Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796
Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates.
Before buying any IoT device, WiFi router, or similar piece of equipment, please make sure the vendor does:
- Offer firmware updates for download from an easy-to-find location.
- Provide an "end of life" policy stating how long a particular device will receive updates.
Alternatively, you may want to verify if the device can be "re-flashed" using an open source firmware.
But let us go back to this vulnerability. There are two URLs affected, one of which showed up in our "First Seen URLs":
/goform/sysTools
/goform/set_LimitClient_cfg
The second one has been used more in the past, the first is relatively new in our logs. The graph below shows how "set_LimitClient.cfg" is much more popular. We only saw a significant number of scans for "sysTools" on May 1st.
The full requests we are seeing:
POST /goform/set_LimitClient_cfg HTTP/1.1
Cookie: user=admin
And yes, the vulnerability evolves around the "user=admin" cookie and a command injection in the password parameter. This is too stupid to waste any more time on, but it is common enough to just give up and call it a day. The NVD entry for the vulnerability was updated last week, adding an older PoC exploit to it. Maybe that got some kids interested in this vulnerability again.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments