CVE-2024-0575

8.8 HIGH

📋 TL;DR

CVE-2024-0575 is a critical stack-based buffer overflow vulnerability in Totolink LR1200GB routers that allows remote attackers to execute arbitrary code by sending specially crafted requests to the setTracerouteCfg function. This affects organizations and individuals using vulnerable Totolink LR1200GB routers with internet-facing administration interfaces. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Totolink LR1200GB
Versions: 9.1.0u.6619_B20230130 (likely affects earlier versions too)
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web administration interface via CGI endpoint. Default configuration likely exposes this interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A remote unauthenticated attacker gains full control of the router, enabling traffic interception, network pivoting, persistent backdoor installation, and complete network compromise.

🟠 Likely Case: A remote attacker executes arbitrary code with root privileges, potentially installing malware, creating botnet nodes, or disrupting network services.

🟢 If Mitigated: If the device is properly segmented and firewalled, impact is limited to an isolated network segment with no critical systems accessible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists, making internet-facing devices immediate targets.
🏢 Internal Only: MEDIUM - Internal devices still vulnerable to internal attackers or compromised hosts, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. The attack requires sending a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a manipulated command parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

No official patch available. Consider replacing affected devices or implementing strict network controls.

🔧 Temporary Workarounds

Network Segmentation and Access Control

Block external access to the router administration interface and restrict internal access to management networks only. The 192.168.1.0/24 range is the management network used in this example; adjust it to your own. These INPUT rules protect the host they run on, so they apply when you have shell access to the router itself; on an upstream firewall, use equivalent FORWARD rules with the router as the destination instead.

iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP

Disable Vulnerable Functionality

If possible, disable traceroute functionality or block access to the vulnerable CGI endpoint. Either remove execute permission from the CGI or delete it (confirm the path on your firmware first):

chmod 000 /www/cgi-bin/cstecgi.cgi
rm /www/cgi-bin/cstecgi.cgi

Note that on these devices cstecgi.cgi handles the rest of the web administration interface as well, so this disables web management entirely, and on a read-only firmware filesystem the change will not survive a reboot.

🧯 If You Can't Patch

  • Immediately isolate affected routers from the internet by placing them behind firewalls with strict inbound rules
  • Implement network monitoring for unusual traffic patterns to and from the router administration interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface at System Status > Firmware Version. If the version is 9.1.0u.6619_B20230130 or earlier, assume it is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i 'firmware\|version'

or check the web interface manually (replace router-ip with the router's management address).

Verify Fix Applied:

No official fix available. Verify workarounds by testing that external requests to /cgi-bin/cstecgi.cgi are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi
  • Large command parameter values in HTTP logs
  • Router crash/restart logs

Network Indicators:

  • Unusual outbound connections from router
  • Traffic spikes to router administration port
  • HTTP requests with oversized parameters

SIEM Query (pseudo-syntax; adapt the field names and the size function to your platform):

source="router_logs" AND (url="/cgi-bin/cstecgi.cgi" AND method="POST" AND size(command) > 1000)
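As an added example that is not part of this advisory, the same detection logic expressed in Python over constructed request records: it flags POST requests to /cgi-bin/cstecgi.cgi whose command parameter exceeds the 1000-byte threshold from the query above, whether the body is JSON or URL-encoded. The record shape (source IP, method, path, body) and the topicurl field in the sample bodies are assumptions; this needs a log source that captures POST bodies, such as a reverse proxy or an IDS in front of the router.

```python
import json
from urllib.parse import parse_qs

# Threshold taken from the advisory's SIEM query (size(command) > 1000).
COMMAND_SIZE_LIMIT = 1000
VULN_PATH = "/cgi-bin/cstecgi.cgi"


def command_length(body: str) -> int:
    """Length of the 'command' parameter in a request body, or 0 if absent.
    Accepts a JSON object or a URL-encoded form; malformed bodies yield 0."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return 0
        value = data.get("command", "") if isinstance(data, dict) else ""
        return len(str(value))
    values = parse_qs(body).get("command", [])
    return max((len(v) for v in values), default=0)


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True for a POST to the vulnerable CGI with an oversized command parameter."""
    return (method.upper() == "POST"
            and path.split("?", 1)[0] == VULN_PATH
            and command_length(body) > COMMAND_SIZE_LIMIT)


def scan_records(records):
    """records: iterable of (src_ip, method, path, body); returns offending source IPs."""
    return [src for src, method, path, body in records if is_suspicious(method, path, body)]


# Constructed sample records (not real traffic): a benign traceroute request, an
# oversized JSON command, an oversized form-encoded command, and an unrelated GET.
# The topicurl field is an assumed request shape, not taken from the advisory.
SAMPLE_RECORDS = [
    ("192.168.1.20", "POST", VULN_PATH,
     json.dumps({"topicurl": "setTracerouteCfg", "command": "8.8.8.8", "num": "3"})),
    ("203.0.113.7", "POST", VULN_PATH,
     json.dumps({"topicurl": "setTracerouteCfg", "command": "A" * 1500})),
    ("198.51.100.9", "POST", VULN_PATH + "?x=1",
     "topicurl=setTracerouteCfg&command=" + "B" * 1200),
    ("192.168.1.21", "GET", "/cgi-bin/other.cgi", ""),
]

if __name__ == "__main__":
    for ip in scan_records(SAMPLE_RECORDS):
        print("ALERT: oversized command parameter sent to", VULN_PATH, "from", ip)
```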
