CVE-2024-45261 in MT6000

Summary

by MITRE • 10/25/2024

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control.

Analysis

by VulDB Data Team • 10/29/2024

This vulnerability affects several GL-iNet router models including MT6000, MT3000, MT2500, AXT1800, and AX1800 running firmware version 4.6.2. The core issue lies in the session management implementation where session identifiers are not properly bound to individual user accounts. This represents a critical flaw in the authentication system that directly violates security principles outlined in CWE-613, which addresses insufficient session expiration and weak session management practices. The vulnerability stems from improper session binding mechanisms that allow session identifiers to be reused across different user contexts.

The technical flaw manifests when the system generates session identifiers that are not cryptographically tied to specific user credentials or account information. This creates a scenario where a successful attacker can obtain a valid session identifier from one user and subsequently use it to impersonate that user or gain unauthorized access to other accounts. The vulnerability enables what security researchers classify as session hijacking or session prediction attacks, which fall under the ATT&CK framework category of T1566 for credential access through session manipulation. The system's failure to properly validate session ownership creates a fundamental weakness in the authentication boundary.

The operational impact of this vulnerability is severe as it allows attackers to bypass standard authentication procedures entirely. Once an attacker gains access to a valid session identifier, they can escalate privileges and achieve full administrative control over the affected devices. This compromises the entire network infrastructure since these routers typically serve as gateways for network traffic and often contain sensitive configuration data. The vulnerability affects not just individual user accounts but potentially the entire device management interface, making it a critical concern for network administrators who rely on these devices for security operations. The risk is amplified because these devices are commonly deployed in enterprise and residential environments where they control network access and security policies.

Mitigation strategies should focus on implementing proper session binding mechanisms that ensure session identifiers are cryptographically tied to specific user accounts and authentication contexts. Organizations should immediately update to the latest firmware versions that address this vulnerability, as GL-iNet has likely released patches to resolve the session management flaw. Network administrators should also implement additional monitoring for unusual authentication patterns and session usage that could indicate exploitation attempts. The solution aligns with security best practices described in NIST SP 800-116 for session management and should include proper session invalidation upon user logout or session timeout. Regular security assessments of network device configurations are essential to prevent similar vulnerabilities in other network infrastructure components.
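The session binding, timeout and logout invalidation described above, as an added example that is not GL-iNet firmware code and does not reproduce the device's actual mechanism. The `SessionStore` class, its method names and the `SESSION_TTL` value are hypothetical; the weak check is shown next to the bound one.

```python
import secrets
import time

SESSION_TTL = 300  # seconds; assumed timeout, not a value from the advisory


class SessionStore:
    """Hypothetical server-side session table: SID -> (owner, expiry)."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def logout(self, sid):
        # Invalidate on logout so the SID cannot be replayed afterwards.
        self._sessions.pop(sid, None)

    def authorize_unbound(self, sid, claimed_user):
        """Weak pattern: any live SID is accepted and the identity is taken
        from the request, so the SID is not tied to the user it was issued to."""
        return claimed_user if sid in self._sessions else None

    def authorize_bound(self, sid, claimed_user, now=None):
        """Hardened pattern: identity comes from the server-side record;
        an unknown, expired or mismatched SID is rejected."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None
        owner, expires = record
        if now >= expires:
            self._sessions.pop(sid, None)  # invalidate on timeout
            return None
        if owner != claimed_user:
            return None  # SID was issued to a different account
        return owner
```

A rejected `authorize_bound` call caused by an owner mismatch is also a useful event to log, since it is the unusual session usage the monitoring advice refers to.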

Responsible: MITRE

Reservation: 08/25/2024

Disclosure: 10/25/2024

Moderation: accepted

CPE: ready

EPSS: 0.00025

KEV: no

Activities: very low
