CVE-2023-37567 – A critical command injection vulnerability in E... (How to Fix)

Q: What is the severity of CVE-2023-37567?

CVE-2023-37567 has a CVSS score of 9.8 (CRITICAL). A critical command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows remote unauthenticated attackers to execute arbitrary commands by sending specially crafted requests to the web management interface. This affects multiple router models across various versions, enabling complete device compromise. All affected devices with exposed web management interfaces are vulnerable.

📋 TL;DR

A critical command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows remote unauthenticated attackers to execute arbitrary commands by sending specially crafted requests to the web management interface. This affects multiple router models across various versions, enabling complete device compromise. All affected devices with exposed web management interfaces are vulnerable.

💻 Affected Systems

Products:

WRC-1167GHBK3-A
WRC-F1167ACF2
WRC-600GHBK-A
WRC-733FEBK2-A
WRC-1467GHBK-A
WRC-1900GHBK-A
LAN-W301NR

Versions: WRC-1167GHBK3-A v1.24 and earlier, all versions for other models

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected models in default configuration are vulnerable. Web management interface typically enabled by default.

📦 What is this software?

Wrc 1167ghbk3 A Firmware by Elecom

View all CVEs affecting Wrc 1167ghbk3 A Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover leading to network compromise, data interception, malware deployment, and use as attack platform

🟠

Likely Case

Router configuration modification, credential theft, network traffic monitoring, and persistent backdoor installation

🟢

If Mitigated

Limited impact if web interface is not internet-facing and network segmentation is in place

🌐 Internet-Facing: HIGH - Directly exploitable from internet if web interface is exposed

🏢 Internal Only: HIGH - Still exploitable from internal network without authentication

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Unauthenticated remote exploitation with simple HTTP requests. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WRC-1167GHBK3-A v1.25, other models check vendor advisories

Vendor Advisory: https://www.elecom.co.jp/news/security/20230711-01/

Restart Required: Yes

Instructions:

1. Check router model and current firmware version. 2. Visit ELECOM/LOGITEC support site. 3. Download latest firmware for your model. 4. Access router web interface. 5. Navigate to firmware update section. 6. Upload and apply firmware update. 7. Reboot router.

🔧 Temporary Workarounds

Disable Web Management Interface

all

Disable remote access to router web management interface

Access router admin panel -> Security/Remote Management -> Disable remote administration

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Disable WAN access to router web interface immediately
Implement strict firewall rules blocking all external access to router management ports

🔍 How to Verify

Check if Vulnerable:

Check router model and firmware version against affected list. If model matches and firmware is vulnerable version, device is vulnerable.

Check Version:

Access router web interface -> Status/System Information -> Check firmware version

Verify Fix Applied:

Verify firmware version updated to patched version. Test that command injection attempts no longer succeed.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to router management port
Multiple failed login attempts followed by command execution patterns
Router configuration changes from unknown sources

Network Indicators:

HTTP POST requests with shell metacharacters to router management port
Outbound connections from router to unusual destinations
Sudden changes in router network behavior

SIEM Query:

source="router_logs" AND (http_method="POST" AND (uri_contains="cgi-bin" OR uri_contains="admin") AND (http_content CONTAINS "$" OR http_content CONTAINS "|" OR http_content CONTAINS ";" OR http_content CONTAINS "`"))

📊 Metadata

CVE ID: CVE-2023-37567

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: July 13, 2023

Last Updated: November 21, 2024

🔗 References

https://jvn.jp/en/vu/JVNVU91850798/ Third Party Advisory
https://www.elecom.co.jp/news/security/20230711-01/ Vendor Advisory
https://www.elecom.co.jp/news/security/20230810-01/
https://jvn.jp/en/vu/JVNVU91850798/ Third Party Advisory
https://www.elecom.co.jp/news/security/20230711-01/ Vendor Advisory
https://www.elecom.co.jp/news/security/20230810-01/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37567, you might also want to check these: