CVE-2024-0291 in LR1200GBinfo

Summary

by MITRE • 01/08/2024

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130. It has been rated as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249857 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/25/2024

The vulnerability identified as CVE-2024-0291 represents a critical command injection flaw in the Totolink LR1200GB router firmware version 9.1.0u.6619_B20230130. This issue resides within the UploadFirmwareFile function of the /cgi-bin/cstecgi.cgi component, making it accessible through web-based interfaces that manage router firmware updates. The vulnerability's classification as critical stems from its remote exploitability and the potential for arbitrary code execution on the affected device. The flaw specifically manifests when the FileName argument is manipulated during firmware upload operations, allowing attackers to inject malicious commands that execute with the privileges of the web server process. This represents a significant security risk as it could enable attackers to gain complete control over the router's operations, potentially leading to network compromise, data exfiltration, or the establishment of persistent backdoors.

The technical implementation of this vulnerability aligns with CWE-77 and CWE-94, which respectively address command injection and code injection flaws in web applications. The attack vector exploits the router's firmware upload functionality without requiring authentication, making it particularly dangerous for network administrators who may unknowingly initiate firmware updates from compromised systems. The vulnerability's exploitation involves crafting a malicious FileName parameter that bypasses input validation mechanisms, allowing command injection payloads to be executed within the router's operating environment. This type of vulnerability typically occurs when user-supplied input is directly incorporated into system commands without proper sanitization or escaping, creating an environment where attackers can manipulate the execution flow of legitimate system processes. The fact that this vulnerability has been publicly disclosed and is actively being used in the wild significantly increases the risk to unpatched devices, as it eliminates the element of surprise that attackers typically rely upon for successful exploitation.

The operational impact of CVE-2024-0291 extends beyond simple unauthorized access to encompass complete network compromise and potential lateral movement within affected environments. Once an attacker successfully exploits this vulnerability, they can execute arbitrary commands on the router, potentially gaining access to internal network resources, modifying firewall rules, intercepting network traffic, or establishing persistent access points. The router's role as a network gateway makes it a prime target for attackers seeking to maintain long-term access to corporate or residential networks, as it provides a stable foothold that can be used for further reconnaissance and attack progression. The vulnerability's remote exploitability means that attackers do not need physical access to the device or network, making it particularly concerning for organizations with distributed networks or remote workers who may be unknowingly using vulnerable devices. The lack of response from the vendor despite early disclosure indicates a potential delay in patch development or deployment, leaving affected users exposed to ongoing threats.

Organizations and individuals affected by this vulnerability should immediately implement mitigation strategies to reduce exposure risk. The primary recommendation involves applying vendor patches as soon as they become available, though the absence of vendor response suggests that users may need to consider alternative approaches such as firmware updates from third-party sources or network segmentation to isolate affected devices. Network monitoring should be enhanced to detect unusual traffic patterns or command execution attempts that may indicate exploitation attempts, with particular attention to outbound connections from the router or unexpected changes in network configuration. Additionally, implementing network access controls to restrict access to the router's web management interface from untrusted networks can help limit potential attack vectors. Security professionals should consider deploying intrusion detection systems that can identify command injection patterns in network traffic, as well as conducting comprehensive network assessments to identify all potentially affected devices. The vulnerability's disclosure and active use in the wild necessitates immediate action, as the window for exploitation remains open for any device that has not yet been patched or otherwise secured against this specific threat vector.

Responsible

VulDB

Reservation

01/07/2024

Disclosure

01/08/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.04407

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!