CVE-2018-20394

9.8 CRITICAL

📋 TL;DR

Thomson DWG849, DWG850-4, DWG855 and TWG870 cable gateways running the firmware versions listed below return the device's credentials in response to SNMP GET requests for two vendor-specific OIDs. Anyone who can reach the device's SNMP agent with a valid read community string can read the administrative password without any further authentication.

💻 Affected Systems

Products and affected firmware:
  • Thomson DWG849, firmware STC0.01.16
  • Thomson DWG850-4, firmware ST9C.05.25
  • Thomson DWG855, firmware ST80.20.26
  • Thomson TWG870, firmware STB2.01.36
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The default SNMP configuration places the credential OIDs in the read view with no access control beyond the community string, so anyone who can reach UDP/161 with that string can read them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the device, enabling complete compromise including configuration changes, traffic interception, and use as a pivot point into internal networks.

🟠 Likely Case

Attackers harvest credentials to gain unauthorized access to device management interfaces, potentially leading to network disruption or data exfiltration.

🟢 If Mitigated

If SNMP is disabled or reachable only from trusted management hosts, untrusted parties cannot query the OIDs at all; residual exposure is limited to whoever already holds the read community string and has network access to UDP/161 on the device.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be scanned and exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised hosts can exploit this, but only with network access to the device's SNMP service (UDP/161) and the read community string.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation takes a single SNMP GET for the two OIDs with a valid read community string (the check below assumes the default "public"); standard tools such as snmpget or snmpwalk suffice, and no other authentication is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

Check with the device vendor (or, for ISP-supplied units, the operator that manages them) for updated firmware. If none is available, apply the workarounds below.

🔧 Temporary Workarounds

Disable SNMP or restrict access (applies to all affected models)

Disable the SNMP agent entirely, or restrict UDP/161 to trusted management hosts with an access control list on the device or a firewall rule upstream of it. Configuration varies by device; consult the device administration interface.

Change default credentials (applies to all affected models)

Change all default administrative passwords immediately so that any credentials already harvested stop working. Note that this does not close the leak on its own: the OIDs expose the device's current credentials, so rotate passwords after SNMP access has been restricted, not instead of restricting it. Use the device web interface or CLI to change the admin password.

🧯 If You Can't Patch

  • Segment affected devices into isolated network zones with strict firewall rules
  • Implement network monitoring for SNMP requests to sensitive OIDs and alert on suspicious activity

🔍 How to Verify

Check if Vulnerable:

Query the two OIDs with snmpget (they are scalar instances, which is what snmpget is for; snmpwalk is built for walking a subtree): snmpget -v2c -c public [device_ip] .1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 .1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 - if either OID returns an OCTET STRING value, the device is exposing its credentials and is vulnerable. Substitute the device's actual read community if "public" has been changed.

Check Version:

Check the firmware version in the device web interface, or query the sysDescr OID with snmpget -v2c -c public [device_ip] .1.3.6.1.2.1.1.1.0 and compare the reported version string with the affected firmware versions listed above.

Verify Fix Applied:

After applying the workarounds, repeat the query from an untrusted network position. Expected results: "Timeout: No Response" if SNMP is disabled or UDP/161 is filtered, or noSuchObject/noSuchInstance if the OIDs have been removed from the read view. Then confirm from a trusted management host that any monitoring you still need continues to work.

📡 Detection & Monitoring

Log Indicators:

  • Multiple SNMP GET requests to OIDs .1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and .1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 from untrusted sources

Network Indicators:

  • SNMP traffic (UDP port 161) from external IPs to affected devices
  • Pattern of SNMP queries to sensitive OIDs

SIEM Query (pseudo-query; the oid field requires a sensor that decodes SNMP varbinds, since flow and firewall logs only record the UDP/161 connection):

source_ip NOT IN trusted_networks AND dest_port=161 AND (oid=".1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0" OR oid=".1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")
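As an added example (not code from the advisory or from the device vendor), the following Python builds the same SNMPv2c GetRequest that the snmpget check in How to Verify sends, decodes the agent's reply so the result can be classified, and runs the detection rule above (credential OIDs requested from outside trusted networks) over raw UDP/161 payloads, which is the decoding a network sensor has to do before a query like the one above can match on an OID. It uses only the standard library; the community string "public" and port 161 are assumed defaults, and the trusted-network list is yours to supply. Unlike the SIEM query, it also flags a GetNext or GetBulk that starts at a parent of the credential OIDs, which is how an snmpwalk of the subtree reaches them.

```python
"""SNMPv2c encode/decode for CVE-2018-20394: a live probe for the two credential OIDs and the
advisory's detection rule run over raw UDP/161 payloads. Added example, not code from the
advisory or the vendor; standard library only. "public" and port 161 are assumed defaults."""
import ipaddress, socket

CREDENTIAL_OIDS = ("1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",  # the two OIDs named in the CVE
                   "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")
GET, GETNEXT, RESPONSE, GETBULK = 0xA0, 0xA1, 0xA2, 0xA5  # SNMP PDU tags

def _tlv(tag, payload):
    assert len(payload) < 0x80, "short-form BER length only; enough for the requests built here"
    return bytes([tag, len(payload)]) + payload

def _int(value):  # BER INTEGER, minimal two's-complement bytes (non-negative values only)
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_request(oids, community="public", pdu_type=GET, request_id=1):
    """Encode a complete SNMPv2c Get/GetNext/GetBulk message (varbind values are NULL)."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds)
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + _tlv(pdu_type, pdu))

def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Decode an SNMPv1/v2c message to {community, pdu_type, varbinds=[(oid, vtag, vbytes)]}, else None."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        _, _, pos = _read_tlv(msg, 0)  # version
        _, comm, pos = _read_tlv(msg, pos)
        pdu_type, pdu, _ = _read_tlv(msg, pos)
        pos = 0
        for _ in range(3):  # request-id, error-status/non-repeaters, error-index/max-repetitions
            _, _, pos = _read_tlv(pdu, pos)
        _, vbl, _ = _read_tlv(pdu, pos)
        varbinds, pos = [], 0
        while pos < len(vbl):
            _, vb, pos = _read_tlv(vbl, pos)
            _, oid_raw, vpos = _read_tlv(vb, 0)
            vtag, vraw, _ = _read_tlv(vb, vpos)
            varbinds.append((_decode_oid(oid_raw), vtag, vraw))
    except IndexError:
        return None
    return None if tag != 0x30 else {"community": comm.decode("latin-1"),
                                     "pdu_type": pdu_type, "varbinds": varbinds}

def credential_probe_oids(packet, src_ip, trusted_networks):
    """The advisory's detection rule: credential OIDs requested from outside trusted_networks (CIDR strings).
    A GetNext/GetBulk starting at a parent OID (an snmpwalk) reaches them too, so prefixes count there."""
    msg = parse_snmp(packet)
    if msg is None or msg["pdu_type"] not in (GET, GETNEXT, GETBULK):
        return []
    if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in trusted_networks):
        return []
    walk = msg["pdu_type"] != GET
    return [oid for oid, _, _ in msg["varbinds"]
            if oid in CREDENTIAL_OIDS or (walk and any(c.startswith(oid + ".") for c in CREDENTIAL_OIDS))]

def probe_device(host, community="public", port=161, timeout=3.0):
    """Live check: None if no Response (SNMP off or filtered), else {oid: 'exposed'|'absent'|'other'}."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(CREDENTIAL_OIDS, community), (host, port))
        try:
            reply = parse_snmp(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
    if reply is None or reply["pdu_type"] != RESPONSE:
        return None
    # 0x04 = OCTET STRING (a credential came back); 0x80/0x81 = noSuchObject/noSuchInstance
    return {oid: "exposed" if vtag == 0x04 and vraw else "absent" if vtag in (0x80, 0x81) else "other"
            for oid, vtag, vraw in reply["varbinds"]}
```

probe_device(host) is the only function that touches the network; everything else runs offline, so build_request and parse_snmp can also replay captured UDP/161 payloads through credential_probe_oids. An "exposed" result means the agent answered the OID with an OCTET STRING, "absent" means noSuchObject/noSuchInstance, and None means no answer, which is what an untrusted network position should see once SNMP is disabled or filtered.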
