Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosTalos IntelligenceTALOS-2023-1852
HistoryMay 01, 2024 - 12:00 a.m.

Milesight UR32L luci2-io file-import firmware update vulnerability

2024-05-0100:00:00
Talos Intelligence
www.talosintelligence.com
6
milesight ur32l
luci2-io
file-import
firmware update
vulnerability
network request
arbitrary
cve-2023-47166
cisco talos
industrial cellular router
vendor response

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

Talos Vulnerability Report

TALOS-2023-1852

Milesight UR32L luci2-io file-import firmware update vulnerability

May 1, 2024
CVE Number

CVE-2023-47166

SUMMARY

A firmware update vulnerability exists in the luci2-io file-import functionality of Milesight UR32L v32.3.0.7-r2. A specially crafted network request can lead to arbitrary firmware update. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.7-r2

PRODUCT URLS

UR32L - <https://www.milesight-iot.com/cellular/router/ur32l/&gt;

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-285 - Improper Authorization

DETAILS

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The UR32L router offers the functionality to upgrade the firmware with a newer one. The UR32L, throughout the whole firmware upgrade process, never checks the validity of the uploaded firmware. This allows an attacker to upgrade the router with an arbitrary firmware.

VENDOR RESPONSE

No current patch available.

TIMELINE

2023-12-06 - Vendor Disclosure
2023-12-06 - Vendor acknowledged receipt
2023-12-12 - Vendor reply
2023-12-12 - Reply to issues brought up by vendor
2023-12-14 - Request to confirm receipt
2023-12-17 - Receipt confirmed by vendor
2023-12-18 - Further clarification
2024-01-03 - Patch provided by vendor
2024-01-15 - Feedback to vendor
2024-01-17 - Vendor replies
2024-01-17 - Feedback provided to vendor
2024-02-01 - Request for a status update
2024-02-01 - New firmware provided by vendor
2024-02-07 - New firmware appears to close the vulnerability
2024-02-13 - Request for an update on the patch release status
2024-02-21 - Request for an update on the patch release status
2024-02-27 - Request for an update on the patch release status
2024-02-27 - Vendor replies with firmware release date β€œaround April”
2024-02-28 - Release date extended to April 1st
2024-04-02 - Request for an update on the firmware release
2024-04-02 - Vendor informed of upcoming publication date
2024-05-01 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

Vulnerability Reports Next Report

TALOS-2023-1889

Previous Report

TALOS-2023-1848

Related

cvelist 1
cve 1
nvd 1
talosblog 1
cvelist
cvelist
CVE-2023-47166
2024-05-01 15:31:02
cve
cve
CVE-2023-47166
2024-05-01 16:15:06
nvd
nvd
CVE-2023-47166
2024-05-01 16:15:06
talosblog
talosblog
Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution
2024-05-08 16:00:40

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON
Related for TALOS-2023-1852
cvelist1cve1nvd1talosblog1