CVE-2024-0997 in N200REinfo

Summary

by MITRE • 01/29/2024

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. Affected by this issue is the function setOpModeCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument pppoeUser leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252266 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/21/2024

The vulnerability identified as CVE-2024-0997 represents a critical stack-based buffer overflow flaw in the Totolink N200RE router firmware version 9.3.5u.6139_B20201216. This issue resides within the setOpModeCfg function of the /cgi-bin/cstecgi.cgi web interface component, making it accessible through the device's web management portal. The vulnerability specifically manifests when processing the pppoeUser parameter, which serves as an input argument to the affected function. This flaw constitutes a direct violation of the CWE-121 stack-based buffer overflow weakness category, where insufficient bounds checking allows malicious input to overwrite adjacent memory locations on the stack.

The technical exploitation of this vulnerability occurs through remote manipulation of the pppoeUser parameter via the web interface, enabling an attacker to craft malicious input that exceeds the allocated buffer size. When the router processes this oversized input during the setOpModeCfg function execution, it overflows the stack buffer and potentially overwrites return addresses, function pointers, and other critical stack data. This type of buffer overflow vulnerability falls under the ATT&CK framework's technique T1210 - Exploitation of Remote Services, as it leverages network-accessible web interfaces to achieve remote code execution capabilities. The stack-based nature of the overflow means that attackers can manipulate the program's execution flow by overwriting the return address, potentially leading to arbitrary code execution on the affected device.

The operational impact of this vulnerability is severe as it provides remote attackers with the capability to completely compromise the affected router. Successful exploitation could enable attackers to gain full administrative control over the device, allowing them to modify network configurations, establish persistent backdoors, intercept network traffic, or use the compromised device as a pivot point for attacking other systems within the local network. The public disclosure of the exploit (VDB-252266) significantly increases the risk profile, as it provides threat actors with ready-made tools to target vulnerable devices. Given that this is a remote attack vector with no authentication required, any device running the affected firmware version is potentially accessible to attackers worldwide, making it particularly dangerous in unsecured or poorly managed networks.

Security mitigations for this vulnerability should begin with immediate firmware updates from the vendor, though the lack of response to prior vendor contact suggests potential delays in official patching. Network segmentation and access control measures should be implemented to limit exposure, including blocking external access to the router's web management interface and restricting internal access to trusted users only. Network monitoring should be enhanced to detect unusual traffic patterns or exploitation attempts targeting the affected web interface. Additionally, implementing web application firewalls and input validation controls at network perimeters can help detect and prevent exploitation attempts. Organizations should also consider conducting vulnerability assessments to identify other potentially affected devices within their network infrastructure, as similar vulnerabilities may exist in other router models or firmware versions. The lack of vendor response underscores the importance of proactive security measures and maintaining awareness of publicly disclosed vulnerabilities in embedded network devices.

Responsible

VulDB

Reservation

01/29/2024

Disclosure

01/29/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01250

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!