Remote Control Vulnerability in TrueMobile 2300 Firmware

vendor:

TrueMobile 2300

by:

7.5

CVSS

HIGH

Remote Control

CWE

Product Name: TrueMobile 2300

Affected Version From: 3.0.0.8

Affected Version To: 5.1.1.6

Patch Exists: NO

Related CWE:

CPE: h:dell:truemobile_2300

Metasploit:

Other Scripts:

Platforms Tested:

Remote Control Vulnerability in TrueMobile 2300 Firmware

Remote attackers can gain control of a target TrueMobile 2300 device running firmware versions 3.0.0.8 and 5.1.1.6. The vulnerability is in an administrative component accessed through the web-based control interface. Unauthenticated attackers can reset the administrative credentials without authorization, allowing them to log in and perform malicious actions that could compromise the entire LAN behind the device.

Mitigation:

Unknown

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15770/info

It is possible for remote attackers to gain control of a target TrueMobile 2300 running firmware versions 3.0.0.8 and 5.1.1.6. Other versions are likely affected. The vulnerability appears to be in an administrative component accessed through the web-based control interface. Unauthenticated attackers can force the device to reset the administrative credentials without authorization. Once credentials have been reset an attacker can log in and perform malicious actions, potentially compromising the entire LAN behind the device. 

http://target/apply.cgi?Page=adv_password.asp&action=ClearLog

A dialog requesting credentials may appear. The action will be performed, even if "cancel" is clicked.