CVE-2023-37146

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK LR350 routers by injecting malicious commands into the FileName parameter during firmware upload. Attackers can gain full control of affected devices. This affects all users running the vulnerable firmware version.

💻 Affected Systems

Products:
  • TOTOLINK LR350
Versions: V9.3.5u.6369_B20220309
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. Firmware upload functionality must be accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent backdoor installation, network traffic interception, lateral movement to internal networks, and bricking of devices.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, and use as a pivot point for internal network attacks.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted WAN access and firmware uploads are disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates
2. Download latest firmware
3. Access router admin interface
4. Navigate to firmware update section
5. Upload new firmware
6. Wait for reboot

🔧 Temporary Workarounds

Disable WAN access to admin interface

Prevent external access to the vulnerable firmware upload functionality. These rules assume you can run iptables on the router itself or on a Linux firewall in front of it; the interface match is needed so that LAN administration keeps working. <WAN_IF> is a placeholder for the router's WAN interface name.

  iptables -A INPUT -i <WAN_IF> -p tcp --dport 80 -j DROP
  iptables -A INPUT -i <WAN_IF> -p tcp --dport 443 -j DROP

Block firmware upload functionality

Use a firewall rule to block access to the firmware upload endpoint. String matching only sees plaintext HTTP (not HTTPS) and inspects each packet on its own, so treat it as a stopgap rather than a fix.

  iptables -A INPUT -m string --string "UploadFirmwareFile" --algo bm -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network segmentation to prevent lateral movement from compromised devices

🔍 How to Verify

Check if Vulnerable:

Check router web interface for firmware version. If version is V9.3.5u.6369_B20220309, device is vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i version

Verify Fix Applied:

Verify firmware version has changed from vulnerable version. Test firmware upload functionality with safe test payload.

📡 Detection & Monitoring

Log Indicators:

  • Unusual firmware upload attempts
  • Command execution patterns in system logs
  • Unexpected process creation

Network Indicators:

  • HTTP POST requests to firmware upload endpoints with suspicious filenames
  • Outbound connections from router to unknown IPs

SIEM Query:

source="router.log" AND "UploadFirmwareFile" AND (FileName="*;*" OR FileName="*|*" OR FileName="*`*")
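The SIEM query above expressed as log-parsing code, as an added detection example that is not part of the original advisory. It assumes an access log that records the request line with its query string; the endpoint path, the `action=` parameter and the sample lines are constructed, and the metacharacter set is widened beyond the page's `;`, `|` and backtick to also catch `$( )`, `&` and newlines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from a real device).
# The endpoint path and "action=" parameter are illustrative assumptions;
# the detector keys on "UploadFirmwareFile" appearing in the request target,
# as the page's own iptables rule and SIEM query do.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /cgi-bin/luci/?action=UploadFirmwareFile&FileName=firmware.bin HTTP/1.1" 200 12
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /cgi-bin/luci/?action=UploadFirmwareFile&FileName=fw.bin%3Bid HTTP/1.1" 200 12
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "POST /cgi-bin/luci/?action=UploadFirmwareFile&FileName=fw%24%28id%29.bin HTTP/1.1" 200 12
203.0.113.12 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/luci/ HTTP/1.1" 200 4096
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO"
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Shell metacharacters that let a filename break out of a command string.
# Wider than the SIEM query's ; | ` so that $( ), & and newlines are caught too.
META_RE = re.compile(r'[;|`&\n]|\$\(')


def suspicious_uploads(log_text):
    """Return (source IP, timestamp, decoded FileName) for every firmware-upload
    POST whose FileName parameter contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m['method'] != 'POST' or 'UploadFirmwareFile' not in m['target']:
            continue
        # parse_qs percent-decodes, so %3B and %24%28 are inspected as ; and $(
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for name in params.get('FileName', []):
            if META_RE.search(name):
                hits.append((m['src'], m['ts'], name))
    return hits


if __name__ == '__main__':
    for src, ts, name in suspicious_uploads(SAMPLE_LOG):
        print(f'{ts} {src} suspicious FileName={name!r}')
```

On a real device the FileName parameter may arrive in the POST body rather than the query string, so the same check should be applied to whatever field the logging layer exposes for request bodies.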

🔗 References
