CVE-2024-41691

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*
cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*

History

05 Aug 2024, 21:06

Type Values Removed Values Added
References () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 - () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.6
First Time Syrotech sy-gpon-1110-wdont Firmware
Syrotech sy-gpon-1110-wdont
Syrotech
CPE cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*
cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*

01 Aug 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225', 'source': 'vdisclose@cert-in.org.in'}
  • () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 -
Summary
  • (es) Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido al almacenamiento de credenciales FTP en texto plano dentro del sistema de archivos SquashFS-root asociado con el firmware del enrutador. Un atacante con acceso físico podría aprovechar esto extrayendo el firmware y aplicando ingeniería inversa a los datos binarios para acceder a las credenciales FTP en texto plano del sistema vulnerable. La explotación exitosa de esta vulnerabilidad podría permitir al atacante obtener acceso no autorizado al servidor FTP asociado con el sistema objetivo.

26 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-26 12:15

Updated : 2024-08-05 21:06


NVD link : CVE-2024-41691

Mitre link : CVE-2024-41691

CVE.ORG link : CVE-2024-41691


JSON object : View

Products Affected

syrotech

  • sy-gpon-1110-wdont
  • sy-gpon-1110-wdont_firmware
CWE
CWE-312

Cleartext Storage of Sensitive Information