
CVSS High 8.1 - CVE-2015-8960 with firmware 3004.388.8_2


datorexpert67

Vulnerability

Name: CVE-2015-8960
Severity: 8.1 (High)
QoD: 75 %
Host: 192.168.50.1
Location:

Detection Result

The host carries the product: cpe:/a:ietf:transport_layer_security:1.2
It is vulnerable according to: CVE-2015-8960.
The product was found at: 8443/tcp.

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.

Product Detection Result

 
So you really signed up just to post info on a vulnerability that was fixed shortly after it was found - in 2015?
 
@datorexpert67, FYI there is a specific subforum for Asus-Merlin firmware discussion:

If you have a specific question, for example "is CVE-2015-8960 patched?", it's wise to ping the firmware developer @RMerlin to see if they can respond. It also helps to check the Asus-Merlin release notes to see if the CVE has already been patched.
 
Do you have any PoC showing how this is actually exploitable? I see the report comes from a scanning tool - these are notorious for generating false positives, as they don't explicitly test for a vulnerability to be present, but just check for generic parameters such as a software version, and assume vulnerability whenever these parameters are found. In the case of this specific CVE, quite a few tools will generate a false positive whenever a service allows TLS 1.2 connections.
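The CVE text quoted above names four ClientCertificateType values (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh); in TLS 1.2 the message that asks a client for one of those types is the CertificateRequest handshake message (RFC 5246 section 7.4.4). One way to get past a version-only scanner heuristic is therefore to decode the CertificateRequest actually seen on the wire and report whether any of those types is offered. The parser below is an added example written for this thread, not code from the scanner, from ASUS or from Asus-Merlin; the two sample messages it builds are constructed, not captured from a router, and the hash/signature pairs and the empty DER name in them are placeholders.

```python
from __future__ import annotations

import struct

# ClientCertificateType values (RFC 5246 section 7.4.4, RFC 4492 section 5.5)
CLIENT_CERT_TYPES = {
    1: "rsa_sign",
    2: "dss_sign",
    3: "rsa_fixed_dh",
    4: "dss_fixed_dh",
    64: "ecdsa_sign",
    65: "rsa_fixed_ecdh",
    66: "ecdsa_fixed_ecdh",
}
# The four types named in the CVE-2015-8960 description
FIXED_DH_TYPES = {3, 4, 65, 66}
HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request


def _read_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Read a big-endian 16-bit length at pos; return (value, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated 16-bit length field")
    return int.from_bytes(buf[pos:pos + 2], "big"), pos + 2


def parse_certificate_request(handshake: bytes) -> dict:
    """Decode a TLS 1.2 Handshake message carrying a CertificateRequest.

    Wire layout: msg_type(1) length(3) body, where body is
      certificate_types<1..2^8-1>
      supported_signature_algorithms<2..2^16-2>  (pairs of hash, signature)
      certificate_authorities<0..2^16-1>         (2-byte-length-prefixed DER names)
    Every vector is bounds-checked so a truncated capture raises instead of
    silently yielding a partial answer.
    """
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    msg_type = handshake[0]
    length = int.from_bytes(handshake[1:4], "big")
    if msg_type != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError(f"not a CertificateRequest (msg_type={msg_type})")
    body = handshake[4:]
    if len(body) != length:
        raise ValueError("handshake length does not match payload")

    pos = 0
    n_types = body[pos]
    pos += 1
    cert_types = list(body[pos:pos + n_types])
    pos += n_types
    if len(cert_types) != n_types or n_types == 0:
        raise ValueError("bad certificate_types vector")

    sig_len, pos = _read_u16(body, pos)
    sig_bytes = body[pos:pos + sig_len]
    pos += sig_len
    if len(sig_bytes) != sig_len or sig_len % 2 != 0:
        raise ValueError("bad supported_signature_algorithms vector")
    sig_algs = [(sig_bytes[i], sig_bytes[i + 1]) for i in range(0, sig_len, 2)]

    ca_len, pos = _read_u16(body, pos)
    ca_bytes = body[pos:pos + ca_len]
    pos += ca_len
    if len(ca_bytes) != ca_len:
        raise ValueError("bad certificate_authorities vector")
    ca_names, q = [], 0
    while q < ca_len:
        dn_len, q = _read_u16(ca_bytes, q)
        if q + dn_len > ca_len:
            raise ValueError("truncated DistinguishedName")
        ca_names.append(ca_bytes[q:q + dn_len])
        q += dn_len
    if pos != length:
        raise ValueError("trailing bytes after certificate_authorities")

    return {
        "certificate_types": cert_types,
        "signature_algorithms": sig_algs,
        "certificate_authorities": ca_names,
    }


def fixed_dh_types_requested(handshake: bytes) -> list[str]:
    """Names of the fixed-(EC)DH client certificate types the message asks for."""
    info = parse_certificate_request(handshake)
    return [CLIENT_CERT_TYPES[t] for t in info["certificate_types"] if t in FIXED_DH_TYPES]


def build_certificate_request(cert_types, sig_algs, ca_names=()) -> bytes:
    """Assemble a CertificateRequest handshake message (used only to build the samples)."""
    types_vec = bytes([len(cert_types)]) + bytes(cert_types)
    sig_body = b"".join(bytes(pair) for pair in sig_algs)
    sig_vec = struct.pack("!H", len(sig_body)) + sig_body
    ca_body = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    ca_vec = struct.pack("!H", len(ca_body)) + ca_body
    body = types_vec + sig_vec + ca_vec
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


# Constructed samples, not captured from any device. (4, 1) = sha256/rsa, (4, 3) = sha256/ecdsa.
SAMPLE_SIG_ALGS = [(4, 1), (4, 3)]
SAMPLE_CA = [b"\x30\x00"]  # empty DER SEQUENCE standing in for a real issuer name
# Only signature-capable client certificate types: the condition named in the CVE is absent.
SAMPLE_SIGN_ONLY = build_certificate_request([1, 64], SAMPLE_SIG_ALGS, SAMPLE_CA)
# Also offers rsa_fixed_dh and rsa_fixed_ecdh: the condition is present.
SAMPLE_WITH_FIXED = build_certificate_request([1, 3, 64, 65], SAMPLE_SIG_ALGS, SAMPLE_CA)

if __name__ == "__main__":
    for label, msg in (("sign-only", SAMPLE_SIGN_ONLY), ("with-fixed", SAMPLE_WITH_FIXED)):
        print(label, msg.hex(), "->", fixed_dh_types_requested(msg) or "none")
```

Feed it the CertificateRequest bytes pulled from a packet capture of a client talking to port 8443 (or from a passive monitor). A handshake that contains no CertificateRequest at all, or one listing only the *_sign types, does not exhibit the condition the CVE description names, which is the kind of evidence a scanner that keys on "TLS 1.2 is enabled" never collects.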
 
Thanks, but nothing in the release notes. I will ping RMerlin.
 
I’m tempted to compile a list of all fixed vulnerabilities found within change logs by RMerlin & ASUS. But the effort involved in that would be quite a lot.

People need to understand that issues fixed by ASUS specifically are inherited by RMerlin through the GPLs that ASUS provides him. Additionally, if more vulnerabilities are found that can be patched by RMerlin, he usually does so instead of waiting for ASUS, which means not all vulnerabilities may be documented by RMerlin because they exist elsewhere on ASUS's website. This may be inconvenient, but it is what it is.

 
