CVE-2024-1004 in N200REinfo

Summary

by MITRE • 01/29/2024

A vulnerability, which was classified as critical, was found in Totolink N200RE 9.3.5u.6139_B20201216. This affects the function loginAuth of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument http_host leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252273 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/21/2024

The vulnerability identified as CVE-2024-1004 represents a critical stack-based buffer overflow flaw in the Totolink N200RE router firmware version 9.3.5u.6139_B20201216. This issue resides within the loginAuth function of the /cgi-bin/cstecgi.cgi component, which serves as a crucial interface for authentication and administrative operations. The vulnerability specifically manifests when the http_host argument is manipulated, creating conditions that allow attackers to overflow stack memory buffers. This type of vulnerability falls under CWE-121, stack-based buffer overflow, which is classified as a high-risk vulnerability due to its potential for arbitrary code execution and system compromise. The affected device operates with a web-based management interface that processes HTTP requests through the cgi-bin framework, making it susceptible to remote exploitation without requiring physical access or authentication.

The technical exploitation of this vulnerability occurs through remote manipulation of the http_host parameter in HTTP requests sent to the router's web interface. When an attacker crafts a malicious request containing an oversized http_host value, the buffer overflow condition is triggered during the loginAuth function execution. This overflow can overwrite adjacent memory locations including return addresses and control data, potentially allowing an attacker to execute arbitrary code with the privileges of the web server process. The stack-based nature of this vulnerability means that the attack vector can be initiated through HTTP GET or POST requests, making it particularly dangerous as it requires no local network access or user interaction. The disclosure of a working exploit and assignment of VDB-252273 indicates that this vulnerability is actively being exploited in the wild, as confirmed by public exploit availability and security researcher analysis.

The operational impact of this vulnerability extends beyond simple remote code execution to encompass complete system compromise of affected routers. An attacker who successfully exploits this vulnerability could gain full administrative control over the router, enabling them to modify network configurations, redirect traffic through malicious proxies, implement man-in-the-middle attacks, or establish persistent backdoors for continued access. The compromised router could then serve as a pivot point for attacking internal network devices, potentially providing attackers with access to sensitive corporate or residential networks. This vulnerability particularly affects home and small office networks where router security is often overlooked, creating significant risk for both individual users and organizations that rely on these devices for network security. The lack of vendor response to early disclosure attempts exacerbates the risk, leaving users without official patches or mitigation guidance during an active exploitation period.

Security professionals should implement immediate network segmentation and monitoring to detect potential exploitation attempts, particularly focusing on unusual HTTP requests targeting the /cgi-bin/cstecgi.cgi endpoint. Network administrators should consider deploying intrusion detection systems with signatures specific to this vulnerability and monitor for patterns of oversized http_host parameters in web traffic. The recommended mitigation strategies include upgrading to firmware versions that address this vulnerability if available, implementing network access controls to restrict access to router management interfaces, and disabling unnecessary services on affected devices. Organizations should also consider using network monitoring tools to identify devices running vulnerable firmware versions and establish procedures for firmware updates. According to ATT&CK framework, this vulnerability maps to T1210 (Exploitation of Remote Services) and T1059 (Command and Scripting Interpreter), as attackers can leverage the compromised router for further network infiltration and command execution. The vulnerability also aligns with T1566 (Phishing) and T1071 (Application Layer Protocol) as attackers may use compromised routers for malicious web traffic routing and phishing campaign support. Given the public availability of exploits and the critical nature of this vulnerability, immediate action is required to protect network infrastructure from potential compromise.

Responsible

VulDB

Reservation

01/29/2024

Disclosure

01/29/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01276

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!