CVE-2024-7335 in EX200info

Summary

by MITRE • 08/01/2024

A vulnerability classified as critical has been found in TOTOLINK EX200 4.0.3c.7646_B20201211. Affected is the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument http_host leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273258 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/09/2024

The vulnerability identified as CVE-2024-7335 represents a critical buffer overflow flaw within the TOTOLINK EX200 router firmware version 4.0.3c.7646_B20201211. This vulnerability exists in the web-based management interface through the cgi-bin/cstecgi.cgi script, specifically within the getSaveConfig function that handles the action=save&setting parameter. The flaw manifests when the http_host argument is manipulated, creating conditions that allow an attacker to overflow a buffer in memory, potentially leading to arbitrary code execution or system compromise. The vulnerability's classification as critical stems from its remote exploitability and the fact that a public exploit has been disclosed, making it immediately dangerous to unpatched devices. The affected device is a consumer-grade router that typically operates in home or small office environments, making it a potentially attractive target for attackers seeking to establish persistent access points within networks.

The technical implementation of this buffer overflow occurs through improper input validation within the getSaveConfig function of the web server component. When the http_host parameter is processed, the application fails to properly bounds-check the input data before copying it into a fixed-size buffer, creating an exploitable condition where attacker-controlled data can overwrite adjacent memory locations. This type of vulnerability directly maps to CWE-121, which describes stack-based buffer overflow conditions, and potentially CWE-122 for heap-based buffer overflows if the vulnerable code uses dynamic memory allocation. The attack vector requires no authentication and can be executed through a specially crafted HTTP request sent to the router's web interface, making it particularly dangerous for devices with exposed management ports. The exploitation process typically involves crafting a malicious http_host parameter that exceeds the allocated buffer size, causing memory corruption that can be leveraged to redirect program execution flow or inject malicious code.

The operational impact of this vulnerability extends beyond simple device compromise, as it enables attackers to gain unauthorized administrative access to network infrastructure. Once exploited, an attacker could modify router configurations, redirect traffic, establish persistent backdoors, or use the device as a pivot point for attacking other systems within the local network. The router's role as a network gateway makes it a critical component for maintaining network security, and its compromise could lead to widespread network disruption or data exfiltration. The vulnerability's remote exploitability means that attackers do not need physical access to the device or network access to launch attacks, significantly expanding the threat surface. Given that this is a consumer router model, many devices may remain unpatched for extended periods, particularly in environments where network administrators lack visibility into all connected devices, creating persistent attack vectors that could be used for advanced persistent threats or large-scale network intrusions.

Mitigation strategies for CVE-2024-7335 should prioritize immediate firmware updates from TOTOLINK, although the vendor's lack of response to early disclosure concerns suggests potential delays in patch availability. Network administrators should implement network segmentation to isolate affected devices from critical systems and consider disabling remote management access where possible. The ATT&CK framework's T1071.004 technique for application layer protocol: web protocols should be considered when monitoring network traffic for exploitation attempts, as attackers may attempt to leverage this vulnerability through HTTP requests. Additional defensive measures include implementing intrusion detection systems with signatures for known exploit patterns, monitoring for unusual traffic patterns to and from affected devices, and ensuring that network devices are not exposed to the public internet without proper firewall rules. Organizations should also consider conducting network scans to identify all instances of the affected router model and establish incident response procedures for potential exploitation attempts. The vulnerability highlights the importance of maintaining up-to-date firmware for network infrastructure devices and the risks associated with vendors who do not respond to security disclosures in a timely manner.

Responsible

VulDB

Disclosure

08/01/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01157

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!