CVE-2016-10116

Description

NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack.

Related CPE's

onetgeararlo_base_station_firmware********

hnetgearvms3xx0-*******

hnetgearvmb30x0-*******

hnetgearvmk3xx0-*******

onetgeararlo_q_camera_firmware********

hnetgearvmc3040-*******

onetgeararlo_q_plus_camera_firmware********

hnetgearvmc3040s-*******

References

http://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability

MitigationVendor Advisory

http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/

Third Party Advisory

95266

Third Party AdvisoryVDB Entry

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

HIGH

AttackComplexity

HIGH

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

8.1

VectorString

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Version

3.0

UserInteraction

NONE

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:N/C:C/I:C/A:C

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

NONE

ConfidentialityImpact

COMPLETE

IntegrityImpact

COMPLETE

AvailabilityImpact

COMPLETE

BaseScore

9.300000190734863

Created by Yello
About Severity.io