CVE-2019-11060

HG100 contains an Uncontrolled Resource Consumption vulnerability

CVSS 7.4 HIGH · EPSS 3.0% · CWE-400
In short

The ASUS HG100 router's web server can be knocked offline by an attacker sending HTTP requests very slowly, keeping connections open and exhausting the device's resources until it stops responding to legitimate users.

Technical detail

The web API server on port 8080 in ASUS HG100 firmware ≤1.05.12 is vulnerable to Slowloris HTTP DoS attacks (CWE-400: Uncontrolled Resource Consumption). An unauthenticated attacker on the adjacent network can send HTTP headers at a slow rate to exhaust connection resources and cause service unavailability. CVSS 3.0 score 7.4 reflects high availability impact with low attack complexity.

Summary generated and translated by AI from the official description.
The web API server on port 8080 of ASUS HG100 firmware up to 1.05.12 is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
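
The server-side control that addresses the slow-header behaviour described above, as an added example (not ASUS's code and not a fix taken from the advisory): a header reader that enforces one absolute deadline and a size cap per connection. The function names, the 5-second and 8192-byte defaults, and the local socketpair check are assumptions made for illustration.

```python
import socket
import threading
import time
HEADER_END = b"\r\n\r\n"

class HeaderTimeout(Exception):
    """The client did not finish its request headers before the deadline."""

def read_headers(conn, total_deadline_s=5.0, max_bytes=8192):
    """Read one HTTP header block under an absolute deadline. A per-recv idle
    timeout resets on every byte, so dripped headers never trip it."""
    deadline = time.monotonic() + total_deadline_s
    buf = b""
    while HEADER_END not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise HeaderTimeout("headers incomplete at deadline")
        if len(buf) >= max_bytes:
            raise ValueError("header block too large")
        conn.settimeout(remaining)  # never wait past the overall deadline
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise HeaderTimeout("headers incomplete at deadline") from None
        if not chunk:
            raise ConnectionError("peer closed before headers completed")
        buf += chunk
    return buf[: buf.index(HEADER_END) + len(HEADER_END)]

def run_case(payload, gap_s, deadline_s):
    """Constructed local check: payload arrives one byte every gap_s seconds."""
    server, client = socket.socketpair()
    def feed():
        try:
            for b in payload:
                client.send(bytes([b]))
                time.sleep(gap_s)
        except OSError:
            pass  # reader gave up and closed its end
    feeder = threading.Thread(target=feed, daemon=True)
    feeder.start()
    try:
        return read_headers(server, deadline_s)
    except HeaderTimeout:
        return None  # connection would be dropped and its slot freed
    finally:
        server.close()
        feeder.join()
        client.close()
```

With a 0.05 s gap between bytes, a 0.3 s idle timeout would never fire, while the 0.3 s absolute deadline ends the connection and frees its slot.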
Affected products
ASUS · HG100 firmware
