CVE-2024-28077 in A1300info

Summary

by MITRE • 08/26/2024

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/14/2025

The vulnerability identified as CVE-2024-28077 represents a critical denial-of-service flaw affecting multiple GL-iNet device models, exposing them to unauthorized session manipulation and potential system compromise. This issue stems from inadequate input validation within the device's login interface, specifically targeting the session management program that handles authentication requests. The vulnerability manifests when specially crafted usernames containing special characters such as half parentheses or square brackets are submitted to the authentication endpoint, triggering a crash in the session management service. This flaw fundamentally compromises the device's availability and accessibility, preventing legitimate users from accessing their network devices through normal authentication processes. The affected device lineup spans various product categories including routers, mesh systems, and wireless access points, with firmware versions ranging from 4.1.4 to 4.5.6 across different model series, indicating a widespread impact across GL-iNet's product portfolio.

The technical exploitation of this vulnerability demonstrates a classic buffer overflow or input sanitization failure within the authentication subsystem, which aligns with CWE-121 CWE-122 and CWE-20 categories related to buffer overflows and improper input validation. The session management program appears to lack proper bounds checking when processing username inputs, allowing maliciously formatted strings to cause memory corruption or program termination. This vulnerability directly maps to ATT&CK technique T1110.003 (Credential Access: Password Guessing) and T1499.004 (Impact: Service Stop) as it enables both unauthorized access attempts and system availability disruption. The exploitation requires minimal technical sophistication, as attackers only need to craft specific username strings and submit them to the login interface, making this vulnerability particularly dangerous in environments where devices are exposed to external networks.

The operational impact of CVE-2024-28077 extends beyond simple service disruption, potentially creating persistent access points for attackers who can exploit the device's exposure through Dynamic Domain Name System (DDNS) services. When devices are exposed to external networks, the vulnerability allows remote attackers to identify active devices by leveraging DDNS detection mechanisms, subsequently targeting the specific IP addresses and ports of vulnerable systems. This creates a cascading effect where legitimate users lose access to their network infrastructure while attackers gain intelligence about exposed devices. The vulnerability affects devices running firmware versions that have been widely deployed in both residential and small business environments, potentially compromising network security for numerous end-users. The session management crash results in complete authentication failure, forcing users to physically access devices or perform factory resets to regain access, creating significant operational disruption.

Mitigation strategies for this vulnerability require immediate firmware updates from GL-iNet, as the root cause lies within the device's authentication implementation and session management subsystem. Network administrators should implement immediate network segmentation to prevent external exposure of affected devices, particularly those running vulnerable firmware versions. The recommended approach includes disabling remote management features where possible and implementing strict firewall rules that limit access to device management interfaces to trusted networks only. Additionally, users should be advised to change default administrative credentials immediately and monitor network traffic for suspicious authentication attempts. The vulnerability highlights the importance of proper input validation in authentication systems and underscores the need for robust session management practices in embedded network devices, as outlined in NIST SP 800-160 and ISO/IEC 27034 standards for secure software development lifecycle practices. Organizations should also consider implementing intrusion detection systems to monitor for exploitation attempts and maintain detailed logs of authentication events for forensic analysis.

Responsible

MITRE

Reservation

03/03/2024

Disclosure

08/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00431

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!