CVE-2020-16134

An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or reset button, an attacker can create a user with elevated privileges on the Sysbus-API. This can then be used to modify local or remote SSH access, thus allowing a login session as the superuser.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 8 HIGH | ADJACENT_NETWORK | LOW | LOW | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score Percentile: 33%
Vendor | Product | Version
swisscom | internet-box_2_firmware | 𝑥 < 10.04.38
swisscom | internet-box_standard_firmware | 𝑥 < 10.04.38
swisscom | internet-box_plus_firmware | 𝑥 < 10.04.38
swisscom | internet-box_3_firmware | 𝑥 < 11.01.20
swisscom | internet-box_light_firmware | 𝑥 < 08.06.06

𝑥 = Vulnerable software versions