{"vuid":"VU#525276","idnumber":"525276","name":"Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities","keywords":["hardcoded","router","xss","buffer overflow"],"overview":"The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected.","clean_desc":"PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contain multiple vulnerabilities. CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991 The form2WlanSetup.cgi page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link that performs administrative actions such as changing the device's network settings. CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992 The form2WlanSetup.cgi page contains an \"ssid\" parameter which is vulnerable to cross-site scripting. CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-5993 The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter \"ipaddr\" with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover. CWE-798: Use of Hard-coded Credentials Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576. The reporter also states that the BaudTec (300Mbps WLAN ADSL2+ Router) with firmware version RNR4_A72T_PLD_0.19 may also be vulnerable to the above vulnerabilities. 
The CVSS score below is based on CVE-2015-5991.","impact":"A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.","author":"This document was written by Garret Wassermann.","public":[],"cveids":["CVE-2015-5991","CVE-2015-5992","CVE-2015-5993"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-05-11T12:40:19Z","publicdate":"2015-08-31T00:00:00Z","datefirstpublished":"2015-08-31T17:25:05Z","dateupdated":"2016-04-17T23:16:08Z","revision":52,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"A","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.4","cvss_basevector":"AV:A/AC:M/Au:S/C:C/I:C/A:C","cvss_temporalscore":"6.3","cvss_environmentalscore":"4.724792347968","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}