CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
31.5%
DESCRIPTION
A logic flaw in LuCI’s HTTP routing component led to ineffective CSRF token testing for various request endpoints, specifically ones using the arcombine()
dispatch action.
This allows 3rd party web pages running in the same browser session as an active LuCI login session to perform unintended operations on the device without user intervention, such as changing firewall rules or reconfiguring the network.
*[HTTP]: Hypertext Transfer Protocol
REQUIREMENTS
In order to exploit this vulnerability, a user needs to be logged into LuCI while visiting malicious websites in the same browser session, e.g. within a different tab.
MITIGATIONS
To fix this issue, update the affected LuCI package using the command below.
opkg update; opkg upgrade luci-base
The fix is contained in the following and later versions:
OpenWrt master: git-19.282.28544-f8c6eb6
OpenWrt 19.07: git-19.282.28544-f8c6eb6
OpenWrt 18.06: git-19.282.28671-ee38da9
To workaround the problem, avoid visiting malicious sites while being logged into LuCI. Changing the default router IP and hostname can also help to mitigate the issue somewhat as CSRF exploits require predictable URL targets to work.
*[IP]: Internet Protocol
*[URL]: Uniform Resource Locator
AFFECTED VERSIONS
To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4 are affected.
The fixed LuCI packages are integrated in the OpenWrt 18.06.5, OpenWrt 19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
The issue has been reported by Abhinav Mohanty <amohant1 at uncc.edu>, Parag Mhatre <pmhatre1 at uncc.edu> and Dr. Meera Sridhar <msridhar at uncc.edu> from the University of North Carolina, Charlotte on 8th October 2019.
The issue has been fixed by Jo-Philipp Wich <jo at mein.io>
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
31.5%