CVE-2019-12789 Information

Description

An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices as distributed by Telus. By attaching a UART adapter to the UART pins on the system board an attacker can use a special key sequence (Ctrl-\) to obtain a shell with root privileges. After gaining root access the attacker can mount the filesystem read-write and make permanent modifications to the device including bricking of the device disabling vendor management of the device preventing automatic upgrades and permanently installing malicious code on the device.

CVSS Vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://seclists.org/fulldisclosure/2019/Jun/10 https://www.actiontec.com/blog/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

6.8