CVE-2020-11965

9.8 CRITICAL

📋 TL;DR

CVE-2020-11965 allows an attacker who can reach port 22 to obtain a root shell over SSH, with no credentials at all, on IQrouter devices that have not completed initial configuration. It affects IQrouter systems through version 3.3.1 while they remain in the factory default state (no root password set). The vendor states that this only impacts a brand-new network before the secure password is configured during setup.

💻 Affected Systems

Products:
  • IQrouter
Versions: through 3.3.1
Operating Systems: OpenWRT-based
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable in the factory default/unconfigured state, before initial setup has set a secure root password. Inherited from OpenWrt's default behaviour: root has no password until one is set, and the dropbear SSH server accepts passwordless root logins until then.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root access, allowing attackers to install malware, steal data, pivot to other network devices, or disrupt network operations.

🟠

Likely Case

Unauthorized root access on newly deployed IQrouter devices before initial configuration, potentially leading to network reconnaissance and lateral movement.

🟢

If Mitigated

No impact on properly configured systems with secure passwords set during initial setup.

🌐 Internet-Facing: HIGH if port 22 on the WAN side reaches the SSH service while the device is still unconfigured; an attacker gets root without any authentication. Stock OpenWrt's default firewall rejects inbound WAN connections to the router itself, so check the device's actual firewall rules rather than assuming exposure either way.
🏢 Internal Only: MEDIUM for unconfigured devices on internal networks; any host on the LAN (including a compromised client) gets root on the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A plain ssh root@<device> with no password is the whole exploit. Trivial against any unconfigured device whose port 22 is reachable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A (configuration issue rather than a code fix; completing setup closes it)

Vendor Advisory: https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-

Restart Required: No

Instructions:

Complete initial configuration wizard and set secure password for root user during setup as required by vendor.

🔧 Temporary Workarounds

Disable SSH or restrict access

Firewall port 22 so that it is unreachable until the root password is set. The rule below only covers the WAN zone (stock OpenWrt already rejects inbound WAN connections to the router, so this makes the intent explicit); a LAN-side attacker is still in reach. To take SSH off the network entirely until setup is complete, stop and disable the dropbear service (/etc/init.d/dropbear stop, then /etc/init.d/dropbear disable).

uci set firewall.ssh=rule
uci set firewall.ssh.name='Drop-WAN-SSH'
uci set firewall.ssh.src='wan'
uci set firewall.ssh.proto='tcp'
uci set firewall.ssh.dest_port='22'
uci set firewall.ssh.target='DROP'
uci commit firewall
/etc/init.d/firewall restart

Set root password immediately

Set the root password from the serial console or an SSH session before (or instead of waiting for) the web configuration wizard. Dropbear stops accepting passwordless root logins as soon as a password exists; no restart is needed.

passwd root

🧯 If You Can't Patch

  • Complete initial configuration immediately with secure password
  • Disable SSH access until configuration is complete

🔍 How to Verify

Check if Vulnerable:

From a LAN host run 'ssh root@[iqrouter-ip]'. If you land in a root shell without being asked for a password, the device is vulnerable (dropbear grants the SSH "none" authentication method when root has no password). If you are prompted for a password, a root password has been set.

Check Version:

cat /etc/iqrouter-version or check the web interface; on any OpenWrt-based device, cat /etc/openwrt_release shows the underlying OpenWrt release.

Verify Fix Applied:

Run the same command again. It should prompt for a password, or be refused or time out if SSH was disabled or firewalled.
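For fleet checks, the manual test above can be made non-interactive. The script below is an added example and not from the advisory or the vendor: it assumes an OpenSSH client on the scanning host and a dropbear server on the device, which accepts the "none" authentication method (the first one OpenSSH tries) when root has no password. Password, public-key and keyboard-interactive authentication are switched off on the client side, so the only way the probe can succeed is the server waving root through with no credentials. Host names and the hypothetical probe.sh file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory): non-interactive probe for passwordless root SSH
# on IQrouter / OpenWrt-based devices, plus classification of the result.
# Assumptions: OpenSSH client locally; dropbear on the target; IPv4 or hostnames.

# Try to run `id` as root with no credentials at all. Prints ssh's combined
# stdout/stderr and returns ssh's exit status (0 on success, 255 on most failures).
probe_root_ssh() {
    host=$1
    port=${2:-22}
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o PubkeyAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 \
        -p "$port" "root@$host" id 2>&1
}

# Map an (exit status, output) pair to a verdict. Works on probe_root_ssh results
# and on constructed output, so it can be checked offline.
classify() {
    rc=$1
    out=$2
    case "$rc:$out" in
        0:*"uid=0("*)            echo "VULNERABLE" ;;      # root shell, no credentials
        *"Permission denied"*)   echo "NOT_VULNERABLE" ;;  # server demanded authentication
        *"Connection refused"*|*"timed out"*|*"No route to host"*)
                                 echo "UNREACHABLE" ;;     # SSH not exposed from here
        *)                       echo "UNKNOWN rc=$rc" ;;
    esac
}

# Probe every host given on the command line, one tab-separated verdict per line.
scan_hosts() {
    for h in "$@"; do
        out=$(probe_root_ssh "$h") && rc=0 || rc=$?
        printf '%s\t%s\n' "$h" "$(classify "$rc" "$out")"
    done
}

# Usage: sh probe.sh 192.168.1.1 192.168.2.1
if [ $# -gt 0 ]; then
    scan_hosts "$@"
fi
```

Run it only against devices you are authorised to test; a VULNERABLE verdict means the probe already executed a command as root on the target.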

📡 Detection & Monitoring

Log Indicators:

  • dropbear "Bad password attempt for 'root' from <ip>:<port>", repeated from one source (password guessing against root)
  • dropbear "Auth succeeded with blank password for 'root' from <ip>:<port>": a root session granted with no credentials at all, which is the direct indicator for this issue
  • Note that OpenWrt-based devices keep logs in a RAM ring buffer (read with logread) rather than /var/log/auth.log; forward syslog to a collector (uci set system.@system[0].log_ip='<collector-ip>') or the evidence is lost on reboot

Network Indicators:

  • SSH connections to port 22 from unexpected sources
  • Multiple SSH connection attempts to root account

SIEM Query:

"dropbear" AND ("Auth succeeded with blank password for 'root'" OR "Bad password attempt for 'root'" OR "Password auth succeeded for 'root'")

The strings are dropbear's own log messages (OpenSSH-style "Accepted password for" lines do not occur on these devices); run the query over the forwarded syslog feed from the routers.
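The query above can also be run locally over exported logread output. The script below is an added example, not part of the advisory: it triages dropbear authentication messages from an OpenWrt-based device, reporting sources that obtained root with a blank password, sources guessing the root password, and every source that has logged in as root by any method (useful for baselining legitimate admin hosts). The log lines are constructed to match dropbear's message formats and logread's timestamp layout; the script assumes IPv4 source addresses.

```shell
#!/bin/sh
# Added example (not from the advisory): triage dropbear auth messages exported
# from an OpenWrt-based IQrouter (logread output or forwarded syslog).
# The sample log below is constructed; addresses and PIDs are made up.

SAMPLE_LOG="${TMPDIR:-/tmp}/iqrouter-dropbear-sample.log"

write_sample_log() {
    cat > "$1" <<'EOF'
Wed Apr 22 10:15:03 2020 authpriv.notice dropbear[1432]: Child connection from 192.168.1.50:51234
Wed Apr 22 10:15:03 2020 authpriv.notice dropbear[1432]: Auth succeeded with blank password for 'root' from 192.168.1.50:51234
Wed Apr 22 10:16:10 2020 authpriv.notice dropbear[1440]: Child connection from 192.168.1.77:40001
Wed Apr 22 10:16:11 2020 authpriv.warn dropbear[1440]: Bad password attempt for 'root' from 192.168.1.77:40001
Wed Apr 22 10:16:14 2020 authpriv.warn dropbear[1440]: Bad password attempt for 'root' from 192.168.1.77:40001
Wed Apr 22 10:16:20 2020 authpriv.warn dropbear[1441]: Bad password attempt for 'root' from 192.168.1.77:40002
Wed Apr 22 10:20:00 2020 authpriv.notice dropbear[1450]: Password auth succeeded for 'root' from 192.168.1.10:55000
Wed Apr 22 10:20:05 2020 authpriv.info dropbear[1450]: Exit (root): Disconnect received
EOF
}

# Extract the IPv4 source address from a dropbear "... from A.B.C.D:port" line.
source_ip() {
    sed "s/.*from \([0-9.]*\):[0-9]*$/\1/"
}

# Sources granted root with no password at all: one IP per line, deduplicated.
blank_root_logins() {
    grep "dropbear.*Auth succeeded with blank password for 'root' from" "$1" \
        | source_ip | sort -u
}

# Failed root password guesses per source, as "count ip", busiest first.
failed_root_attempts() {
    grep "dropbear.*Bad password attempt for 'root' from" "$1" \
        | source_ip | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Every source that logged in as root by any method (blank, password or pubkey).
root_login_sources() {
    grep -E "dropbear.*(Auth succeeded with blank password|Password auth succeeded|Pubkey auth succeeded) for 'root' .*from" "$1" \
        | source_ip | sort -u
}

write_sample_log "$SAMPLE_LOG"
echo "Root sessions granted with a blank password from:"
blank_root_logins "$SAMPLE_LOG"
echo "Failed root password attempts (count ip):"
failed_root_attempts "$SAMPLE_LOG"
echo "All sources that have logged in as root:"
root_login_sources "$SAMPLE_LOG"
```

Point the functions at a real export (logread > /tmp/dropbear.log on the device, or the collector's syslog file) instead of the sample. Any hit from blank_root_logins on a device that is supposed to be configured means either the password was never set or it was reset, and the session should be treated as a compromise.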
