CVE-2017-8835
📋 TL;DR
CVE-2017-8835 is a SQL injection vulnerability in Peplink Balance router firmware: the value of the bauth cookie sent to the web administration interface (cgi-bin/MANGA/admin.cgi) is used in a SQL statement without sanitisation, so an attacker who can reach the interface can inject arbitrary SQL. Affected are Peplink Balance 305, 380, 580, 710, 1350 and 2500 devices running firmware older than fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.
💻 Affected Systems
- Peplink Balance 305
- Peplink Balance 380
- Peplink Balance 580
- Peplink Balance 710
- Peplink Balance 1350
- Peplink Balance 2500
📦 What is this software?
Peplink Balance is Peplink's line of multi-WAN load-balancing routers. The vulnerable component is the firmware's web administration interface, reached through cgi-bin/MANGA/admin.cgi, which is also where the bauth session cookie is processed.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the router: administrative access via a hijacked or forged session, theft of stored credentials and configuration, interception or redirection of the traffic that transits the device, and a foothold for lateral movement into the networks behind it.
Likely Case
Unauthenticated reads of the data the injected query can reach, which is enough for user account enumeration and for hijacking the session of a logged-in administrator, followed by unauthorised configuration changes through the normal web interface.
If Mitigated
Limited impact: the injection point is the web administration interface, so restricting that interface to a management network, segmenting the device from critical systems, and monitoring for injection attempts confines the exposure to hosts that already hold management access.
🎯 Exploit Status
Exploit code is publicly available and the attack requires no authentication. The injection point is the bauth cookie: any client that can send a request to cgi-bin/MANGA/admin.cgi can set the cookie to a crafted value, and that value is spliced into a SQL statement on the device.
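To make the bug class concrete, here is an added illustration (my own code, not Peplink's; the SQLite table, its columns and the query shape are assumptions for the example) of a session lookup that splices the bauth cookie into a SQL statement, beside the parameterised form that fixes it. It shows why an unauthenticated caller ends up with every row of the session table, including the administrator's session id:

```python
import sqlite3

# Added illustration of the CVE-2017-8835 bug class, not Peplink's code.
# Assumptions: sessions live in a SQLite table named "sessions" with columns
# (id, user, role) and the login handler looks up the row named by the bauth cookie.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT, role TEXT)")
    # Constructed sample data: one logged-in administrator, one read-only user.
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("a1b2c3d4", "admin", "admin"), ("9f8e7d6c", "viewer", "readonly")],
    )
    return db

def lookup_vulnerable(db, bauth):
    # The raw cookie value becomes part of the statement text, so a quote in
    # the cookie closes the literal and whatever follows runs as SQL.
    sql = "SELECT user, role FROM sessions WHERE id = '%s'" % bauth
    return db.execute(sql).fetchall()

def lookup_fixed(db, bauth):
    # Bound parameter: the cookie is passed as data and can never alter the query.
    return db.execute("SELECT user, role FROM sessions WHERE id = ?", (bauth,)).fetchall()

# Two constructed attacker cookies: one that makes the WHERE clause always true,
# one that appends a UNION to pull the admin's session id out of the same table.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "x' UNION SELECT id, user FROM sessions WHERE role = 'admin' --"

def demo():
    db = make_db()
    return {
        "vuln_unknown_cookie": lookup_vulnerable(db, "nope"),   # correct: no session
        "vuln_tautology": lookup_vulnerable(db, TAUTOLOGY),     # every session row
        "vuln_union": lookup_vulnerable(db, UNION_LEAK),        # admin session id leaks
        "fixed_tautology": lookup_fixed(db, TAUTOLOGY),         # no session
        "fixed_union": lookup_fixed(db, UNION_LEAK),            # no session
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION case is the one that matters operationally: the leaked id is a valid session token, so the attacker can present it as their own bauth cookie and act as the administrator without ever knowing a password, which is the session hijacking path described in the risk section.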
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093 or later
Vendor Advisory: https://www.peplink.com/support/security-vulnerabilities/
Restart Required: Yes
Instructions:
1. Log into the Peplink router web interface.
2. Navigate to System > Firmware.
3. Check for updates and install firmware version 7.0.1-build2093 or later.
4. Reboot the device after installation.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the router's web administration interface to trusted management addresses only.
Configure firewall rules (on the router and on any upstream firewall) so that only specific source IPs can reach ports 80/443 on the router. This is the workaround that actually removes exposure: the injection needs nothing more than the ability to send a request to admin.cgi.
Web Application Firewall
Deploy a WAF or reverse proxy in front of the router to detect and block SQL injection attempts.
Rules must inspect the Cookie header (the injection point is the bauth cookie, not a query or form parameter) and decode percent-encoding before matching. Treat this as a detective control rather than a fix: keyword blocklists are routinely bypassed, and a management interface is rarely fronted by a WAF, so pair it with the access restriction above.
🧯 If You Can't Patch
- Disable remote (WAN-side) administration and allow only local or management-network access to the web interface
- Implement network segmentation so that the router's management interface is isolated from critical systems and from untrusted user segments
🔍 How to Verify
Check if Vulnerable:
Check the current firmware version in the router web interface under System > Firmware. If the version is older than 7.0.1-build2093 (compare the 7.x.y-buildNNNN suffix of the firmware name), the device is vulnerable.
Check Version:
curl -sk https://[router-ip]/cgi-bin/MANGA/admin.cgi | grep -io 'version[^<"]*' || echo 'Version not shown on the login page; check System > Firmware'
The login page is not guaranteed to print the firmware version, so the System > Firmware page is authoritative. Do not send crafted bauth cookie values as a "check": a version comparison needs no cookie at all, and sending injection payloads to a production device is an attack, not a verification.
Verify Fix Applied:
Confirm firmware version is 7.0.1-build2093 or newer in System > Firmware page.
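For more than a handful of devices, the comparison is easier to script. The following is an added example (my own helper, not a Peplink tool) that extracts the 7.x.y-buildNNNN part from a firmware name as reported by the device and classifies it against the fix level on this page; version strings in the demo inventory are constructed:

```python
import re

# Added example, not Peplink tooling. Fix level from the advisory on this page:
# 7.0.1-build2093. Anything that parses as lower is vulnerable.
FIXED = (7, 0, 1, 2093)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-build(\d+)")

def parse_version(s):
    """Return (major, minor, patch, build) from strings such as
    'fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093' or
    '7.0.1-build2093'. Returns None when no such version is present."""
    m = VERSION_RE.search(s)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_vulnerable(s):
    """True when the firmware is older than the fixed build, False when at or
    above it, None when the string cannot be parsed. An unparseable banner is
    reported as unknown, never as safe."""
    v = parse_version(s)
    if v is None:
        return None
    return v < FIXED

def triage(inventory):
    """inventory: {hostname: firmware string}. Groups hosts by status."""
    out = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in inventory.items():
        state = is_vulnerable(ver)
        key = "unknown" if state is None else ("vulnerable" if state else "fixed")
        out[key].append(host)
    return out

if __name__ == "__main__":
    # Constructed inventory for the demo.
    sample = {
        "bal380-hq": "fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093",
        "bal580-branch": "7.0.0-build1985",
        "bal305-lab": "no firmware string captured",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {hosts}")
```

The tuple comparison handles the two orderings a practitioner needs: a higher 7.x release is at or above the fix even if its build number is reused, and a 7.0.1 with a lower build number than 2093 is still reported as vulnerable.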
📡 Detection & Monitoring
Log Indicators:
- SQL or SQLite error text, or HTTP 500 responses, from cgi-bin/MANGA/admin.cgi, where the device or a fronting proxy records them
- Requests to cgi-bin/MANGA/admin.cgi whose bauth cookie is not a plain session token: quotes, comment sequences (--, /*) or SQL keywords, possibly percent-encoded
- Administrative sessions appearing from sources that never completed a login (a hijacked session), or repeated failed logins followed by successful access from the same source
Network Indicators:
- SQL injection patterns in HTTP Cookie headers sent to the router, in plain or percent-encoded form (%27 for a single quote, %20 for a space)
- Traffic to the router's administration port from sources outside the management network
- SQL keywords such as UNION, SELECT or INSERT inside cookie values, which never belong in a session token
SIEM Query:
source="router_logs" AND uri="*cgi-bin/MANGA/admin.cgi*" AND (cookie="*bauth=*SELECT*" OR cookie="*bauth=*UNION*" OR cookie="*bauth=*'*" OR cookie="*bauth=*--*")
The parentheses matter: without them AND binds before OR, so a clause such as cookie="*bauth=*UNION*" would match on any URI and the admin.cgi restriction would silently apply to only the first pattern. This query also needs a log source that records the Cookie header (a reverse proxy, WAF or packet capture in front of the router); the router's own logs will generally not contain it.
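The same detection logic, applied offline to access-log lines, as an added example (my own script, not a Peplink or SIEM-vendor rule). The log layout is a constructed, simplified "combined log plus Cookie header" format such as a reverse proxy in front of the router might write, and the four sample lines are made up for the example. It applies the URI constraint first, decodes percent-encoding (including double encoding) before matching, and flags quotes and comment sequences as well as keywords:

```python
import re
from urllib.parse import unquote

# Added example, not a vendor rule. Log lines below are constructed in a
# simplified "combined log + Cookie header" layout, as a reverse proxy or WAF
# in front of the router might record them.

TARGET_URI = "/cgi-bin/MANGA/admin.cgi"

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
BAUTH_RE = re.compile(r"(?:^|;\s*)bauth=([^;]*)")
# Quotes, comment openers, and SQL keywords in statement position. Keywords are
# matched only as whole words followed by whitespace so that hex or base64
# tokens which happen to contain "or" are not flagged.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\b(?:union|select|insert|update|delete|drop)\b\s|\s(?:or|and)\s""",
    re.IGNORECASE,
)

SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2017:10:01:02 +0000] "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 512 "bauth=a1b2c3d4e5f6"',
    '203.0.113.9 - - [12/Jun/2017:10:01:07 +0000] "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 2048 "bauth=%27%20OR%20%271%27%3D%271"',
    '203.0.113.9 - - [12/Jun/2017:10:01:09 +0000] "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 500 0 "lang=en; bauth=x%2527%20UNION%20SELECT%20id,user%20FROM%20sessions--"',
    '10.0.0.7 - - [12/Jun/2017:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "bauth=%27%20OR%201=1--"',
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded) so %2527 and %27 both become a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def bauth_value(cookie_header):
    m = BAUTH_RE.search(cookie_header)
    return fully_decode(m.group(1)) if m else None

def suspicious_bauth(line):
    """Decoded bauth value when the line targets admin.cgi with an
    injection-looking cookie, otherwise None."""
    rec = parse_line(line)
    if rec is None or not rec["uri"].startswith(TARGET_URI):
        return None
    val = bauth_value(rec["cookie"])
    if val and SQLI_RE.search(val):
        return val
    return None

def scan(lines):
    """List of (source ip, decoded bauth) for every suspicious line."""
    hits = []
    for line in lines:
        val = suspicious_bauth(line)
        if val is not None:
            hits.append((parse_line(line)["src"], val))
    return hits

if __name__ == "__main__":
    for src, val in scan(SAMPLE_LOG):
        print(f"{src} -> bauth={val!r}")
```

The fourth sample line carries the same payload against /index.html and is deliberately not reported, mirroring the URI scope of the SIEM query; widen TARGET_URI if you want to see injection attempts against any path. If you know the exact format of a legitimate bauth token, an allowlist check (reject anything that is not that format) is stronger than the indicator patterns here.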