CVE-2022-24372 in MR9600
Summary
by MITRE • 04/27/2022
Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share.
Analysis
by VulDB Data Team • 04/30/2022
The CVE-2022-24372 vulnerability affects Linksys MR9600 wireless routers running firmware versions prior to 2.0.5, presenting a critical security flaw that enables remote attackers to access arbitrary files through improper handling of symbolic links within Network Attached Storage SMB shares. This vulnerability resides in the device's SMB server implementation and represents a classic path traversal attack vector that exploits insufficient input validation and access control mechanisms.
The technical flaw manifests when the router processes symbolic links within SMB shares, specifically allowing attackers to create or manipulate symbolic links that point to the root directory of the NAS filesystem. This flaw enables unauthorized file system access, potentially exposing sensitive system files, configuration data, user credentials, and other confidential information stored on the connected storage device. The vulnerability operates at the application layer and can be exploited remotely without requiring authentication, making it particularly dangerous in networked environments where these devices are exposed to untrusted networks.
The operational impact of this vulnerability extends beyond simple data exposure, as it can enable attackers to escalate privileges, extract system configuration details, and potentially establish persistent access to the network infrastructure. Security professionals should recognize this as a path traversal vulnerability that aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory. The attack vector specifically maps to ATT&CK technique T1071.004 for application layer protocol usage and T1083 for file and directory discovery, indicating that adversaries could leverage this vulnerability for reconnaissance and further exploitation activities.
Organizations utilizing Linksys MR9600 devices should immediately implement firmware updates to version 2.0.5 or later, which addresses this vulnerability through proper symbolic link validation and enhanced access control mechanisms. Network segmentation and firewall rules should be implemented to restrict SMB traffic to trusted networks only, while regular security audits should verify that no symbolic links exist that could be exploited for path traversal. Additionally, monitoring should be enabled to detect unusual SMB access patterns and potential exploitation attempts, as the vulnerability can be leveraged for lateral movement within networks where these devices are integrated with storage infrastructure.
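The symbolic link audit recommended above, as an added example (not code from VulDB or Linksys): it walks the directory backing an SMB share and lists every symbolic link whose resolved target lies outside that directory. The function name and the sample layout are constructed for illustration, and the path where the storage is mounted for inspection is an assumption you supply.

```python
import os
import sys
import tempfile


def find_escaping_symlinks(share_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    share_root whose target resolves outside share_root."""
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: the audit itself must never descend through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Links to directories appear in dirnames, links to files (and
        # dangling links) in filenames, so both lists are checked.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative targets and chains of links.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_sample_share(base):
    """Constructed sample layout: one harmless link, two that escape."""
    pub = os.path.join(base, "public")
    os.makedirs(pub)
    with open(os.path.join(pub, "readme.txt"), "w") as fh:
        fh.write("sample\n")
    os.symlink("readme.txt", os.path.join(pub, "inside_link"))  # stays inside
    os.symlink("/", os.path.join(pub, "rootfs"))                # filesystem root
    os.symlink("../..", os.path.join(pub, "up"))                # relative escape
    return base


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = find_escaping_symlinks(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            hits = find_escaping_symlinks(build_sample_share(tmp))
    for link, target in hits:
        print(f"ESCAPES SHARE: {link} -> {target}")
    sys.exit(1 if hits else 0)
```

Run it with the share's mount point as the only argument; a non-zero exit status means at least one link needs review or removal.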