Vulnerability Note VU#213046

Virtual Access GW6110A router privilege escalation vulnerability

Original Release date: 25 Mar 2014 | Last revised: 25 Mar 2014

Overview

Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges.

Description

CWE-472: External Control of Assumed-Immutable Web Parameter

Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges by modifying a JavaScript variable that checks for user access level on the web interface.
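The following is an added example, not code from the vendor or from this note. It is a generic illustration of CWE-472 that contrasts a handler trusting an access level held by the client with one that takes the level from the server-side session and logs any mismatch. The session tokens, level values, action names and the accessLevel field are all hypothetical.

```javascript
// Constructed server-side session store (token -> account). All names and
// level values are hypothetical, not taken from GW6110A firmware.
const LEVELS = { user: 1, admin: 2 };
const sessions = new Map([
  ["tok-user-1", { name: "operator", level: LEVELS.user }],
  ["tok-admin-1", { name: "root", level: LEVELS.admin }],
]);
const ADMIN_ACTIONS = new Set(["reboot", "set-config"]);

// Weak pattern (CWE-472): the access level lives in a page script variable
// and is sent back with the request; the handler trusts that value.
function handleTrustingClient(req) {
  if (!sessions.has(req.token)) return { status: 401 };
  const level = Number(req.body.accessLevel); // client-controlled input
  if (ADMIN_ACTIONS.has(req.body.action) && level < LEVELS.admin) {
    return { status: 403 };
  }
  return { status: 200 };
}

// Hardened pattern: the level comes only from the server-side session.
// A client-supplied level is never used for the decision; a value that
// disagrees with the session is recorded so tampering can be detected.
function handleServerSide(req, log = []) {
  const session = sessions.get(req.token);
  if (!session) return { status: 401 };
  const claimed = req.body.accessLevel;
  if (claimed !== undefined && Number(claimed) !== session.level) {
    log.push(`level mismatch user=${session.name} claimed=${claimed} actual=${session.level}`);
  }
  if (ADMIN_ACTIONS.has(req.body.action) && session.level < LEVELS.admin) {
    return { status: 403 };
  }
  return { status: 200 };
}

// Constructed requests: a low-privilege session whose request carries an
// altered level, and a genuine administrator session.
function demo() {
  const altered = { token: "tok-user-1", body: { action: "set-config", accessLevel: 2 } };
  const admin = { token: "tok-admin-1", body: { action: "set-config" } };
  const log = [];
  return {
    weak: handleTrustingClient(altered).status,
    hardened: handleServerSide(altered, log).status,
    adminOk: handleServerSide(admin, log).status,
    log,
  };
}
console.log(demo());
```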

Impact

An authenticated user could escalate their privileges on the router, allowing them access to administration features.

Solution

Update

The vendor has released an update to address this vulnerability. Affected users are advised to upgrade to one of the following versions.

    Users of software branch 9.00 are advised to update to version 9.09.27 or later.
    Users of software branch 9.50 are advised to update to version 9.50.21 or later.
    Users of software branch 10.00 are advised to update to version 10.00.21 or later.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor          Status    Date Notified  Date Updated
Virtual Access  Affected  29 Jan 2014    18 Mar 2014

CVSS Metrics

Group Score Vector
Base 2.3 AV:A/AC:M/Au:S/C:P/I:N/A:N
Temporal 1.8 E:U/RL:U/RC:UC
Environmental 0.7 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to James Premo for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2014-0343
  • Date Public: 25 Mar 2014
  • Date First Published: 25 Mar 2014
  • Date Last Updated: 25 Mar 2014
  • Document Revision: 13
