MidnightBSD

Advisories for peplink

CVE-2017-8835 HIGH

SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8836 MEDIUM

CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8837 MEDIUM

Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of these devices is compromised, the attacker can gain access to passwords and abuse them to compromise further systems.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8838 MEDIUM

XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8839 MEDIUM

XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8840 MEDIUM

Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2017-8841 HIGH

Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
peplink 2500_firmware 7.0.1
peplink 710hw3_firmware 7.0.1
peplink 580hw2_firmware 7.0.1
peplink b305hw2_firmware 7.0.1
peplink 1350hw2_firmware 7.0.1
peplink 380hw6_firmware 7.0.1
CVE-2020-24246 MEDIUM

Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
peplink max_br1_mini_firmware *
peplink balance_580_firmware *
peplink max_br1_classic_firmware *
peplink mediafast_500_firmware *
peplink mediafast_750_firmware *
peplink sdx_firmware *
peplink balance_710_firmware *
peplink mbx_firmware *
peplink balance_30_firmware *
peplink max_br1__ip67_firmware *
peplink balance_305_firmware *
peplink max_hd4_firmware *
peplink max_br1_pro_firmware *
peplink max_transit_duo_firmware *
peplink mediafast_hd4_firmware *
peplink balance_two_firmware *
peplink balance_20x_firmware *
peplink balance_30_lte_firmware *
peplink max_br1_m2m_firmware *
peplink max_hotspot_firmware *
peplink max_br1_ip55_firmware *
peplink max_br1_mk2_firmware *
peplink balance_380_firmware *
peplink balance_30_pro_firmware *
peplink max_br1_ent_firmware *
peplink balance_1350_firmware *
peplink balance_50_firmware *
peplink balance_210_firmware *
peplink max_hd2_firmware *
peplink mediafast_200_firmware *
peplink max_hd4_ip67_firmware *
peplink max_700_firmware *
peplink max_br2_firmware *
peplink balance_2500_firmware *
peplink max_hd2_mini_firmware *
peplink ubr_lte_firmware *
peplink max_on-the-go_firmware *
peplink balance_310_firmware *
peplink speedfusion_sfe_firmware *
peplink max_transit_firmware *
peplink fusionhub_firmware *
peplink max_hd2_ip67_firmware *
peplink surf_soho_mk3_firmware *
peplink max_hd1_dome_firmware *
peplink epx_firmware *
peplink surf_soho_firmware *
peplink balance_310x_firmware *
peplink balance_20_firmware *
peplink mediafast_hd2_firmware *
peplink max_transit_mini_firmware *
peplink balance_one_firmware *
peplink speedfusion_sfe_cam_firmware *
peplink max_br1_slim_firmware *
peplink max_br2_ip55_firmware *
peplink max_hd2_dome_firmware *
CVE-2023-27380

An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-28381

An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-34354

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 3.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N 1.7 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-34356

An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-35193

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset 0x4bddb8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
talos-cna@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-35194

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset `0x4bde44`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
talos-cna@cisco.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
peplink surf_soho_firmware 6.3.5
CVE-2023-39367

An OS command injection vulnerability exists in the web interface mac2name functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
peplink smart_reader_firmware 1.2.0
CVE-2023-40146

A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
peplink smart_reader_firmware 1.2.0
CVE-2023-43491

An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
peplink smart_reader_firmware 1.2.0
CVE-2023-45209

An information disclosure vulnerability exists in the web interface /cgi-bin/download_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
peplink smart_reader_firmware 1.2.0
CVE-2023-45744

A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to configuration modification. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H 2.8 5.5

Products Affected

Vendor Product Version
peplink smart_reader_firmware 1.2.0
CVE-2023-49226

An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
peplink balance_two_firmware *
CVE-2023-49228

An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
peplink balance_two_firmware *
CVE-2023-49229

An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
peplink balance_two_firmware *
CVE-2023-49230

An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
peplink balance_two_firmware *