CVE-2018-20388

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to retrieve administrative credentials from Comtrend CM-6200un and CM-6300n devices via specific SNMP OID requests. Attackers can obtain usernames and passwords without authentication, potentially gaining full control of affected devices. This affects users of these specific Comtrend router models with vulnerable firmware versions.

💻 Affected Systems

Products:
  • Comtrend CM-6200un
  • Comtrend CM-6300n
Versions: CM-6200un: 123.447.007, CM-6300n: 123.553mp1.005
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is exposed when the SNMP service is enabled (often the default). The two specific OIDs return credential information to any client that can reach UDP port 161.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into internal networks.

🟠 Likely Case

Attackers gain administrative access to the router, enabling them to change DNS settings, redirect traffic, or disable security features.

🟢 If Mitigated

If SNMP is disabled or properly secured, the attack vector is eliminated and credentials remain protected.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked without any authentication required.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if they can reach the SNMP service on affected devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SNMP queries to the specific OIDs (iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0) return credentials. Tools like snmpwalk can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check Comtrend website for firmware updates. If unavailable, implement workarounds.

🔧 Temporary Workarounds

Disable SNMP Service

Platform: all

Completely disable SNMP on affected devices to eliminate the attack vector.

Access router admin interface -> Advanced Settings -> SNMP -> Disable

Restrict SNMP Access

Platform: all

If SNMP must remain enabled, restrict access to trusted IP addresses only.

Access router admin interface -> Advanced Settings -> SNMP -> Set allowed IPs to specific management hosts

🧯 If You Can't Patch

  • Change all administrative credentials immediately
  • Isolate affected devices in separate network segments with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Run snmpwalk once per OID: snmpwalk -v2c -c public [device_ip] iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and snmpwalk -v2c -c public [device_ip] iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 (snmpwalk accepts a single OID argument). If credentials are returned, the device is vulnerable.

Check Version:

Check firmware version in router admin interface under System Status or similar section.

Verify Fix Applied:

After disabling SNMP or restricting it to trusted management hosts, repeat the SNMP query from a host that is not on the allowed list. It should time out or return access denied rather than credentials.

📡 Detection & Monitoring

Log Indicators:

  • SNMP queries to OIDs: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
  • Multiple failed login attempts after SNMP queries

Network Indicators:

  • UDP port 161 (SNMP) traffic from unexpected sources
  • SNMP queries containing the vulnerable OID strings

SIEM Query:

(dest_port=161 OR source_port=161) AND (oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0" OR oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")
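The detection and verification sections above both hinge on recognising SNMPv2c requests for the two OIDs on the wire. The following is an added example written for this page (it is not Comtrend code and not part of the advisory): a minimal BER encoder/decoder for SNMPv2c GetRequest datagrams, a detector that flags any Get/GetNext/GetBulk request naming either leaking OID (the kind of check a sensor on UDP/161 traffic would run, matching the "SNMP queries containing the vulnerable OID strings" indicator), and a post-mitigation reachability check that queries sysDescr (1.3.6.1.2.1.1.1.0), not the credential OIDs, so a timeout confirms the workaround without ever pulling the secrets. The sample datagrams and the 198.51.100.7 / 203.0.113.9 addresses are constructed for the example; the function names are the example's own.

```python
# Added example for CVE-2018-20388: SNMPv2c GetRequest encode/decode, a detector for
# the two leaking OIDs, and a sysDescr reachability check for verifying the workaround.
import socket

# The two OIDs named in the advisory ("iso" is arc 1).
LEAK_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
}

# ---- minimal BER encoding (subset sufficient for SNMPv2c requests) ----
def _len(n):  # short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):  # two's-complement INTEGER, enough for version/request-id/error fields
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):  # first two arcs packed into one byte, remaining arcs base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oids, request_id=1):
    """Wire bytes of an SNMPv2c GetRequest (version field 1 means v2c)."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)  # value NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

# ---- minimal BER decoding ----
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_get_request(datagram):
    """(version, community, [oids]) for a Get/GetNext/GetBulk request; None for
    responses, traps or malformed input (a sensor must not crash on junk)."""
    try:
        tag, msg, _ = _read_tlv(datagram, 0)
        if tag != 0x30:
            return None
        _, ver, pos = _read_tlv(msg, 0)
        _, community, pos = _read_tlv(msg, pos)
        pdu_tag, pdu, _ = _read_tlv(msg, pos)
        if pdu_tag not in (0xA0, 0xA1, 0xA5):  # GetRequest, GetNextRequest, GetBulkRequest
            return None
        pos = 0
        for _ in range(3):  # request-id, error-status, error-index
            _, _, pos = _read_tlv(pdu, pos)
        _, vbl, _ = _read_tlv(pdu, pos)
        oids, pos = [], 0
        while pos < len(vbl):
            _, vb, pos = _read_tlv(vbl, pos)
            _, oid_body, _ = _read_tlv(vb, 0)
            oids.append(_decode_oid(oid_body))
        return int.from_bytes(ver, "big", signed=True), community.decode(errors="replace"), oids
    except (IndexError, ValueError):
        return None

def flag_credential_probe(src_ip, datagram):
    """Alert text if the request asks for a leaking OID, else None."""
    parsed = parse_get_request(datagram)
    hits = sorted(o for o in parsed[2] if o in LEAK_OIDS) if parsed else []
    if not hits:
        return None
    return (f"CVE-2018-20388 probe from {src_ip}: snmp_version={parsed[0]} "
            f"community={parsed[1]!r} oids={','.join(hits)}")

def snmp_reachable(host, community="public", timeout=2.0):
    """Post-mitigation check run from the host being tested: asks for sysDescr only.
    False (timeout) means the device no longer answers SNMP to this host."""
    pkt = build_get_request(community, ["1.3.6.1.2.1.1.1.0"])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, 161))
        try:
            s.recvfrom(4096)
            return True
        except socket.timeout:
            return False

# Constructed sample traffic (documentation-range IPs, not a real capture).
SAMPLES = [
    ("198.51.100.7", build_get_request("public", ["1.3.6.1.2.1.1.1.0"])),  # routine poll
    ("203.0.113.9", build_get_request("public", sorted(LEAK_OIDS))),       # credential probe
]
```

Running `flag_credential_probe` over `SAMPLES` yields None for the routine sysDescr poll and an alert naming both OIDs for the second datagram; feeding the same function the raw payload of every inbound UDP/161 datagram gives the OID-level match the SIEM query above assumes. A GetResponse (PDU tag 0xA2) is deliberately ignored so the device's own replies are not double-counted, and `snmp_reachable` returning False from a non-management host is the expected result after the workaround is applied.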
