CVE-2023-37172 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2023-37172?

CVE-2023-37172 has a CVSS score of 9.8 (CRITICAL). This CVE describes a command injection vulnerability in TOTOLINK A3300R routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the vulnerable setDiagnosisCfg function. This affects users of TOTOLINK A3300R routers with the vulnerable firmware version.

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLINK A3300R routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the vulnerable setDiagnosisCfg function. This affects users of TOTOLINK A3300R routers with the vulnerable firmware version.

💻 Affected Systems

Products:

TOTOLINK A3300R

Versions: V17.0.0cu.557_B20221024

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only this specific firmware version is confirmed vulnerable. Other versions may also be affected but not confirmed.

📦 What is this software?

A3300r Firmware by Totolink

View all CVEs affecting A3300r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing complete router takeover, credential theft, network pivoting to internal systems, and persistent backdoor installation.

🟠

Likely Case

Router compromise leading to network traffic interception, DNS hijacking, credential harvesting, and use as attack platform against internal network.

🟢

If Mitigated

Limited impact with proper network segmentation, firewall rules blocking WAN access to management interfaces, and regular credential rotation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability can be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains proof-of-concept exploit code. Exploitation requires sending HTTP request to vulnerable endpoint with malicious payload in ip parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Implement strict firewall rules to block all WAN access to router management interface (typically port 80/443)
Change default credentials and implement strong password policies for router admin access

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is V17.0.0cu.557_B20221024, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Information page

Verify Fix Applied:

After firmware update, verify version has changed from vulnerable version. Test if command injection payloads are rejected.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to setDiagnosisCfg endpoint
Commands with shell metacharacters in ip parameter
Multiple failed login attempts followed by successful command execution

Network Indicators:

HTTP requests containing shell commands in parameters
Unusual outbound connections from router to external IPs
DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/setDiagnosisCfg" OR param="ip" AND value MATCHES "[;&|`$()]+")

📊 Metadata

CVE ID: CVE-2023-37172

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: July 7, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/kafroc/Vuls/tree/main/TOTOLINK/A3300R/cmdi_3 Exploit,Third Party Advisory
https://github.com/kafroc/Vuls/tree/main/TOTOLINK/A3300R/cmdi_3 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37172, you might also want to check these: