CVE-2023-31476
📋 TL;DR
This vulnerability allows attackers to create empty files in arbitrary locations on GL.iNet device filesystems, limited to paths/filenames of 6 characters or fewer relative to the /www directory. It affects GL.iNet devices running firmware versions before 3.216. The issue could enable further attacks by creating files in sensitive locations.
💻 Affected Systems
- GL.iNet routers and networking devices (the GL-MV1000 is specifically named in the references)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create files in critical system directories, potentially enabling privilege escalation, service disruption, or persistence mechanisms that lead to full device compromise.
Likely Case
Attackers create files in web-accessible directories to host malicious content, modify configuration files, or disrupt normal device operation through file system manipulation.
If Mitigated
With proper access controls and monitoring, impact is limited to nuisance-level file creation without the ability to execute code or access sensitive data.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests that create files. A public GitHub repository contains details and likely a proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.216 or later
Vendor Advisory: https://www.gl-inet.com
Restart Required: Yes
Instructions:
1. Log into the GL.iNet device web interface.
2. Navigate to System > Firmware Upgrade.
3. Check for updates and upgrade to version 3.216 or later.
4. Reboot the device after the upgrade completes.
🔧 Temporary Workarounds
Restrict web interface access
- Limit access to the device web interface to trusted networks only
- Configure firewall rules to restrict access to the device management interface
Disable unnecessary services
- Disable the web interface if it is not required for operation
- SSH into the device and stop the web server: /etc/init.d/uhttpd stop
- Prevent auto-start: /etc/init.d/uhttpd disable
🧯 If You Can't Patch
- Implement network segmentation to isolate GL.iNet devices from untrusted networks
- Enable logging and monitoring for file creation events in /www directory and unusual web requests
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Status) or SSH command: cat /etc/glversion
Check Version:
cat /etc/glversion
Verify Fix Applied:
Confirm the firmware version is 3.216 or higher using the same methods
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation events in /www directory
- HTTP requests attempting to create files whose path relative to /www is 6 characters or fewer
- Web server logs showing POST requests to file creation endpoints
Network Indicators:
- HTTP traffic to device management interface from unexpected sources
- Requests with file creation parameters
SIEM Query:
source="device_logs" AND ((event_type="file_create" AND path="/www/*") OR (http_method="POST" AND uri CONTAINS "file_creation"))
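The version check from "How to Verify" and the /www file-creation indicator above, as an added example (not from the original page or the vendor). It assumes the firmware version is the text of /etc/glversion and that file-creation audit events arrive as constructed lines of the form `file_create <path> size=<bytes>`; adapt the regex to your real audit source.

```python
"""Detection helpers for CVE-2023-31476 (empty-file creation under /www on GL.iNet firmware)."""
import posixpath
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (3, 216)   # first firmware version carrying the fix
WEB_ROOT = "/www"
MAX_REL_LEN = 6            # the bug only allows paths of 6 chars or fewer relative to /www


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn the contents of /etc/glversion (e.g. '3.215') into a comparable tuple."""
    parts = re.findall(r"\d+", raw.strip())
    if not parts:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(raw_version: str) -> bool:
    """True when the reported firmware predates the 3.216 fix."""
    return parse_version(raw_version) < FIXED_VERSION


def suspicious_www_creations(events: Iterable[str]) -> List[str]:
    """Return created paths matching the bug's footprint: a zero-byte file under
    /www whose path relative to /www is MAX_REL_LEN characters or fewer.
    Event format is constructed for this example: 'file_create <path> size=<n>'."""
    pat = re.compile(r"^file_create (\S+) size=(\d+)$")
    hits = []
    for line in events:
        m = pat.match(line.strip())
        if not m:
            continue                       # ignore lines that are not file-create events
        path, size = posixpath.normpath(m.group(1)), int(m.group(2))
        if not path.startswith(WEB_ROOT + "/"):
            continue                       # only /www is in scope for this indicator
        rel = path[len(WEB_ROOT) + 1:]
        if size == 0 and len(rel) <= MAX_REL_LEN:
            hits.append(path)
    return hits


# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    "file_create /www/abcdef size=0",         # hit: 6-char name, empty file
    "file_create /www/abcdefg size=0",        # miss: 7 chars, outside the bug's reach
    "file_create /www/cgi-bin/api size=2048", # miss: normal non-empty file
    "file_create /tmp/x size=0",              # miss: not under /www
    "file_create /www/x/y size=0",            # hit: 3-char relative path
    "some unrelated log line",
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("3.215"))
    print("hits:", suspicious_www_creations(SAMPLE_EVENTS))
```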