CVE-2019-19494

Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11.

CVSS v3.0 8.8 HIGH
CVSS v2.0 9.3 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://cablehaunt.com	Exploit Technical Description Third Party Advisory
https://www.broadcom.com	Product
https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf	Technical Description Third Party Advisory
https://github.com/Lyrebirds/Fast8690-exploit	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sagemcom:f\@st_3890_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sagemcom:f\@st_3890:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:sagemcom:f\@st_3890_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sagemcom:f\@st_3890:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:sagemcom:f\@st_3686_firmware:3.428.0:::::::*
	cpe:2.3:o:sagemcom:f\@st_3686_firmware:4.83.0:::::::*

cpe:2.3:h:sagemcom:f\@st_3686:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:netgear:cg3700emr_firmware:2.01.03:::::::*
	cpe:2.3:o:netgear:cg3700emr_firmware:2.01.05:::::::*

cpe:2.3:h:netgear:cg3700emr:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:netgear:c6250emr_firmware:2.01.03:::::::*
	cpe:2.3:o:netgear:c6250emr_firmware:2.01.05:::::::*

cpe:2.3:h:netgear:c6250emr:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:technicolor:tc7230_steb_firmware:01.25:*:*:*:*:*:*:*

cpe:2.3:h:technicolor:tc7230_steb:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:compal:7284e_firmware:5.510.5.11:*:*:*:*:*:*:*

cpe:2.3:h:compal:7284e:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:compal:7486e_firmware:5.510.5.11:*:*:*:*:*:*:*

cpe:2.3:h:compal:7486e:-:*:*:*:*:*:*:*

Information

Published : 2020-01-09 05:15

Updated : 2020-01-28 11:43

NVD link : CVE-2019-19494

Mitre link : CVE-2019-19494

JSON object : View

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Products Affected

sagemcom

f\@st_3686
f\@st_3890
f\@st_3686_firmware
f\@st_3890_firmware

compal

7486e
7284e
7284e_firmware
7486e_firmware

netgear

c6250emr_firmware
cg3700emr_firmware
cg3700emr
c6250emr

technicolor

tc7230_steb
tc7230_steb_firmware

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://cablehaunt.com", "name": "https://cablehaunt.com", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.broadcom.com", "name": "https://www.broadcom.com", "tags": ["Product"], "refsource": "MISC"}, {"url": "https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf", "name": "https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf", "tags": ["Technical Description", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/Lyrebirds/Fast8690-exploit", "name": "https://github.com/Lyrebirds/Fast8690-exploit", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-120"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-19494", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}}, "publishedDate": "2020-01-09T13:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:sagemcom:f\\@st_3890_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "50.10.21_t4"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:sagemcom:f\\@st_3890:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:sagemcom:f\\@st_3890_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "05.76.6.3f"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:sagemcom:f\\@st_3890:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:sagemcom:f\\@st_3686_firmware:3.428.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:sagemcom:f\\@st_3686_firmware:4.83.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:sagemcom:f\\@st_3686:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netgear:cg3700emr_firmware:2.01.03:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:netgear:cg3700emr_firmware:2.01.05:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netgear:cg3700emr:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netgear:c6250emr_firmware:2.01.03:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:netgear:c6250emr_firmware:2.01.05:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netgear:c6250emr:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:technicolor:tc7230_steb_firmware:01.25:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:technicolor:tc7230_steb:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:compal:7284e_firmware:5.510.5.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:compal:7284e:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:compal:7486e_firmware:5.510.5.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:compal:7486e:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-01-28T19:43Z"}

8.8 /10