CVE-2020-11967

9.8 CRITICAL

📋 TL;DR

CVE-2020-11967 allows remote attackers to execute administrative actions (restart network, reboot, upgrade, reset) on IQrouter devices due to incorrect access control. This affects IQrouter users who have not completed initial configuration with a secure password. The vendor claims this only impacts brand-new, unconfigured networks.

💻 Affected Systems

Products:
  • IQrouter
Versions: through 3.3.1
Operating Systems: OpenWRT-based
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists only on devices that have not completed initial configuration with a secure password. Based on OpenWRT default configuration issues.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing attackers to reboot, reset to factory defaults, or install malicious firmware updates, potentially creating persistent backdoors.

🟠 Likely Case

Network disruption through forced reboots or configuration resets, causing service downtime for connected users.

🟢 If Mitigated

No impact if device has been properly configured with secure credentials during initial setup.

🌐 Internet-Facing: HIGH for unconfigured devices exposed to internet, as exploit requires no authentication.
🏢 Internal Only: MEDIUM for unconfigured devices on internal networks, as attackers would need network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are available in a public pastebin. Simple HTTP requests can trigger administrative actions without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.3.1

Vendor Advisory: https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-

Restart Required: No

Instructions:

1. Complete initial configuration wizard.
2. Set secure administrator password.
3. Update to latest IQrouter firmware if available.
4. Ensure device is not exposed to untrusted networks during setup.

🔧 Temporary Workarounds

Complete Initial Configuration

all

Force completion of initial setup wizard and set secure password

Follow configuration guide at https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-

Network Isolation During Setup

all

Configure device in isolated network environment before deployment

🧯 If You Can't Patch

  • Ensure device completes initial configuration with strong password before network deployment
  • Isolate device from untrusted networks during initial setup phase

🔍 How to Verify

Check if Vulnerable:

Check whether the device has completed initial configuration by attempting to access the admin interface without credentials. If it is accessible, the device is vulnerable.

Check Version:

Check the web interface, or over SSH run: cat /etc/version or uci get system.@system[0].hostname (the uci command prints the configured hostname, not a firmware version).

Verify Fix Applied:

Verify that a secure password is set and is required for administrative actions. Test that unauthenticated requests to administrative endpoints are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated administrative requests in web server logs
  • Unexpected device reboots or configuration changes

Network Indicators:

  • HTTP POST requests to administrative endpoints without authentication headers
  • Unusual traffic to device management interfaces

SIEM Query:

source="iqrouter" AND (url="*/cgi-bin/luci/admin/*" OR action="reboot" OR action="reset") AND NOT user!=""
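
The same conditions as the SIEM query above, as an added Python example (not code from the vendor or the advisory), for sites that only have flat log files to search. The key=value log format, the src/ts/method fields and the sample lines are assumptions constructed for illustration; only the URL pattern, the action values and the user field come from the query.

```python
import fnmatch
import shlex
from collections import Counter

ADMIN_URL_GLOB = "*/cgi-bin/luci/admin/*"  # path pattern taken from the SIEM query
ADMIN_ACTIONS = {"reboot", "reset"}        # action values taken from the SIEM query

# Constructed sample events; the key=value layout is an assumption,
# not IQrouter's actual log format.
SAMPLE_EVENTS = """\
ts=2020-04-21T10:00:01Z src=203.0.113.7 method=POST url="/cgi-bin/luci/admin/system" action=reboot user=""
ts=2020-04-21T10:00:05Z src=192.168.1.20 method=POST url="/cgi-bin/luci/admin/system" action=reboot user=admin
ts=2020-04-21T10:00:09Z src=203.0.113.7 method=POST url="/cgi-bin/luci/admin/flash" action=upgrade
ts=2020-04-21T10:00:12Z src=192.168.1.20 method=GET url="/index.html" user=""
ts=2020-04-21T10:00:15Z src=198.51.100.4 method=POST url="/api/maintenance" action=reset
"""

def parse_event(line):
    """Split one key=value log line into a dict; quoted values may be empty."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def is_unauthenticated_admin(event):
    """Admin URL or admin action, and no user recorded (same logic as the query)."""
    admin = (fnmatch.fnmatchcase(event.get("url", ""), ADMIN_URL_GLOB)
             or event.get("action") in ADMIN_ACTIONS)
    # A missing user field and an empty one both count as unauthenticated,
    # which is what NOT user!="" selects in the query.
    return admin and not event.get("user")

def detect(log_text):
    """Return the flagged events and a per-source count for triage."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = [e for e in events if is_unauthenticated_admin(e)]
    return hits, Counter(e.get("src", "unknown") for e in hits)

if __name__ == "__main__":
    hits, by_src = detect(SAMPLE_EVENTS)
    for e in hits:
        print(e["ts"], e["src"], e["method"], e["url"], e.get("action", "-"))
    print(dict(by_src))
```

The per-source count separates a single stray request from a host that is repeatedly driving administrative actions, which is the pattern worth correlating with the unexpected reboots listed under Log Indicators.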
