Published: 21/02/2019 Updated: 22/02/2019
CVSS v2 Base Score: 9 | Impact Score: 8.5 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

Vulnerability Summary

On Netis WF2880 and WF2411 2.1.36123 devices, there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP "Authorization: Basic" header that is mishandled by user_auth->user_ok in /bin/boa.

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE

Vulnerability Trend

Affected Products

Vendor Product Versions
Netis-systemsWf2411 Firmware2.1.36123
Netis-systemsWf2880 Firmware2.1.36123