CVE-2018-10561
Published: 04 May 2018
Summary
CVE-2018-10561 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dasannetworks Gpon Router Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
The vulnerability is an authentication bypass issue, tracked as CVE-2018-10561 and assigned CWE-287, that affects Dasan GPON home routers. It allows any URL normally requiring authentication to be accessed without credentials simply by appending the string "?images", as shown with paths such as /menu.html?images/ or /GponForm/diag_FORM?images/.
An unauthenticated attacker with network access can exploit the flaw to obtain full management access to the device. The issue carries a CVSS v3.1 base score of 9.8, reflecting that the attack requires no privileges, user interaction, or special conditions and can result in complete loss of confidentiality, integrity, and availability.
Public exploit code for the vulnerability has been published, and multiple technical analyses are available through the listed references. No official patch or mitigation details are provided in the supplied information.
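A log-review check for the "?images" pattern described above, added here as an example and not taken from the vendor or the referenced analyses. It assumes requests to the router's management interface are recorded in Common Log Format by a proxy or network sensor in front of the device; the sample lines, function names and static-extension list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Common Log Format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2018:10:00:01 +0000] "GET /menu.html?images/ HTTP/1.1" 200 5120
192.0.2.10 - - [04/May/2018:10:00:02 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 200 312
198.51.100.7 - - [04/May/2018:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [04/May/2018:10:01:05 +0000] "GET /menu.html HTTP/1.1" 401 0
203.0.113.9 - - [04/May/2018:10:03:00 +0000] "GET /gallery.html?page=2&images=on HTTP/1.1" 200 900
"""

CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed list of static resources that are legitimately served without a login.
STATIC_EXT = (".png", ".gif", ".jpg", ".jpeg", ".ico", ".css", ".js")


def is_bypass_attempt(target):
    """True when the query string begins with 'images' on a non-static path."""
    parts = urlsplit(target)
    # Compare case-insensitively so the rule does not depend on URL casing.
    if not parts.query.lower().startswith("images"):
        return False
    return not parts.path.lower().endswith(STATIC_EXT)


def find_bypass_requests(log_text):
    """Return one record per log line that matches the CVE-2018-10561 pattern."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append({
                "src": m["src"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                # A 2xx answer means the device served the protected page.
                "served": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_requests(SAMPLE_LOG):
        print(hit)
```

Hits with "served" set to true are the ones to triage first, since the device answered a protected URL without a session.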
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-2633
Vulnerability details
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
- CWE(s)
- KEV Date Added: 31 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces authenticated access decisions on device URLs and forms, blocking the ?images bypass that grants unauthenticated management access.
Requires identification and authentication of users prior to granting access to management functions, directly countering the complete authentication bypass.
Mandates secure remote-access mechanisms with authentication for network-exposed device interfaces, limiting exposure to the unauthenticated URL manipulation.