CVE-2018-18320 in Merlin.PHPinfo

Summary

by MITRE

** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.


Analysis

by VulDB Data Team • 08/05/2024

The vulnerability identified as CVE-2018-18320 affects the Merlin.PHP component version 0.6.6 within Asuswrt-Merlin firmware systems, representing a critical security flaw that enables unauthorized command execution. This vulnerability exists within the exec.php file, which utilizes a popen function call, creating an avenue for malicious actors to inject and execute arbitrary commands on affected devices. The issue stems from insufficient input validation and improper sanitization of user-supplied parameters that are passed to the popen call, which hands them directly to the underlying operating system shell.

The technical exploitation of this vulnerability occurs through the manipulation of parameters passed to the exec.php script, which then utilizes the popen function to execute system commands without proper sanitization. This design flaw falls under the category of command injection vulnerabilities, specifically aligning with CWE-77 and CWE-88 within the Common Weakness Enumeration framework. The popen function in PHP creates a pipe to a process specified by the command argument, allowing direct execution of shell commands when user input is not properly validated or escaped. Attackers can leverage this weakness to execute malicious commands with the privileges of the web server process, potentially leading to complete system compromise.

From an operational perspective, the impact of this vulnerability extends beyond simple command execution as it fundamentally undermines the security boundaries of the affected network infrastructure. The vulnerability is particularly concerning because it enables remote code execution capabilities that can be exploited from external networks, despite the vendor's claim that the component is intended for trusted intranet use only. This misalignment between intended security posture and actual vulnerability exposure creates a significant risk for organizations that may have deployed these devices in environments where external network access is possible, or where network segmentation is inadequate. The vulnerability affects the core router functionality and can potentially enable attackers to gain persistent access to network infrastructure, modify routing tables, intercept traffic, or establish backdoors for continued access.

The vendor's statement that this component is designed for use only on trusted intranet networks does not adequately address the reality of modern network deployments, where devices may be exposed to untrusted networks or where internal network boundaries are not properly secured. This vulnerability demonstrates the importance of the principle of least privilege and of defense-in-depth strategies in network security architecture. Organizations should consider implementing network segmentation, access controls, and regular security assessments to prevent exploitation of such vulnerabilities. The recommended mitigations include immediate firmware updates from Asus when available, network segmentation to isolate affected devices, disabling unnecessary web interfaces, and implementing intrusion detection systems to monitor for suspicious command execution patterns. This vulnerability also highlights the necessity of proper input validation and the avoidance of dangerous functions like popen in web applications, aligning with ATT&CK framework techniques related to command and control operations and privilege escalation.
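The following is an added illustration of the pattern described in the analysis above and of one way to harden it; it is not code from Merlin.PHP, and the action names, binary paths and request parameter names are assumptions. The unsafe function hands a request parameter straight to popen, while the hardened function restricts callers to a fixed allowlist of actions, validates the single argument, and starts the program without a shell (the array form of proc_open, PHP 7.4 or later).

```php
<?php
// Added example, not Merlin.PHP's own code.
// run_unsafe(): the pattern the advisory describes. The string reaches
// popen() unchanged, so /bin/sh interprets whatever the request contained.
function run_unsafe(string $cmd): string {   // $cmd assumed to come from a request parameter
    $proc = popen($cmd, 'r');
    $out = stream_get_contents($proc);
    pclose($proc);
    return $out;
}

// Allowlist: action name => argv prefix (assumed paths; adjust per firmware).
const ALLOWED_ACTIONS = [
    'uptime' => ['/usr/bin/uptime'],
    'ping'   => ['/bin/ping', '-c', '1', '--'],   // '--' ends option parsing
];

function run_allowlisted(string $action, string $arg = ''): string {
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    // Conservative host/IP shape; a leading '-' is rejected so the argument
    // cannot be read as an option (argument injection, CWE-88).
    if ($arg !== '' && !preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $arg)) {
        throw new InvalidArgumentException('invalid argument');
    }
    $argv = ALLOWED_ACTIONS[$action];
    if ($arg !== '') {
        $argv[] = $arg;
    }
    // The array form of proc_open executes the program directly: no shell is
    // involved, so metacharacters such as ';' or '`' in $arg carry no meaning.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Usage: the request names an action and an argument, never a command line.
echo run_allowlisted($_GET['action'] ?? 'uptime', $_GET['arg'] ?? '');
```

Even with the allowlist, the interface should still sit behind authentication and be reachable only from the management network, as the analysis recommends.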

Reservation

10/15/2018

Disclosure

10/15/2018

Moderation

accepted

CPE

ready

EPSS

0.12706

KEV

no

Activities

very low

Sources
