Full Report
An authenticated attacker with low privileges can extract password hash information for all users.
Analysis Summary
# Vulnerability: Eltex ESR-200 Router Information Disclosure (Password Hash Exposure)
## CVE Details
- CVE ID: CVE-2018-15357
- CVSS Score: 5.3 (Medium) *Note: The provided CVSS string calculates to 5.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)*
- CWE: (Not explicitly stated, vulnerability relates to Improper Access Control/Information Exposure)
## Affected Systems
- Products: Eltex ESR-200 Router
- Versions: Firmware version 1.2.0
- Configurations: Requires successful low-privilege authentication.
## Vulnerability Description
An authenticated attacker holding low-privilege credentials can extract the password hash information of all users configured on the system. The information leak results from insufficient access control after the initial login.
## Exploitation
- Status: Unknown (Existence of exploit is unknown)
- Complexity: Low (AC:L - Low Attack Complexity, PR:L - Low Privilege Required)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H) - Full password hashes for all users can be revealed.
- Integrity: None (I:N)
- Availability: None (A:N)
## Remediation
### Patches
- Update firmware to version **1.3.0** or later.
### Workarounds
- No explicit workarounds were provided in the source material, but standard practice would suggest:
  - Ensuring only necessary low-privilege accounts exist.
  - Monitoring authentication success/failure logs for unusual activity.
## Detection
- **Indicators of Compromise:** Look for unusual requests or abnormal data retrieval patterns originating from authenticated user sessions, specifically targeting user management or configuration retrieval endpoints.
- **Detection Methods and Tools:** Intrusion Detection Systems (IDS) or Web Application Firewalls (WAF) configured with signatures monitoring for unauthorized access attempts to configuration or user databases after a successful low-level login.
## References
- Vendor Advisories: The vendor gave notice that a patch is available (August 2018).
- Relevant Links: ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-013-eltex-esp-200-router-information-disclosure/