CVE-2023-31473

11.05.2023, 11:15

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 80%

Vendor	Product	Version
gl-inet	gl-s20_firmware	𝑥 < 3.216
gl-inet	gl-x3000_firmware	𝑥 < 3.216
gl-inet	gl-mt3000_firmware	𝑥 < 3.216
gl-inet	gl-mt2500_firmware	𝑥 < 3.216
gl-inet	gl-mt2500a_firmware	𝑥 < 3.216
gl-inet	gl-axt1800_firmware	𝑥 < 3.216
gl-inet	gl-a1300_firmware	𝑥 < 3.216
gl-inet	gl-ax1800_firmware	𝑥 < 3.216
gl-inet	gl-sft1200_firmware	𝑥 < 3.216
gl-inet	gl-mt1300_firmware	𝑥 < 3.216
gl-inet	gl-e750_firmware	𝑥 < 3.216
gl-inet	gl-mv1000_firmware	𝑥 < 3.216
gl-inet	gl-mv1000w_firmware	𝑥 < 3.216
gl-inet	gl-s10_firmware	𝑥 < 3.216
gl-inet	gl-s200_firmware	𝑥 < 3.216
gl-inet	gl-s1300_firmware	𝑥 < 3.216
gl-inet	gl-sf1200_firmware	𝑥 < 3.216
gl-inet	gl-b1300_firmware	𝑥 < 3.216
gl-inet	gl-b2200_firmware	𝑥 < 3.216
gl-inet	gl-ap1300_firmware	𝑥 < 3.216
gl-inet	gl-ap1300lte_firmware	𝑥 < 3.216
gl-inet	gl-x1200_firmware	𝑥 < 3.216
gl-inet	gl-x750_firmware	𝑥 < 3.216
gl-inet	gl-x300b_firmware	𝑥 < 3.216
gl-inet	gl-xe300_firmware	𝑥 < 3.216
gl-inet	gl-ar750s_firmware	𝑥 < 3.216
gl-inet	gl-ar750_firmware	𝑥 < 3.216
gl-inet	gl-mifi_firmware	𝑥 < 3.216
gl-inet	gl-mt300n-v2_firmware	𝑥 < 3.216
gl-inet	gl-ar300m_firmware	𝑥 < 3.216
gl-inet	gl-usb150_firmware	𝑥 < 3.216
gl-inet	microuter-n300_firmware	𝑥 < 3.216

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary_File_Read.md

https://www.gl-inet.com

https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary_File_Read.md

https://www.gl-inet.com