CVE-2019-13269

{"id": "CVE-2019-13269", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-08-27T18:15:11.030", "references": [{"url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field."}, {"lang": "es", "value": "Los dispositivos Br-6208AC V1 de Edimax tienen una compartimentaci\u00f3n insuficiente entre una red host y una red de invitados establecida por el mismo dispositivo. Una petici\u00f3n DHCP se env\u00eda al router con un determinado campo del ID de transacci\u00f3n. Siguiendo el protocolo DHCP, el router responde con un mensaje ACK o NAK. El estudio del caso NAK revel\u00f3 que el router env\u00eda err\u00f3neamente el NAK a las redes del host y del invitado con el mismo ID de transacci\u00f3n que se encuentra en la petici\u00f3n DHCP. Esto permite que la codificaci\u00f3n de los datos se env\u00ede entre enrutadores en el campo ID de transacci\u00f3n de 32 bits."}], "lastModified": "2019-09-04T00:43:15.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:edimax:br-6208ac_v1_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5A84D9B-E71E-4C6A-B178-0338BE069EAF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:edimax:br-6208ac_v1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1ABDDEA4-BA8C-499C-9403-6039466A2AEE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}