CVE-2018-11094

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to access sensitive configuration data and execute administrative functions on Intelbras NCLOUD 300 devices. Attackers can retrieve credentials, reboot systems, and modify VPN settings without authentication. This affects all users of Intelbras NCLOUD 300 version 1.0 devices.

💻 Affected Systems

Products:
  • Intelbras NCLOUD 300
Versions: 1.0
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running version 1.0 are vulnerable in default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise with credential theft, unauthorized VPN configuration, and persistent backdoor installation leading to network infiltration.

🟠 Likely Case

Credential harvesting leading to unauthorized access, device configuration changes, and service disruption through forced reboots.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly exploited without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if they reach the device's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests to vulnerable endpoints can retrieve credentials and execute commands. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Contact Intelbras support for firmware updates or replacement options.

🔧 Temporary Workarounds

Network Segmentation

Isolate NCLOUD 300 devices from untrusted networks and restrict access to management interface.

Firewall Rules

Block external access to device management ports (typically 80/443) and restrict internal access to authorized IPs only.

🧯 If You Can't Patch

  • Replace vulnerable devices with updated models or alternative solutions
  • Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Send an HTTP POST request to the /cgi-bin/ExportSettings.sh endpoint without authentication. If it returns configuration data, the device is vulnerable.

Check Version:

Check device web interface or console for firmware version information.

Verify Fix Applied:

Test if authentication is now required for /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to vulnerable endpoints
  • Configuration export events without user authentication
  • Unexpected system reboots

Network Indicators:

  • HTTP POST requests to /cgi-bin/ExportSettings.sh from unauthorized sources
  • Traffic to management interface from unexpected IPs

SIEM Query:

http.method:POST AND (http.uri:"/cgi-bin/ExportSettings.sh" OR http.uri:"/goform/updateWPS" OR http.uri:"/goform/RebootSystem" OR http.uri:"/goform/vpnBasicSettings") AND NOT user_agent:authorized_client

Note that the User-Agent header is chosen by the client and is trivially spoofed, so the NOT user_agent clause only reduces noise; a more reliable filter is the source address, alerting on any POST to these endpoints from outside the authorized management range.
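The detection logic above, applied to web-server access log lines, as an added example (not part of the original advisory): it flags POSTs to the four endpoints the advisory lists from any source outside an authorized management subnet. The log lines and the 10.0.10.0/24 management range are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoints the advisory lists as reachable without authentication on NCLOUD 300 v1.0
VULNERABLE_ENDPOINTS = {
    "/cgi-bin/ExportSettings.sh",
    "/goform/updateWPS",
    "/goform/RebootSystem",
    "/goform/vpnBasicSettings",
}

# Assumption: only this management subnet may reach the device (constructed placeholder)
AUTHORIZED_NETS = [ip_network("10.0.10.0/24")]

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    client, ts, method, path, status = m.groups()
    # Drop any query string so "/goform/RebootSystem?x=1" still matches
    return {"client": client, "ts": ts, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}

def is_authorized(client):
    """True if the client IP falls inside an authorized management range."""
    try:
        ip = ip_address(client)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(ip in net for net in AUTHORIZED_NETS)

def find_suspicious(lines):
    """POSTs to a vulnerable endpoint from an unauthorized source, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in VULNERABLE_ENDPOINTS \
                and not is_authorized(rec["client"]):
            hits.append(rec)
    return hits

# Constructed sample log: two unauthorized exports/VPN changes, one legitimate reboot, noise
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /cgi-bin/ExportSettings.sh HTTP/1.1" 200 4812',
    '10.0.10.5 - admin [12/Mar/2024:10:02:10 +0000] "POST /goform/RebootSystem HTTP/1.1" 200 120',
    '203.0.113.7 - - [12/Mar/2024:10:03:44 +0000] "GET /index.asp HTTP/1.1" 200 2048',
    '198.51.100.23 - - [12/Mar/2024:10:05:00 +0000] "POST /goform/vpnBasicSettings?x=1 HTTP/1.1" 200 88',
    'not a log line',
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["client"]} POST {h["path"]} -> {h["status"]}')
```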
