CVE-2020-35755
📋 TL;DR
CVE-2020-35755 is an information disclosure vulnerability in Libre Wireless LS9 devices where the luci_service daemon on port 7777 allows unauthenticated reading of NVRAM configuration data. This exposes sensitive information including Wi-Fi passwords in cleartext and service account tokens. All users of affected Libre Wireless LS9 devices with vulnerable firmware versions are impacted.
💻 Affected Systems
- Libre Wireless LS9 LS1.5/p7040
📦 What is this software?
Ls9 Firmware by Librewireless
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full access to Wi-Fi networks, compromise connected accounts (Spotify, etc.), and potentially pivot to other network devices.
Likely Case
Local network attackers extract Wi-Fi credentials and service tokens, enabling unauthorized network access and account compromise.
If Mitigated
With proper network segmentation and access controls, impact limited to isolated device compromise without lateral movement.
🎯 Exploit Status
Simple HTTP requests to port 7777 with specific commands can extract NVRAM data without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Libre Wireless for specific patched firmware version
Vendor Advisory: https://www.iot-inspector.com/blog/advisory-multiple-issues-libre-wireless-ls9/
Restart Required: Yes
Instructions:
1. Contact Libre Wireless for updated firmware. 2. Backup device configuration. 3. Apply firmware update via management interface. 4. Reboot device. 5. Verify luci_service no longer exposes NVRAM read commands.
🔧 Temporary Workarounds
Block Port 7777 Access
linuxRestrict network access to luci_service daemon on port 7777
iptables -A INPUT -p tcp --dport 7777 -j DROP
iptables -A INPUT -p udp --dport 7777 -j DROP
Disable luci_service
linuxStop and disable the vulnerable service if not required
systemctl stop luci_service
systemctl disable luci_service
🧯 If You Can't Patch
- Isolate device on separate VLAN with strict access controls
- Monitor network traffic to port 7777 for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Send HTTP request to device IP on port 7777 with command containing 'Read_' prefix and check for NVRAM data in responseCheck Version:
Check device web interface or use vendor-specific CLI commands for firmware versionVerify Fix Applied:
Attempt same request after patching - should receive error or no sensitive data📡 Detection & Monitoring
Log Indicators:
- Unusual access to port 7777
- luci_service process receiving Read_ commands
Network Indicators:
- TCP/UDP traffic to port 7777 from unauthorized sources
- HTTP requests containing 'Read_' patterns
SIEM Query:
source_port=7777 OR dest_port=7777 AND (http_uri CONTAINS 'Read_' OR http_body CONTAINS 'NVRAM')