CVE-2019-6015

FON2601E-SE, FON2601E-RE, FON2601E-FSW-S, and FON2601E-FSW-B with firmware versions 1.1.7 and earlier contain an issue where they may behave as open resolvers. If this vulnerability is exploited, FON routers may be leveraged for DNS amplification attacks to some other entities.

Published : 2019-10-04 19:15 Updated : 2019-10-10 19:11

7.8

CVSS Score More info

Score 7.8 / 10

Access vector NETWORK

A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". An example of a network attack is an RPC buffer overflow.

Access complexity LOW

Specialized access conditions or extenuating circumstances do not exist. The following are examples:

The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g., Internet-facing web or mail server).
The affected configuration is default or ubiquitous.
The attack can be performed manually and requires little skill or additional information gathering.
The race condition is a lazy one (i.e., it is technically a race but easily winnable).

CPE (4)
Tree view

Vendor	Product	Version	URI
Fon	Fon2601e-fsw-b Firmware	1.1.7	cpe:/o:fon:fon2601e-fsw-b_firmware:1.1.7
Fon	Fon2601e-fsw-s Firmware	1.1.7	cpe:/o:fon:fon2601e-fsw-s_firmware:1.1.7
Fon	Fon2601e-re Firmware	1.1.7	cpe:/o:fon:fon2601e-re_firmware:1.1.7
Fon	Fon2601e-se Firmware	1.1.7	cpe:/o:fon:fon2601e-se_firmware:1.1.7

Fon (4) Search CVE
1. Fon2601e-fsw-s Firmware (1) Search CVE
  1. 1.1.7
2. Fon2601e-fsw-b Firmware (1) Search CVE
  1. 1.1.7
3. Fon2601e-re Firmware (1) Search CVE
  1. 1.1.7
4. Fon2601e-se Firmware (1) Search CVE
  1. 1.1.7

CWE

ID	Name	Description	Links
CWE-20	Improper Input Validation	The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.		CVE

References

Source	Link
MISC	https://fonjapan.zendesk.com/hc/ja/articles/360000558942
MISC	http://jvn.jp/en/vu/JVNVU94678942/index.html

History of changes

Date

Event

2019-10-10 19:11

CPEs changed

4 added

cpe:/o:fon:fon2601e-fsw-b_firmware:1.1.7 (Fon / Fon2601e-fsw-b Firmware)
cpe:/o:fon:fon2601e-fsw-s_firmware:1.1.7 (Fon / Fon2601e-fsw-s Firmware)
cpe:/o:fon:fon2601e-re_firmware:1.1.7 (Fon / Fon2601e-re Firmware)
cpe:/o:fon:fon2601e-se_firmware:1.1.7 (Fon / Fon2601e-se Firmware)

CVSS changed

New score : 7.8
No old score

CWEs changed

Added : CWE-20

References changed

2 changed

https://fonjapan.zendesk.com/hc/ja/articles/360000558942	UNKNOWN->VENDOR_ADVISORY
http://jvn.jp/en/vu/JVNVU94678942/index.html	UNKNOWN->VENDOR_ADVISORY

2019-10-04 19:23

CVE-2019-6015

Score 7.8 / 10

Access vector NETWORK

Access complexity LOW

Authentication NONE

Confidentiality impact NONE

Integrity impact NONE

Availability impact COMPLETE

CWE