG1200HP firmware Ver1.0.31 and earlier contains an OS command injection vulnerability (CWE-78) via the sysCmd parameter in the formWsc component. An attacker with administrative privileges can inject arbitrary OS commands through this parameter. The affected firmware versions are all prior to Ver1.0.31 [1].

Exploitation

To exploit this vulnerability, an attacker must already have administrative access to the device. The attacker then sends a crafted request containing malicious OS commands in the sysCmd parameter of the formWsc CGI interface. No user interaction beyond the initial administrative login is required. The attack vector is adjacent network (AV:A), requiring the attacker to be on the same network segment as the device [1].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands on the device with the privileges of the web server process. This leads to full compromise of confidentiality, integrity, and availability (CIA) of the device. The CVSS v3 score is 6.8 (Medium) with vector AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on all three security objectives [1].

Mitigation

NEC Corporation has released updated firmware. Users should apply the latest firmware version available from the vendor's support site. The advisory strongly recommends updating immediately. No workaround is provided other than applying the patch [1].