CVE-2023-30312
📋 TL;DR
This vulnerability allows off-path attackers to hijack TCP sessions on OpenWrt routers with NAT enabled, enabling them to impersonate clients or servers. It affects OpenWrt versions 18.06 through 22.03 and beyond when using default configurations. Attackers can cause denial of service, intercept sensitive data, or deliver malicious content.
💻 Affected Systems
- OpenWrt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept financial transactions, steal credentials, manipulate critical data transfers, or completely disrupt network communications for affected devices.
Likely Case
Session hijacking leading to data interception, credential theft, or service disruption for vulnerable OpenWrt routers exposed to malicious network traffic.
If Mitigated
Limited impact with proper network segmentation, firewall rules, and monitoring; attackers would need specific network positioning and timing.
🎯 Exploit Status
Exploitation requires off-path network positioning and timing, but detailed research papers and proof-of-concept code are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check OpenWrt security advisories for specific patched versions
Vendor Advisory: https://openwrt.org/docs/guide-developer/security
Restart Required: Yes
Instructions:
1. Update OpenWrt to the latest patched version via opkg update && opkg upgrade.
2. Reboot the router after the update.
3. Verify that nf_conntrack_tcp_no_window_check is set to 0 (false).
🔧 Temporary Workarounds
Disable vulnerable conntrack setting
Set nf_conntrack_tcp_no_window_check to 0 (false) to prevent TCP sequence number leakage:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_no_window_check
sysctl -w net.netfilter.nf_conntrack_tcp_no_window_check=0
Restrict network access
Implement firewall rules to limit exposure to untrusted networks:
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 20 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable OpenWrt devices from untrusted networks
- Deploy intrusion detection systems to monitor for TCP session anomalies and hijacking attempts
🔍 How to Verify
Check if Vulnerable:
Check whether nf_conntrack_tcp_no_window_check is set to 1:
cat /proc/sys/net/netfilter/nf_conntrack_tcp_no_window_check
Check Version:
cat /etc/openwrt_release | grep VERSION
Verify Fix Applied:
Verify nf_conntrack_tcp_no_window_check is set to 0 and OpenWrt version is patched
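The verification and workaround steps above, combined into one script as an added example (this is not code from the advisory or from the OpenWrt project). The sysctl and release-file paths are parameters so the functions can be exercised against copies of the files; the override file name /etc/sysctl.d/99-cve-2023-30312.conf is an assumption, as is the reliance on OpenWrt applying /etc/sysctl.d/*.conf at boot.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenWrt itself.
# Checks the conntrack window-check sysctl and the OpenWrt release, and can
# write a persistent override so the mitigation survives a reboot.

SYSCTL_PATH=/proc/sys/net/netfilter/nf_conntrack_tcp_no_window_check
RELEASE_PATH=/etc/openwrt_release

# Returns 0 when the value is 0 (window check active, mitigated),
# 1 when the value is 1 (window check skipped, vulnerable),
# 2 when the file cannot be read or holds an unexpected value.
check_window_check() {
    f="${1:-$SYSCTL_PATH}"
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# Prints DISTRIB_RELEASE from an openwrt_release file (e.g. 22.03.5).
openwrt_version() {
    f="${1:-$RELEASE_PATH}"
    [ -r "$f" ] || return 1
    sed -n "s/^DISTRIB_RELEASE='\(.*\)'$/\1/p" "$f"
}

# Writes a sysctl.d fragment pinning the setting to 0.
# File name is an assumption for this example.
write_override() {
    out="${1:-/etc/sysctl.d/99-cve-2023-30312.conf}"
    printf 'net.netfilter.nf_conntrack_tcp_no_window_check=0\n' > "$out"
}

# One-line status; the exit code mirrors check_window_check.
report() {
    rc=0
    check_window_check "$1" || rc=$?
    ver=$(openwrt_version "$2" 2>/dev/null || true)
    case $rc in
        0) echo "OK: window check enabled (OpenWrt ${ver:-unknown})" ;;
        1) echo "VULNERABLE: nf_conntrack_tcp_no_window_check=1 (OpenWrt ${ver:-unknown})" ;;
        *) echo "UNKNOWN: cannot read sysctl value (OpenWrt ${ver:-unknown})" ;;
    esac
    return $rc
}

# Usage on a router: ./check.sh            -> report only
#                    ./check.sh --fix      -> report, then write the override
if [ "${1:-}" = "--fix" ]; then
    report "" "" || { write_override && sysctl -w net.netfilter.nf_conntrack_tcp_no_window_check=0; }
elif [ "${1:-}" = "--report" ]; then
    report "" ""
fi
```

Run with --report on the router for a status line, or with --fix to write the override and apply it immediately; the runtime sysctl -w covers the current boot and the sysctl.d fragment covers subsequent ones. Re-run the check after the next OpenWrt upgrade, since a vendor default file could reintroduce the value.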
📡 Detection & Monitoring
Log Indicators:
- Unexpected TCP RST packets
- TCP sequence number anomalies
- Multiple TCP sessions from same source with different sequence patterns
Network Indicators:
- TCP session hijacking patterns
- Unexpected TCP flag combinations
- Abnormal TCP window size changes
SIEM Query:
source="firewall.log" AND ("TCP RST" OR "sequence anomaly" OR "window violation")
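An added example of the "unexpected TCP RST" indicator applied to router log lines (this is not from the advisory). It assumes the firewall emits kernel LOG-style records ("SRC=... PROTO=TCP ... RST ...") and flags any source sending more RSTs than a threshold; the sample lines and the threshold of 3 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Counts TCP RST packets per source
# address in iptables/nftables LOG output and reports sources over a threshold.

# Prints "SRC COUNT" for each source whose RST count exceeds $2 (default 3),
# sorted by address. $1 is the log file to scan.
rst_flood_sources() {
    threshold="${2:-3}"
    awk -v t="$threshold" '
        # Only TCP records whose flag list contains RST
        /PROTO=TCP/ && / RST / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); n[src]++ }
        }
        END { for (s in n) if (n[s] > t) print s, n[s] }
    ' "$1" | sort
}

# Writes a constructed sample log to $1: one noisy source sending four RSTs,
# one source sending a single RST, and ordinary SYN/ACK traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353 LEN=80
EOF
}

# Usage: rst_flood_sources /var/log/firewall.log 10
```

On OpenWrt the lines normally come from logread rather than a file, so pipe logread output into a temporary file or adapt the function to read from stdin; the threshold should be tuned to the baseline RST rate of the network rather than taken from this sample.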
🔗 References
- https://blog.apnic.net/2024/06/18/off-path-tcp-hijacking-in-nat-enabled-wi-fi-networks/
- https://news.ycombinator.com/item?id=40723150
- https://openwrt.org/docs/guide-developer/security
- https://www.ndss-symposium.org/ndss-paper/exploiting-sequence-number-leakage-tcp-hijacking-in-nat-enabled-wi-fi-networks/