CVE-2018-13861 – This vulnerability allows unauthenticated remot... (How to Fix)

Q: What is the severity of CVE-2018-13861?

CVE-2018-13861 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated remote attackers to execute system commands including rebooting devices via a simple HTTP GET request to a specific URL. It affects Touchpad/Trivum WebTouch Setup V9 systems running firmware version V2.53 build 13163 from April 6, 2018. Organizations using these specific home automation/control systems are at risk.

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute system commands including rebooting devices via a simple HTTP GET request to a specific URL. It affects Touchpad/Trivum WebTouch Setup V9 systems running firmware version V2.53 build 13163 from April 6, 2018. Organizations using these specific home automation/control systems are at risk.

💻 Affected Systems

Products:

Touchpad / Trivum WebTouch Setup V9

Versions: V2.53 build 13163 (Apr 6 2018 09:10:14) with FW 303

Operating Systems: Embedded system firmware

Default Config Vulnerable: ⚠️ Yes

Notes: This appears to be a specific firmware build for embedded control systems. The vulnerability is in the web interface component.

📦 What is this software?

Webtouch Setup V9 Firmware by Trivum

View all CVEs affecting Webtouch Setup V9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system disruption through repeated reboots causing denial of service, potential for other undocumented command execution leading to system compromise or data loss.

🟠

Likely Case

Service disruption through device reboots, potentially affecting connected home automation or control systems.

🟢

If Mitigated

No impact if proper network segmentation and access controls prevent external access to vulnerable endpoints.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and can be exploited with a simple HTTP request, making internet-exposed devices extremely vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to disrupt operations, but requires network access to the vulnerable device.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only a web browser or curl command to send HTTP GET request to vulnerable endpoint. The advisory shows specific exploit path: /xml/system/control.xml?action=reboot

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found in provided references

Restart Required: No

Instructions:

No official patch information available. Check with Trivum/Touchpad vendor for updated firmware versions beyond V2.53 build 13163.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict network access to the WebTouch Setup interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Web Server Configuration

all

Block access to the vulnerable /xml/system/control.xml endpoint

LocationMatch "^/xml/system/control\.xml$"
    Order deny,allow
    Deny from all

🧯 If You Can't Patch

Isolate the device on a separate VLAN with strict firewall rules preventing external and unnecessary internal access
Implement network monitoring for requests to /xml/system/control.xml and alert on any access attempts

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to http://device_ip/xml/system/control.xml?action=reboot and check if device reboots. Use curl: curl -v 'http://device_ip/xml/system/control.xml?action=reboot'

Check Version:

Check web interface or device administration panel for firmware version information. Typically accessible via http://device_ip/

Verify Fix Applied:

Attempt the same exploit request after implementing workarounds - should receive access denied or connection refused

📡 Detection & Monitoring

Log Indicators:

HTTP GET requests to /xml/system/control.xml with action parameters
Unexpected system reboots or service restarts

Network Indicators:

HTTP requests to /xml/system/control.xml?action=* from unauthorized sources
Multiple reboot requests in short timeframes

SIEM Query:

source="web_logs" AND uri_path="/xml/system/control.xml" AND query_string="*action=*"

📊 Metadata

CVE ID: CVE-2018-13861

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: July 17, 2018

Last Updated: November 21, 2024

🔗 References

https://vulncode.com/advisory/CVE-2018-13861 Third Party Advisory
https://vulncode.com/advisory/CVE-2018-13861 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON