CVE-2019-19494

09.01.2020, 13:15

Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11.

Classic Buffer Overflow

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 98%

Vendor	Product	Version
sagemcom	f\@st_3890_firmware	𝑥 < 50.10.21_t4
sagemcom	f\@st_3890_firmware	𝑥 < 05.76.6.3f
sagemcom	f\@st_3686_firmware	3.428.0
sagemcom	f\@st_3686_firmware	4.83.0
netgear	cg3700emr_firmware	2.01.03
netgear	cg3700emr_firmware	2.01.05
netgear	c6250emr_firmware	2.01.03
netgear	c6250emr_firmware	2.01.05
technicolor	tc7230_steb_firmware	01.25
compal	7284e_firmware	5.510.5.11
compal	7486e_firmware	5.510.5.11

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References

https://cablehaunt.com

https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf

https://github.com/Lyrebirds/Fast8690-exploit

https://www.broadcom.com

https://cablehaunt.com

https://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf

https://github.com/Lyrebirds/Fast8690-exploit

https://www.broadcom.com