CVE-2024-0571

8.8 HIGH

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Totolink LR1200GB routers allows remote attackers to execute arbitrary code by manipulating the 'text' parameter in the setSmsCfg function. This affects users of Totolink LR1200GB routers running firmware version 9.1.0u.6619_B20230130. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Totolink LR1200GB
Versions: 9.1.0u.6619_B20230130
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via HTTP/HTTPS. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistence, lateral movement, and data exfiltration.

🟠 Likely Case

Remote code execution allowing attackers to take control of the router, modify configurations, intercept traffic, or use as a botnet node.

🟢 If Mitigated

Limited impact if device is isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available in GitHub repositories. The vulnerability requires no authentication, and exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Contact Totolink support for firmware updates. Consider replacing affected devices if no patch is forthcoming.

🔧 Temporary Workarounds

Network Isolation

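Platform: Linux

Isolate affected routers from the internet and restrict access to the management interface. The rules below drop all inbound TCP traffic to ports 80 and 443 on the host where they are applied.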

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

Platform: All

Disable the web management interface or restrict it to the local network only.

🧯 If You Can't Patch

  • Replace affected Totolink LR1200GB routers with patched or alternative devices
  • Implement strict network segmentation to isolate vulnerable routers from critical assets

🔍 How to Verify

Check if Vulnerable:

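Check the firmware version via the web interface at http://[router-ip]/ and compare it with the affected version 9.1.0u.6619_B20230130, or use the command: cat /proc/version (run from a shell on the device; it prints the kernel build string, so confirm the firmware version in the web interface).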

Check Version:

curl -s http://[router-ip]/cgi-bin/cstecgi.cgi | grep -i version

Verify Fix Applied:

Verify that the firmware version has been updated beyond 9.1.0u.6619_B20230130.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with long text parameters
  • Multiple failed exploitation attempts
  • Unexpected process execution or system reboots

Network Indicators:

  • Unusual outbound connections from router
  • Traffic interception patterns
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND text_length>1000
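
The first log indicator and the SIEM query above, as offline detection logic. This is an added example, not part of the original advisory or any vendor tooling. It assumes a proxy or IDS in front of the management interface writes one tab-separated record per request (source, method, URI, request body); that format and the sample records are constructed, and the 1000-character threshold is the one used in the query.

```python
import json
from urllib.parse import parse_qs, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the log indicators
TEXT_LIMIT = 1000                  # threshold from the SIEM query

def text_param_length(body):
    """Length of the 'text' parameter in a JSON or form-encoded body."""
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict):
        return len(str(parsed.get("text", "")))
    values = parse_qs(body, keep_blank_values=True).get("text", [])
    if values:
        return max(len(v) for v in values)
    # Unparseable body that still mentions the parameter: use the whole body
    # as an upper bound so truncated or malformed requests are not missed.
    return len(body) if "text" in body else 0

def find_oversized_text_posts(log_lines):
    """Return (source, text_length) for each POST to CGI_PATH over TEXT_LIMIT."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t", 3)
        if len(fields) != 4:
            continue  # not a src/method/uri/body record
        src, method, uri, body = fields
        if method.upper() != "POST" or urlsplit(uri).path != CGI_PATH:
            continue
        length = text_param_length(body)
        if length > TEXT_LIMIT:
            hits.append((src, length))
    return hits

# Constructed sample records (documentation IP ranges), not real traffic.
# Assumed format: src <TAB> method <TAB> uri <TAB> request body.
SAMPLE_LOG = [
    f"192.0.2.10\tPOST\t{CGI_PATH}\t" + json.dumps({"text": "hello"}),
    f"192.0.2.66\tPOST\t{CGI_PATH}\t" + json.dumps({"text": "A" * 1500}),
    f"198.51.100.7\tPOST\t{CGI_PATH}\ttext=" + "B" * 2000,
    f"198.51.100.8\tPOST\t{CGI_PATH}\t" + '{"text":"' + "C" * 1200,
    "203.0.113.5\tPOST\t/index.html\ttext=" + "D" * 2000,
]

if __name__ == "__main__":
    for src, length in find_oversized_text_posts(SAMPLE_LOG):
        print(f"ALERT src={src} text_length={length}")
```

The fourth sample record has a truncated JSON body; it is still reported because the fallback measures the whole body when the parameter cannot be parsed out.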
