CVE-2018-20398 – This vulnerability allows remote attackers to r... (How to Fix)

Q: What is the severity of CVE-2018-20398?

CVE-2018-20398 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to retrieve device credentials via SNMP requests using specific OIDs. It affects multiple Skyworth CM5100 cable modem models, exposing authentication information to unauthenticated network requests.

📋 TL;DR

This vulnerability allows remote attackers to retrieve device credentials via SNMP requests using specific OIDs. It affects multiple Skyworth CM5100 cable modem models, exposing authentication information to unauthenticated network requests.

💻 Affected Systems

Products:

Skyworth CM5100
Skyworth CM5100-440
Skyworth CM5100-511
Skyworth CM5100-GHD00
Skyworth CM5100.g2

Versions: V1.1.0, V1.2.1, 4.1.0.14, V1.2.2, 4.1.0.17

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default SNMP configuration across listed firmware versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to cable modems, enabling network compromise, traffic interception, device takeover, and lateral movement to connected networks.

🟠

Likely Case

Credential theft leading to unauthorized device access, configuration changes, and potential service disruption for affected customers.

🟢

If Mitigated

Limited to credential exposure without successful authentication bypass if strong access controls and network segmentation are implemented.

🌐 Internet-Facing: HIGH - SNMP is typically network-accessible, and the exploit requires no authentication, making internet-exposed devices immediately vulnerable.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows credential discovery without authentication, posing significant risk to network security.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only SNMP access and knowledge of the specific OIDs, making it trivial for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No public vendor advisory found

Restart Required: No

Instructions:

Check with Skyworth for firmware updates. If unavailable, apply workarounds immediately.

🔧 Temporary Workarounds

Disable SNMP or restrict access

all

Disable SNMP service entirely or configure access control lists to restrict SNMP access to trusted management hosts only.

# Configuration varies by device - consult device documentation for SNMP disable/ACL commands

Change default credentials

all

Change all device credentials immediately, as exposed credentials may be reused elsewhere.

# Use device web interface or CLI to change administrative passwords

🧯 If You Can't Patch

Network segmentation: Isolate affected devices in separate VLANs with strict firewall rules blocking SNMP from untrusted networks.
Monitoring and alerting: Implement network monitoring for SNMP requests to the vulnerable OIDs and set up alerts for credential exposure attempts.

🔍 How to Verify

Check if Vulnerable:

Use snmpwalk or similar SNMP tool to query iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 OIDs. If they return credential data, the device is vulnerable.

Check Version:

# Check device web interface or use SNMP to query system description OID: snmpget -v2c -c public [device_ip] .1.3.6.1.2.1.1.1.0

Verify Fix Applied:

After applying workarounds, verify SNMP service is disabled or OIDs no longer return credential data. Test from both internal and external networks.

📡 Detection & Monitoring

Log Indicators:

SNMP authentication failures
Unusual SNMP query patterns
Access from unexpected source IPs to SNMP port 161

Network Indicators:

SNMP queries to iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 or iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 OIDs
High volume of SNMP traffic to vulnerable devices

SIEM Query:

source_port=161 AND (oid="iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0" OR oid="iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0")

📊 Metadata

CVE ID: CVE-2018-20398

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-522

Published: December 23, 2018

Last Updated: November 21, 2024

🔗 References

https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv Third Party Advisory
https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html Exploit,Third Party Advisory
https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv Third Party Advisory
https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-20398, you might also want to check these: