CVE-2018-20400 – This vulnerability in Ubee DVW2108 and DVW2110 ... (How to Fix)

Q: What is the severity of CVE-2018-20400?

CVE-2018-20400 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Ubee DVW2108 and DVW2110 routers allows remote attackers to retrieve device credentials via specific SNMP OID requests. Attackers can obtain sensitive authentication information without authentication, potentially compromising the entire network. Affected users are those running vulnerable firmware versions on these specific Ubee router models.

📋 TL;DR

This vulnerability in Ubee DVW2108 and DVW2110 routers allows remote attackers to retrieve device credentials via specific SNMP OID requests. Attackers can obtain sensitive authentication information without authentication, potentially compromising the entire network. Affected users are those running vulnerable firmware versions on these specific Ubee router models.

💻 Affected Systems

Products:

Ubee DVW2108
Ubee DVW2110

Versions: DVW2108 6.28.1017 and DVW2110 6.28.2012

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default SNMP configuration that exposes sensitive OIDs without proper access controls.

📦 What is this software?

Dvw2108 Firmware by Ubeeinteractive

View all CVEs affecting Dvw2108 Firmware →

Dvw2110 Firmware by Ubeeinteractive

View all CVEs affecting Dvw2110 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network compromise where attackers gain administrative access to routers, intercept all network traffic, deploy malware, and pivot to other connected devices.

🟠

Likely Case

Attackers obtain router credentials, change configuration settings, redirect DNS, intercept sensitive data, and potentially gain access to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation, SNMP disabled, and strong perimeter controls preventing external SNMP access.

🌐 Internet-Facing: HIGH - SNMP is often exposed to WAN interfaces on consumer routers, allowing remote exploitation from anywhere on the internet.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to gain router access and pivot within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only SNMP access and knowledge of the specific OIDs (iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0). Public scripts and tools exist for this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check Ubee support for firmware updates. 2. If update available, download from official source. 3. Backup current configuration. 4. Apply firmware update via web interface. 5. Restore configuration if needed. 6. Verify SNMP is disabled or properly secured.

🔧 Temporary Workarounds

Disable SNMP Service

all

Completely disable SNMP service on affected routers to prevent credential exposure.

Access router web interface -> Advanced Settings -> SNMP -> Disable SNMP

Restrict SNMP Access

all

Configure SNMP to only allow access from trusted IP addresses with proper community strings.

Access router web interface -> Advanced Settings -> SNMP -> Set read-only community string and restrict IP access

🧯 If You Can't Patch

Replace affected routers with newer models that don't have this vulnerability
Implement network segmentation to isolate routers from critical systems and restrict SNMP traffic at firewall

🔍 How to Verify

Check if Vulnerable:

Use snmpwalk or similar SNMP tool to query OIDs iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0. If they return credential data, the device is vulnerable.

Check Version:

Check router web interface status page or use SNMP to query system description OID (1.3.6.1.2.1.1.1.0)

Verify Fix Applied:

After applying workarounds, attempt the same SNMP queries. They should return no data or access denied errors.

📡 Detection & Monitoring

Log Indicators:

Multiple SNMP requests to specific OIDs from single source
Failed login attempts following SNMP queries
Configuration changes from unknown sources

Network Indicators:

SNMP traffic to router from external IPs
SNMP queries for OIDs containing '4491.2.4.1.1.6.1'
Unusual outbound traffic patterns after SNMP access

SIEM Query:

source="router_logs" AND (oid="*4491.2.4.1.1.6.1*" OR protocol="SNMP") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2018-20400

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-522

Published: December 23, 2018

Last Updated: November 21, 2024

🔗 References

https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv Third Party Advisory
https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html Exploit,Third Party Advisory
https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv Third Party Advisory
https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-20400, you might also want to check these: