Vulnerability Note VU#774788
Belkin N150 path traversal vulnerability
Original Release date: 18 Jun 2014 | Last revised: 18 Jun 2014

Overview
Belkin N150 wireless routers contain a path traversal vulnerability.

Description
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) – CVE-2014-2962
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system.

Impact
An unauthenticated attacker that is connected to the router’s LAN may be able to read critical system files on the router.

Solution
Belkin advises users to upgrade to firmware version 1.00.08. In addition, the following workaround is available:
Restrict Access

Ensure that appropriate firewall rules are in place to restrict access to port 80/tcp from external untrusted sources.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedBelkin, Inc.Affected10 Mar 201409 Jun 2014If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
7.8
AV:N/AC:L/Au:N/C:C/I:–/A:–

Temporal
6.1
E:POC/RL:OF/RC:C

Environmental
4.6
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.belkin.com/us/support-article?articleNum=109400
http://cwe.mitre.org/data/definitions/22.html

Credit

Thanks to Aditya Lad for reporting this vulnerability.
This document was written by Todd Lewellen.

Other Information

CVE IDs:
CVE-2014-2962

Date Public:
18 Jun 2014

Date First Published:
18 Jun 2014

Date Last Updated:
18 Jun 2014

Document Revision:
13

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply