CVE-2018-20380

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to retrieve device credentials via specific SNMP OID requests without authentication. It affects multiple Ambit router models including DDW2600, DDW2602, T60C926, and U10C019 devices. Attackers can exploit this to gain administrative access to vulnerable routers.

💻 Affected Systems

Products:
  • Ambit DDW2600
  • Ambit DDW2602
  • Ambit T60C926
  • Ambit U10C019
Versions: DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, U10C019 5.66.1026
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default SNMP configuration exposing credential OIDs.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with credential theft leading to network takeover, traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Unauthorized access to router administration interface allowing configuration changes, network disruption, and credential harvesting.

🟢

If Mitigated

Limited impact if SNMP is disabled or access restricted, though default configurations are vulnerable.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication via SNMP requests.
🏢 Internal Only: HIGH - Internal attackers can also exploit via SNMP on local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SNMP GET requests to specific OIDs (iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0) return credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Check with vendor for firmware updates or replace affected devices.

🔧 Temporary Workarounds

Disable SNMP Service (applies to: all affected models)

Completely disable the SNMP service on affected routers to prevent credential exposure.

Access router admin interface → Advanced Settings → SNMP → Disable SNMP

Restrict SNMP Access (applies to: all affected models)

Configure SNMP access control lists to limit which IP addresses can query SNMP.

Access router admin interface → Advanced Settings → SNMP → Configure ACLs

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for SNMP requests to vulnerable OIDs

🔍 How to Verify

Check if Vulnerable:

Run SNMP GET requests to OIDs iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0. If credentials are returned, the device is vulnerable.

Check Version:

Check the router admin interface, or use SNMP to query the sysDescr OID (1.3.6.1.2.1.1.1.0).

Verify Fix Applied:

After disabling SNMP or applying workarounds, repeat SNMP GET requests to verify no credentials are returned.

📡 Detection & Monitoring

Log Indicators:

  • SNMP GET requests to OIDs containing .4491.2.4.1.1.6.1.1 or .4491.2.4.1.1.6.1.2

Network Indicators:

  • UDP port 161 traffic to affected devices with specific OID patterns

SIEM Query:

(dest_port=161 OR source_port=161) AND (oid:"*4491.2.4.1.1.6.1.1*" OR oid:"*4491.2.4.1.1.6.1.2*")
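
The log indicator above, turned into a small detector. This is an added example, not part of the advisory: it assumes a constructed one-line-per-request log format (`ts src= dst= dport= pdu= oid=`) such as a firewall or SNMP monitor might emit, normalizes the `iso.`/leading-dot OID spellings, and flags GET-family requests to the two credential OID columns named in this CVE.

```python
import re
from dataclasses import dataclass

# Credential OID columns from the advisory, in numeric form ("iso" == 1).
# Prefix match so a request to ...6.1.1.0 or a walk into ...6.1.1 both fire.
CREDENTIAL_OID_PREFIXES = (
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2",
)

# Constructed log format (assumption, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"pdu=(?P<pdu>\S+) oid=(?P<oid>\S+)$"
)

def normalize_oid(oid: str) -> str:
    """Rewrite 'iso.3.6...' or '.1.3.6...' as plain dotted '1.3.6...'."""
    oid = oid.strip().lstrip(".")
    if oid.startswith("iso"):
        oid = "1" + oid[len("iso"):]
    return oid

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    oid: str

def detect_credential_oid_queries(lines):
    """Return one Alert per SNMP GET/GETNEXT/GETBULK aimed at a credential OID."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dport"] != "161":        # only SNMP requests (UDP/161)
            continue
        if m["pdu"].lower() not in ("get", "getnext", "getbulk"):
            continue
        oid = normalize_oid(m["oid"])
        if any(oid == p or oid.startswith(p + ".") for p in CREDENTIAL_OID_PREFIXES):
            alerts.append(Alert(m["ts"], m["src"], m["dst"], oid))
    return alerts

# Constructed sample lines: one benign sysDescr query, two credential-OID
# queries in different OID spellings, and a neighbouring OID that must not fire.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z src=203.0.113.5 dst=192.0.2.1 dport=161 pdu=get oid=1.3.6.1.2.1.1.1.0",
    "2024-01-01T10:00:02Z src=203.0.113.5 dst=192.0.2.1 dport=161 pdu=get oid=iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "2024-01-01T10:00:02Z src=203.0.113.5 dst=192.0.2.1 dport=161 pdu=get oid=.1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
    "2024-01-01T10:00:03Z src=203.0.113.5 dst=192.0.2.1 dport=161 pdu=get oid=1.3.6.1.4.1.4491.2.4.1.1.6.1.3.0",
]

if __name__ == "__main__":
    for a in detect_credential_oid_queries(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.src} -> {a.dst} queried {a.oid}")
```

Point the reader at the same source the SIEM query above consumes; the two hits in the sample correspond to the two OIDs listed under "Check if Vulnerable".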

🔗 References
