CVE-2023-3991

10.0 CRITICAL

📋 TL;DR

This CVE describes a critical OS command injection vulnerability in FreshTomato router firmware's iperfrun.cgi component. Attackers can execute arbitrary commands on affected routers by sending specially crafted HTTP requests. All systems running vulnerable versions of FreshTomato are affected.

💻 Affected Systems

Products:
  • FreshTomato
Versions: 2023.3 and possibly earlier versions
Operating Systems: Linux-based router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the iperfrun.cgi component of the HTTPd service. Any FreshTomato installation with web management enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install persistent backdoors, steal credentials, pivot to internal networks, or brick the router.

🟠 Likely Case

Remote code execution leading to router takeover, network traffic interception, DNS hijacking, or botnet recruitment.

🟢 If Mitigated

Limited impact if network segmentation isolates routers and strict firewall rules prevent external access to management interfaces.

🌐 Internet-Facing: HIGH - HTTPd service is typically exposed to manage routers remotely, making internet-facing instances immediately vulnerable.
🏢 Internal Only: HIGH - Even internally accessible routers can be exploited by attackers who gain initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted HTTP request to the vulnerable endpoint. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.4 or later

Vendor Advisory: https://github.com/freshtomato-arm/freshtomato-arm/issues

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Download FreshTomato 2023.4 or later from the official repository.
3. Flash the firmware using the web interface or recovery mode.
4. Restore the configuration if compatible.

🔧 Temporary Workarounds

Disable HTTP management interface

Temporarily disable the web management interface to prevent exploitation. Note: the commands below are OpenWrt's uci/uhttpd tooling. FreshTomato is not OpenWrt and does not ship uci or uhttpd; its httpd is configured through nvram and the web GUI (Administration -> Admin Access), so on FreshTomato disable the local and remote web access there (or keep only HTTPS from the LAN) instead of running these commands.

# OpenWrt syntax only; does not apply to FreshTomato (see note above)
uci set uhttpd.main.listen_http=''
uci commit uhttpd
/etc/init.d/uhttpd restart

Restrict access with firewall

Block external access to router management ports (typically 80/443). Insert the rules at the top of INPUT so they take precedence over existing ACCEPT rules, and exempt traffic arriving from the LAN bridge so local administration keeps working. Rules entered on the command line are lost on reboot or WAN restart; place them in Administration -> Scripts -> Firewall to persist them. This does not protect against an attacker who is already on the LAN.

# br0 is the LAN bridge on Tomato-based firmware; adjust if your LAN interface differs
iptables -I INPUT -p tcp --dport 80 ! -i br0 -j DROP
iptables -I INPUT -p tcp --dport 443 ! -i br0 -j DROP

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to iperfrun.cgi endpoint

🔍 How to Verify

Check if Vulnerable:

Check FreshTomato version via web interface (Status -> Overview) or SSH command: 'nvram get os_version'

Check Version:

nvram get os_version

Verify Fix Applied:

Verify version is 2023.4 or later and test iperfrun.cgi endpoint with safe test commands

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /iperfrun.cgi
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by iperfrun access

Network Indicators:

  • HTTP requests containing shell metacharacters in parameters
  • Unexpected outbound connections from router
  • Traffic to known malicious IPs from router

SIEM Query:

source="router.log" AND (uri="/iperfrun.cgi" OR "iperfrun" IN uri) AND (method="POST" OR params CONTAINS "$" OR params CONTAINS "|" OR params CONTAINS ";")

(Pseudo-syntax; adapt the field names and operators to your SIEM, and decode URL-encoded parameters before matching, since %3B and %7C would otherwise be missed.)
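As an added example (not part of this advisory), the log indicators above implemented as a small Python scanner over constructed Common Log Format lines: it flags POSTs to /iperfrun.cgi and GETs whose URL-decoded query contains shell metacharacters. The sample addresses and the `host` parameter name are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in Common Log Format; not real router
# traffic, and the "host" parameter name is an assumption.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2023:12:00:01 +0000] "GET /status-overview.asp HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "POST /iperfrun.cgi HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:12:00:06 +0000] "GET /iperfrun.cgi?host=10.0.0.5%3Becho%20probe HTTP/1.1" 200 88
192.168.1.20 - - [10/Oct/2023:12:00:09 +0000] "GET /iperfrun.cgi?host=10.0.0.5 HTTP/1.1" 200 88
"""

# client ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Characters a POSIX shell interprets; seeing them in a parameter handed to a
# CGI that builds a command line is the network indicator listed above.
SHELL_META = set(";|&`$<>\n")
VULN_PATH = "/iperfrun.cgi"


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return why an entry is suspicious, or None when it is not."""
    parts = urlsplit(entry["uri"])
    if parts.path != VULN_PATH:
        return None
    if entry["method"] == "POST":
        return "post_to_iperfrun"  # POSTs to the endpoint are a listed log indicator
    decoded = unquote_plus(parts.query)  # decode %3B, + etc. before inspecting
    if any(c in SHELL_META for c in decoded):
        return "shell_metachar_in_params"
    return None


def scan(log_text):
    """Run classify() over each line; return (ip, method, uri, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reason := classify(entry)):
            findings.append((entry["ip"], entry["method"], entry["uri"], reason))
    return findings
```

Running `scan(SAMPLE_LOG)` reports the POST and the encoded-metacharacter GET from 203.0.113.7 and leaves the plain LAN request alone.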
