{"vuid":"VU#278204","idnumber":"278204","name":"Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery","keywords":["verizon","fios","actiontec","router","csrf","cwe-352"],"overview":"The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352)","clean_desc":"The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352) A remote attacker that is able to trick a user into clicking a malicious link while logged into the router may be able to compromise the router.","impact":"A remote unauthenticated attacker that is able to trick a user into clicking a malicious link while they are logged into the router may be able to compromise the router.","resolution":"We are currently unaware of a practical solution to this problem. Please consider the following workarounds.","workarounds":"Restrict Access\nVerify the router's web interface is not Internet accessible. As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the router web interface using stolen credentials from a blocked network location.\nDo Not Stay Logged Into the Router's Management Interface\nAlways log out of the router's management interface when done using it.","sysaffected":"","thanks":"Thanks to Jacob Holcomb of \nIndependent Security Evaluators\n for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html","http://cwe.mitre.org/data/definitions/352.html"],"cveids":["CVE-2013-0126"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-01-31T15:16:06Z","publicdate":"2013-03-18T00:00:00Z","datefirstpublished":"2013-03-18T21:01:21Z","dateupdated":"2013-12-05T21:34:50Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.8","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","cvss_temporalscore":"5.5","cvss_environmentalscore":"4.15608174666464","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}