CVE-2023-38946

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass authentication on Multilaser RE160 routers by supplying a specially crafted cookie, granting complete administrative access to the web interface. It affects RE160 routers running firmware v5.07.51_pt_MTL01 or v5.07.52_pt_MTL01. Because the bypass substitutes for login entirely, it can be exploited remotely without valid credentials wherever the web interface is reachable.

💻 Affected Systems

Products:
  • Multilaser RE160 Router
Versions: Firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The CVE enumerates only the Portuguese (pt) MTL01 builds listed above. Other language builds or models are not covered by the advisory, which does not mean they are confirmed unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router administration, allowing attackers to change network settings, intercept traffic, install malicious firmware, or use the router as a pivot point into the internal network.

🟠

Likely Case

Unauthorized access to router configuration, enabling attackers to change DNS settings, redirect traffic, or disable security features.

🟢

If Mitigated

Limited impact if router is behind additional firewalls, has restricted administrative access, or uses strong network segmentation.

🌐 Internet-Facing: HIGH - The exploit needs no credentials, so any RE160 whose web interface is reachable from the WAN (remote management enabled, or the admin port forwarded) can be taken over remotely with a single crafted request.
🏢 Internal Only: MEDIUM - Consumer routers normally expose the admin interface on the LAN side only, so the attacker must already be on the internal network; but the bypass works just as well from there, and any compromised host or untrusted device on the LAN can use it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit involves crafting a specific cookie value to bypass authentication checks. Details are publicly available in the referenced disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is currently available. Monitor Multilaser's website for firmware updates addressing CVE-2023-38946.

🔧 Temporary Workarounds

Disable Remote Administration

Applies to: all affected versions

Prevent WAN-side access to the router's web interface by disabling remote administration (and removing any port forward to the admin port). This does not remove the vulnerability: the bypass still works for anyone who can reach the interface from the LAN.

Access router admin panel > Advanced Settings > Remote Management > Disable (menu labels vary between firmware builds; confirm the management port is not reachable from the WAN afterwards.)

Change Default Admin Credentials

Applies to: all affected versions

This does not help against CVE-2023-38946 itself, since the crafted cookie replaces the login step and the password is never checked. It is still worth doing because it closes the separate, credential-based path into the same interface (default or guessed passwords).

Access router admin panel > System Tools > Change Password

🧯 If You Can't Patch

  • Segment the router on a dedicated network VLAN to limit lateral movement if compromised.
  • Implement network monitoring to detect unusual administrative access patterns or configuration changes.

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the admin interface: Login > Status > Firmware Version. If the version is v5.07.51_pt_MTL01 or v5.07.52_pt_MTL01, the device is one of the builds named in the CVE. Other builds are not covered by the advisory and should not be assumed safe without testing.

Check Version:

There is no command-line or SNMP version check on this device; read the version from the web interface status page, http://router_ip/status.asp.

Verify Fix Applied:

Verify that the firmware has been updated to a version Multilaser states addresses CVE-2023-38946; a version number merely later than v5.07.52_pt_MTL01 is not by itself evidence of a fix. Then test the bypass directly: request an authenticated admin page with no session cookie (expect a login redirect or error), and again with the crafted cookie from the public disclosure (it must still be rejected). Perform this test only on devices you are authorised to assess.
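The verification steps above (read the firmware version from the status page, then probe an admin page with and without the crafted cookie) as a small script. This is an added example for this page, not Multilaser's tooling. It assumes the version string appears in the status page HTML, that the hypothetical path ADMIN_PAGE is served only to logged-in sessions, and that the operator supplies the cookie value from the public disclosure via --cookie; that value is deliberately not reproduced here.

```python
"""Version and bypass check for CVE-2023-38946 on a Multilaser RE160.

Added example, not vendor tooling. Assumptions: the firmware version is
plain text in the status page HTML; ADMIN_PAGE (hypothetical) is served only
to authenticated sessions; the crafted cookie comes from the operator.
"""
import argparse
import re
import urllib.error
import urllib.request

# The two builds enumerated by the CVE. Anything else is "not listed", which
# is not the same as "fixed": there is no vendor fix version to compare against.
VULNERABLE_VERSIONS = frozenset({"v5.07.51_pt_MTL01", "v5.07.52_pt_MTL01"})
VERSION_RE = re.compile(r"v\d+\.\d+\.\d+_[a-z]{2}_MTL\d+")

STATUS_PAGE = "/status.asp"        # the page cited in the verification step
ADMIN_PAGE = "/system_tools.asp"   # hypothetical authenticated page


def extract_version(html):
    """Return the first RE160-style firmware version string in the page, or None."""
    m = VERSION_RE.search(html)
    return m.group(0) if m else None


def is_listed_vulnerable(version):
    """True only for the builds the CVE names."""
    return version in VULNERABLE_VERSIONS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so a login redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, cookie=None, timeout=5):
    """GET url without following redirects; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-38946-check"})
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def looks_like_login_gate(status, body):
    """Heuristic: a redirect, an auth challenge, or a page carrying a password field."""
    return status in (301, 302, 303, 307, 401, 403) or 'type="password"' in body.lower()


def classify_probe(baseline, with_cookie):
    """Compare the admin page fetched with no cookie (baseline) and with the
    crafted cookie. Only a change from 'gated' to a 200 without a login form
    counts as a bypass; a page that was reachable anyway proves nothing."""
    if not looks_like_login_gate(*baseline):
        return "unprotected"
    if looks_like_login_gate(*with_cookie):
        return "protected"
    if with_cookie[0] == 200:
        return "bypass"
    return "inconclusive"


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="e.g. http://192.168.0.1")
    ap.add_argument("--cookie", help="Cookie header value from the public disclosure")
    args = ap.parse_args()

    status, body = fetch(args.target + STATUS_PAGE)
    version = extract_version(body)
    print(f"status page: HTTP {status}, firmware version: {version}")
    if version and is_listed_vulnerable(version):
        print("version is listed in CVE-2023-38946")

    if args.cookie:
        baseline = fetch(args.target + ADMIN_PAGE)
        probed = fetch(args.target + ADMIN_PAGE, cookie=args.cookie)
        print(f"admin page probe: {classify_probe(baseline, probed)}")


if __name__ == "__main__":
    main()
```

Run it as `python3 check.py --target http://192.168.0.1 --cookie '<value from disclosure>'`. The probe compares two responses rather than trusting a single 200, because an admin page that is reachable with no cookie at all tells you nothing about the cookie check; the script reports that case as "unprotected" instead of claiming a bypass.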

📡 Detection & Monitoring

Log Indicators:

  • Admin page access or configuration changes from a client that has no preceding successful login event (the bypass skips the login step entirely, so there may be no login record at all)
  • Admin logins or admin page hits from unusual or WAN-side IP addresses
  • Configuration changes (DNS, WAN, firmware) without corresponding legitimate admin activity

Network Indicators:

  • HTTP requests to admin pages carrying a cookie the router never issued (no Set-Cookie from a prior login for that client)
  • Unusual outbound traffic from the router (changed DNS resolvers, connections to unknown hosts) suggesting compromise

SIEM Query:

(http.url:"/admin/*" AND http.cookie:"*crafted_value*") OR (event.action:"configuration_change" AND device.vendor:"Multilaser" AND device.model:"RE160")

Replace `/admin/*` with the RE160's real admin page paths and `*crafted_value*` with the cookie value from the public disclosure. The parentheses matter: without them the query reads as `cookie match OR (config change AND vendor AND model)` in most engines and silently drops the vendor filter from the first clause. Note that the router itself does not ship HTTP access logs to a SIEM; these fields only exist if a proxy, IDS or flow sensor in front of the admin interface records the requests.
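The log and network indicators above, as detection logic over sample access-log lines. This is an added example for this page, not a Multilaser or SIEM vendor rule. The log format is constructed for the example ("<iso-time> <client-ip> <method> <path> <status> <cookie-or-dash>"), and LOGIN_PATH, ADMIN_PATHS and the LAN prefix are assumptions to be mapped onto the real RE160 paths and your subnet. The rules deliberately key on behaviour (an admin page served to a client that never logged in, or to a client outside the LAN) rather than on the crafted cookie's value, so they also catch a bypass cookie whose exact value you do not know.

```python
"""Flag admin-interface access that bypassed login, from router HTTP access logs.

Added example, not vendor tooling. Log format, LOGIN_PATH, ADMIN_PATHS and the
LAN prefix are assumptions constructed for this page.
"""
import ipaddress
from collections import namedtuple

Alert = namedtuple("Alert", "ts src rule path")

LOGIN_PATH = "/login.cgi"  # hypothetical login endpoint
ADMIN_PATHS = ("/system_tools.asp", "/wan.asp", "/dns.asp", "/firmware_upgrade.asp")  # hypothetical

# Constructed sample: a legitimate LAN admin session, a LAN user reading the
# public status page, then a WAN client reaching a config page with no login.
SAMPLE_LOG = """\
2024-05-02T09:12:01Z 192.168.0.10 POST /login.cgi 200 -
2024-05-02T09:12:03Z 192.168.0.10 GET /system_tools.asp 200 sid=8f3a1c
2024-05-02T09:40:17Z 192.168.0.23 GET /status.asp 200 -
2024-05-02T11:02:44Z 203.0.113.77 GET /status.asp 200 -
2024-05-02T11:02:45Z 203.0.113.77 GET /wan.asp 200 custom=1
2024-05-02T11:02:47Z 203.0.113.77 POST /wan.asp 200 custom=1
"""


def parse_line(line):
    """Split one log line into fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, path, status, cookie = parts
    try:
        return ts, ipaddress.ip_address(src), method, path, int(status), cookie
    except ValueError:
        return None


def detect(log_text, lan_net="192.168.0.0/24"):
    """Return Alerts for admin-page hits without a prior successful login from
    the same client, and for any admin-page hit from outside the LAN."""
    lan = ipaddress.ip_network(lan_net)
    logged_in = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, method, path, status, _cookie = rec
        if path == LOGIN_PATH and method == "POST" and status == 200:
            logged_in.add(src)  # assumption: 200 on the login POST means success
            continue
        if status != 200 or not path.startswith(ADMIN_PATHS):
            continue
        if src not in logged_in:
            alerts.append(Alert(ts, str(src), "admin-without-login", path))
        if src not in lan:
            alerts.append(Alert(ts, str(src), "admin-from-wan", path))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.src:15} {a.rule:20} {a.path}")
```

On the constructed sample the two legitimate clients produce nothing and the WAN client's two hits on /wan.asp each raise both rules. The "admin-without-login" rule is the one that matters for this CVE: a session established through the cookie bypass never passes through the login endpoint, so the absence of that event is the signal, not a failed-then-successful login pair.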

🔗 References
