CVE-2023-25108
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. The vulnerability affects systems running vulnerable firmware versions and requires attacker access to the administrative interface.
💻 Affected Systems
- Milesight UR32L
📦 What is this software?
Ur32l Firmware by Milesight
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and potential data exfiltration.
Likely Case
Router takeover allowing network reconnaissance, traffic manipulation, credential harvesting, and potential use as a pivot point for attacks on internal networks.
If Mitigated
Limited impact due to network segmentation, strong access controls, and monitoring that detects exploitation attempts before successful compromise.
🎯 Exploit Status
Exploitation requires authenticated access to the router's administrative interface. The vulnerability is in the set_gre function handling remote_ip parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with vendor for latest firmware
Vendor Advisory: https://www.milesight-iot.com/support/security-advisory/
Restart Required: Yes
Instructions:
1. Check Milesight security advisory for latest firmware version. 2. Download firmware from official Milesight portal. 3. Log into router web interface. 4. Navigate to System > Firmware Upgrade. 5. Upload new firmware file. 6. Wait for automatic reboot and verification.
🔧 Temporary Workarounds
Network Segmentation
allIsolate UR32L routers from critical network segments and restrict administrative access
Access Control Restrictions
linuxLimit administrative access to specific IP addresses and implement strong authentication
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate UR32L devices from critical assets
- Enable detailed logging and monitoring for HTTP requests to administrative interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > Status > Firmware VersionCheck Version:
ssh admin@router_ip 'cat /etc/version' or check web interfaceVerify Fix Applied:
Verify firmware version is updated beyond v32.3.0.5 and test GRE configuration functionality📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to configuration endpoints
- Multiple failed authentication attempts followed by successful login
- GRE configuration changes from unexpected sources
Network Indicators:
- HTTP traffic to router administrative interface from unexpected sources
- Unusual outbound connections from router after configuration changes
SIEM Query:
source="router_logs" AND (uri="/cgi-bin/luci" OR uri="/ubus") AND (method="POST" AND size>1024)