CVE-2024-0293 in LR1200GB
Summary
by MITRE • 01/08/2024
A vulnerability classified as critical was found in Totolink LR1200GB 9.1.0u.6619_B20230130. Affected by this vulnerability is the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249859. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2024
The vulnerability identified as CVE-2024-0293 represents a critical command injection flaw in the Totolink LR1200GB router firmware version 9.1.0u.6619_B20230130. This issue resides within the setUploadSetting function of the /cgi-bin/cstecgi.cgi file, which serves as a critical interface for router administration and configuration. The vulnerability manifests when an attacker manipulates the FileName argument, allowing arbitrary operating system commands to be executed within the router's environment. This represents a severe security weakness that directly compromises the device's integrity and operational security.
The technical implementation of this vulnerability aligns with CWE-77 and CWE-94, which respectively describe improper neutralization of special elements used in OS commands and improper control of generation of code. The flaw occurs because the application fails to properly sanitize or validate user input passed to the FileName parameter, creating an environment where malicious commands can be injected and executed with the privileges of the web server process. This command injection vulnerability operates at the application layer and can be exploited through the web interface, making it particularly dangerous as it requires no physical access to the device.
The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with complete control over the affected router. An attacker can execute arbitrary commands including but not limited to modifying network configurations, installing malicious software, creating backdoors, or exfiltrating sensitive data from the network. The remote exploitation capability means that adversaries can target these devices from anywhere on the internet, potentially turning them into part of a botnet or using them as pivoting points for further attacks within a network. The disclosed exploit status significantly increases the risk level as it removes the requirement for advanced exploitation techniques.
Security professionals should immediately implement network segmentation and access controls to limit exposure of these devices to external threats. Network administrators should consider disabling unnecessary services and implementing firewall rules that restrict access to the affected CGI endpoint. The vulnerability's classification as critical according to CVSS v3.1 scoring indicates that immediate remediation is essential, including firmware updates from the vendor when available. Organizations should also monitor for any suspicious network activity or unauthorized configuration changes that may indicate exploitation attempts. According to ATT&CK framework, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1566.001 (Phishing: Spearphishing Attachment) as attackers may use the compromised router as a command and control channel or through initial compromise vectors that lead to this exploitation. The lack of vendor response to early disclosure attempts further compounds the risk, leaving affected organizations without official mitigation guidance during the critical window of vulnerability exposure.