CVE-2018-20377

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to retrieve Wi-Fi credentials from Orange Livebox 00.96.320S devices via an unauthenticated web endpoint. If the admin password matches the Wi-Fi password or uses the default value, attackers can gain full administrative control. This affects Orange Livebox users with specific firmware versions.

💻 Affected Systems

Products:
  • Orange Livebox 00.96.320S
Versions: Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects Arcadyan ARV7519RW22-A-L T VR9 1.2 hardware. Risk increases if admin password equals Wi-Fi password or uses default value.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the router, including network traffic interception, device hijacking, and lateral movement into connected networks.

🟠 Likely Case: Wi-Fi credential theft leading to unauthorized network access and potential man-in-the-middle attacks.

🟢 If Mitigated: Limited to Wi-Fi credential exposure if the admin password is strong and unique.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely on port 8080 without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external threat is more significant.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to /get_getnetworkconf.cgi on port 8080 returns Wi-Fi credentials in plain text.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions from Orange

Vendor Advisory: https://badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/

Restart Required: Yes

Instructions:

1. Log into the Livebox admin interface.
2. Check for firmware updates in the system settings.
3. Apply any available update.
4. Reboot the device after the update.

🔧 Temporary Workarounds

Block port 8080 externally
Platform: Linux
Prevent external access to the vulnerable endpoint. As written, the rule below drops every packet to TCP port 8080 on all interfaces, so local management on that port stops working too; add an -i <wan_interface> match if the port must stay reachable from the LAN.

iptables -A INPUT -p tcp --dport 8080 -j DROP

Change admin and Wi-Fi passwords
Platform: All
Use strong, unique passwords for the admin interface and for Wi-Fi, and never reuse one for the other.

🧯 If You Can't Patch

  • Change admin password to a strong, unique value different from Wi-Fi password
  • Disable remote administration and restrict management interface to local network only

🔍 How to Verify

Check if Vulnerable:

curl -v http://[device_ip]:8080/get_getnetworkconf.cgi, then check whether the response contains the Wi-Fi credentials in plain text.

Check Version:

Check firmware version in Livebox admin interface under System Information

Verify Fix Applied:

Run the same curl command after patching; it should return an error or a response without credentials.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /get_getnetworkconf.cgi on port 8080 from external IPs

Network Indicators:

  • Unusual traffic to port 8080 from external sources
  • Multiple failed login attempts followed by credential retrieval

SIEM Query:

dest_port=8080 AND uri_path="/get_getnetworkconf.cgi" AND src_ip NOT IN (internal_subnets)
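The SIEM query above can also be run locally against exported web or proxy logs. The following script is an added example, not part of this advisory or of any Orange tooling: it parses a constructed, space-separated log format (source IP, destination IP:port, method, path, status), matches on the destination port 8080 that the device listens on, compares the request path against /get_getnetworkconf.cgi with any query string stripped, and reports only hits from sources outside RFC 1918 and loopback ranges, which stand in for the query's internal_subnets. The log format, the sample lines and the subnet list are assumptions for the demonstration.

```python
"""Flag external requests for the unauthenticated Livebox endpoint.

Added example, not code from the advisory. The log format, sample lines
and the INTERNAL_SUBNETS list are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumed log format: "<src_ip> <dst_ip>:<dst_port> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

VULN_PATH = "/get_getnetworkconf.cgi"   # endpoint named in the advisory
VULN_PORT = 8080                        # port the device serves it on

# Stand-in for the query's internal_subnets: RFC 1918 plus loopback.
INTERNAL_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of INTERNAL_SUBNETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never treated as trusted
    return any(addr in net for net in INTERNAL_SUBNETS)


def find_credential_probes(lines):
    """Return (src_ip, raw_line) for each external hit on the leaky endpoint.

    Malformed lines, other ports, other paths and internal sources are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if int(m["dport"]) != VULN_PORT:
            continue
        # Compare the path without any query string ("?..." suffix).
        if m["path"].split("?", 1)[0] != VULN_PATH:
            continue
        if is_internal(m["src"]):
            continue
        hits.append((m["src"], line))
    return hits


def count_by_source(lines):
    """Aggregate external hits per source address for triage."""
    return dict(Counter(src for src, _ in find_credential_probes(lines)))


# Constructed sample log: two external probes (one with a query string),
# one internal fetch, one wrong port, one wrong path and one malformed line.
SAMPLE_LOG = [
    "203.0.113.7 192.168.1.1:8080 GET /get_getnetworkconf.cgi 200",
    "192.168.1.20 192.168.1.1:8080 GET /get_getnetworkconf.cgi 200",
    "198.51.100.9 192.168.1.1:80 GET /index.html 200",
    "203.0.113.7 192.168.1.1:8080 GET /get_getnetworkconf.cgi?x=1 200",
    "this line is not in the expected format",
    "198.51.100.9 192.168.1.1:8080 POST /login.cgi 401",
]

if __name__ == "__main__":
    for src, raw in find_credential_probes(SAMPLE_LOG):
        print(f"ALERT external credential probe from {src}: {raw}")
    print("hits per source:", count_by_source(SAMPLE_LOG))
```

Successful responses (status 200) on this path from outside the LAN are the cases worth escalating first, since on unpatched firmware they mean the credentials were already returned; a follow-up of the same source reaching the admin interface supports the privilege-escalation scenario described under Risk.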
