CVE-2023-24018

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in the libzebra.so library of Milesight UR32L routers allows authenticated attackers to execute arbitrary code via specially crafted HTTP requests. This affects Milesight UR32L routers running vulnerable firmware versions. Attackers with network access and valid credentials can potentially gain full control of affected devices.

💻 Affected Systems

Products:
  • Milesight UR32L
Versions: v32.3.0.5 and earlier
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. Default credentials increase risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, and persistent backdoor installation.

🟠

Likely Case

Device takeover enabling traffic interception, credential theft, and use as pivot point for further attacks.

🟢

If Mitigated

Limited impact due to network segmentation, strong authentication controls, and restricted administrative access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is straightforward once credentials are obtained. Public technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest firmware

Vendor Advisory: https://www.milesight.com/support/

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Milesight support portal.
2. Log into the router web interface.
3. Navigate to System > Maintenance > Firmware Upgrade.
4. Upload the firmware file.
5. Apply and reboot the device.

🔧 Temporary Workarounds

Restrict Administrative Access


Limit access to router web interface to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change Default Credentials


Ensure strong, unique administrative passwords are set

🧯 If You Can't Patch

  • Segment affected routers in isolated network zones
  • Implement strict network monitoring for HTTP requests to administrative interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Status > Firmware Version

Check Version:

curl -k https://ROUTER_IP/api/system/status | grep version

Verify Fix Applied:

Confirm that the installed firmware version is newer than v32.3.0.5, then re-test HTTP requests to the security_decrypt_password endpoint to confirm the overflow no longer occurs.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login
  • Unusual HTTP POST requests to security_decrypt_password endpoint
  • Abnormal process creation in router logs

Network Indicators:

  • HTTP traffic to router administrative interface from unexpected sources
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND ("security_decrypt_password" OR "POST /api/security/decrypt")
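The log indicators above, turned into a small triage script. This is an added example, not part of the original advisory or the vendor's tooling; it assumes a constructed access-log format ("timestamp client_ip method path status detail") and a hypothetical /api/login path, since the page does not document the router's real log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real device output); format is an assumption.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 POST /api/login 401 auth_failed
2023-03-01T10:00:02Z 10.0.0.5 POST /api/login 401 auth_failed
2023-03-01T10:00:03Z 10.0.0.5 POST /api/login 401 auth_failed
2023-03-01T10:00:04Z 10.0.0.5 POST /api/login 200 auth_ok
2023-03-01T10:00:05Z 10.0.0.5 POST /api/security/decrypt 200 security_decrypt_password
2023-03-01T10:05:00Z 192.168.1.10 GET /api/system/status 200 ok
"""

TRUSTED_ADMIN_IPS = {"192.168.1.10"}   # assumed allow-list of admin sources
FAILED_LOGIN_THRESHOLD = 3
LOGIN_PATH = "/api/login"              # hypothetical; adjust to the real path

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, detail = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "detail": detail}

def analyze(log_text, trusted_ips=TRUSTED_ADMIN_IPS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, ip, timestamp) alerts for the advisory's log indicators."""
    alerts, failed, flagged_ips = [], defaultdict(int), set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Indicator: POST requests touching the security_decrypt_password endpoint
        if ev["method"] == "POST" and ("security_decrypt_password" in ev["detail"]
                                      or ev["path"].startswith("/api/security/decrypt")):
            alerts.append(("decrypt_endpoint_post", ev["ip"], ev["ts"]))
        # Indicator: admin interface traffic from an unexpected source (once per IP)
        if ev["ip"] not in trusted_ips and ev["ip"] not in flagged_ips:
            flagged_ips.add(ev["ip"])
            alerts.append(("untrusted_admin_source", ev["ip"], ev["ts"]))
        # Indicator: repeated failed logins followed by a successful one
        if ev["path"] == LOGIN_PATH:
            if ev["status"] == 401:
                failed[ev["ip"]] += 1
            elif ev["status"] == 200:
                if failed[ev["ip"]] >= threshold:
                    alerts.append(("brute_force_then_success", ev["ip"], ev["ts"]))
                failed[ev["ip"]] = 0
    return alerts
```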

🔗 References
