CVE-2023-47462 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2023-47462?

CVE-2023-47462 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on GL.iNet AX1800 routers by exploiting insecure permissions in the file sharing function. Attackers can read arbitrary files and potentially gain full system control. All users running firmware version 3.215 or earlier are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on GL.iNet AX1800 routers by exploiting insecure permissions in the file sharing function. Attackers can read arbitrary files and potentially gain full system control. All users running firmware version 3.215 or earlier are affected.

💻 Affected Systems

Products:

GL.iNet AX1800

Versions: v3.215 and all earlier versions

Operating Systems: GL.iNet custom firmware

Default Config Vulnerable: ⚠️ Yes

Notes: File sharing function must be enabled, but this is a common configuration for these routers.

📦 What is this software?

Gl Ax1800 Firmware by Gl Inet

View all CVEs affecting Gl Ax1800 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install persistent malware, intercept network traffic, pivot to internal networks, and brick devices.

🟠

Likely Case

Unauthorized file access leading to credential theft, configuration tampering, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them prime targets for remote exploitation.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, though external exposure is more concerning.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains proof-of-concept demonstrating arbitrary file read, which can be extended to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.216 or later

Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary%20File%20Read%20through%20file%20share.md

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System > Firmware Upgrade. 3. Check for updates and install v3.216 or later. 4. Reboot router after installation.

🔧 Temporary Workarounds

Disable File Sharing

all

Turn off the vulnerable file sharing function to prevent exploitation.

Navigate to Applications > File Sharing and disable the feature

Restrict Web Interface Access

all

Limit admin interface access to trusted IP addresses only.

Configure firewall rules to restrict access to router management IP on ports 80/443

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network monitoring for unusual file access patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System > Status. If version is 3.215 or earlier, device is vulnerable.

Check Version:

ssh admin@router-ip 'cat /etc/glversion' or check web interface

Verify Fix Applied:

Confirm firmware version is 3.216 or later in System > Status after update.

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in /var/log/messages
Multiple failed then successful authentication attempts to file sharing service

Network Indicators:

Unexpected HTTP requests to file sharing endpoints
Traffic spikes to router management interface

SIEM Query:

source="router_logs" AND ("file_share" OR "samba") AND (status="200" OR status="success") AND user="unknown"

📊 Metadata

CVE ID: CVE-2023-47462

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-276

Published: November 29, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47462, you might also want to check these: