Vulnerability Details CVE-2020-16134
An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or reset button, an attacker can create a user with elevated privileges on the Sysbus-API. This can then be used to modify local or remote SSH access, thus allowing a login session as the superuser.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.7%
CVSS Severity
CVSS v3 Score 8.0
CVSS v2 Score 7.7
References
- https://www.swisscom.ch
- https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2020-16134.txt
- https://www.swisscom.ch
- https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2020-16134.txt
Products affected by CVE-2020-16134
-
cpe:2.3:h:swisscom:internet-box_2:-
-
cpe:2.3:h:swisscom:internet-box_3:-
-
cpe:2.3:h:swisscom:internet-box_light:-
-
cpe:2.3:h:swisscom:internet-box_plus:-
-
cpe:2.3:h:swisscom:internet-box_standard:-
-
cpe:2.3:o:swisscom:internet-box_2_firmware:-
-
cpe:2.3:o:swisscom:internet-box_2_firmware:09.00.60
-
cpe:2.3:o:swisscom:internet-box_2_firmware:09.01.44
-
cpe:2.3:o:swisscom:internet-box_2_firmware:09.01.60
-
cpe:2.3:o:swisscom:internet-box_2_firmware:09.02.08
-
cpe:2.3:o:swisscom:internet-box_2_firmware:09.04.00
-
cpe:2.3:o:swisscom:internet-box_3_firmware:-
-
cpe:2.3:o:swisscom:internet-box_light_firmware:-
-
cpe:2.3:o:swisscom:internet-box_light_firmware:08.04.26
-
cpe:2.3:o:swisscom:internet-box_light_firmware:08.04.36
-
cpe:2.3:o:swisscom:internet-box_light_firmware:08.05.02
-
cpe:2.3:o:swisscom:internet-box_plus_firmware:-
-
cpe:2.3:o:swisscom:internet-box_plus_firmware:09.01.52
-
cpe:2.3:o:swisscom:internet-box_plus_firmware:09.02.08
-
cpe:2.3:o:swisscom:internet-box_plus_firmware:09.04.00
-
cpe:2.3:o:swisscom:internet-box_standard_firmware:-
-
cpe:2.3:o:swisscom:internet-box_standard_firmware:09.01.28
-
cpe:2.3:o:swisscom:internet-box_standard_firmware:09.02.08
-
cpe:2.3:o:swisscom:internet-box_standard_firmware:09.04.00