CVE-2023-31472
📋 TL;DR
This CVE describes a command injection vulnerability in GL.iNet devices that allows attackers to create empty files anywhere on the filesystem. The vulnerability affects GL.iNet devices running firmware versions before 3.216. Attackers can exploit this to potentially gain unauthorized access or disrupt system operations.
💻 Affected Systems
- GL.iNet routers and networking devices
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation, data destruction, or persistent backdoor installation by writing to critical system files.
Likely Case
Denial of service by filling disk space, creation of malicious files for future attacks, or disruption of system functionality.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting non-critical files.
🎯 Exploit Status
Exploitation requires authenticated access but the vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.216 and later
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary_File_Creation.md
Restart Required: Yes
Instructions:
1. Log into GL.iNet web interface
2. Navigate to System > Firmware
3. Check for updates and install version 3.216 or later
4. Reboot the device after installation
🔧 Temporary Workarounds
Restrict administrative access
- Limit administrative interface access to trusted networks only
- Configure firewall rules to restrict access to the GL.iNet admin interface
Disable unnecessary services
- Turn off any unused services or features that might expose the vulnerable component
- Disable remote administration if not needed
🧯 If You Can't Patch
- Isolate affected devices in a separate network segment with strict firewall rules
- Implement network monitoring for suspicious file creation activities
🔍 How to Verify
Check if Vulnerable:
Check firmware version in GL.iNet web interface under System > Firmware
Check Version:
ssh admin@device-ip 'cat /etc/glversion'
Verify Fix Applied:
Confirm firmware version is 3.216 or higher in System > Firmware
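Added example (not part of the original advisory or GL.iNet's tooling): a small checker that reads the version reported by the `cat /etc/glversion` command above and decides whether the device still runs firmware older than the 3.216 fix. The version strings it is tested against are constructed samples; the exact format of /etc/glversion and the SSH host name are assumptions.

```python
# Decide from the contents of /etc/glversion whether a GL.iNet device is still
# on firmware affected by CVE-2023-31472 (fixed in 3.216 and later).
# Version strings used here are constructed samples, not captured device output.
import re
import subprocess
from typing import Tuple

FIXED_VERSION: Tuple[int, ...] = (3, 216)


def parse_glversion(text: str) -> Tuple[int, ...]:
    """Return the first dotted numeric version in the file contents as a tuple.

    Tolerates surrounding whitespace and trailing suffixes such as "-release1"
    (an assumed form; the advisory only says the file holds the firmware version).
    """
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no firmware version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text: str) -> bool:
    """True when the reported version sorts before 3.216.

    Tuple comparison handles extra components: (3, 216, 1) >= (3, 216), and
    (4, 1, 0) > (3, 216), so a newer major release is correctly not flagged.
    """
    return parse_glversion(text) < FIXED_VERSION


def check_device(host: str) -> bool:
    """Run the advisory's SSH check against a device and return is_vulnerable().

    'host' is e.g. "admin@device-ip" (placeholder from the advisory).
    """
    result = subprocess.run(
        ["ssh", host, "cat /etc/glversion"],
        capture_output=True, text=True, check=True, timeout=30,
    )
    return is_vulnerable(result.stdout)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "admin@device-ip"
    verdict = "VULNERABLE (update to 3.216+)" if check_device(target) else "patched"
    print(f"{target}: {verdict}")
```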
📡 Detection & Monitoring
Log Indicators:
- Unexpected file creation events
- Suspicious command execution in system logs
- Authentication attempts from unusual sources
Network Indicators:
- Unusual traffic to administrative interfaces
- Multiple failed login attempts followed by successful access
SIEM Query:
source="gl-inet-logs" AND (event_type="file_creation" OR cmd_exec="*")