CVE-2024-0576

8.8 HIGH

📋 TL;DR

A high-severity stack-based buffer overflow in Totolink LR1200GB routers running firmware 9.1.0u.6619_B20230130. The setIpPortFilterRules handler, reached through /cgi-bin/cstecgi.cgi, does not bound the length of the attacker-controlled sPort parameter before writing it into a fixed-size stack buffer, so an overlong value corrupts the stack and can give a remote attacker arbitrary code execution and full control of the device. One caveat on the "no authentication" claim that circulates with this CVE: the 8.8 score corresponds to a CVSS v3 vector with low privileges required (the same impact with no privileges would score 9.8), so plan for the attacker needing a valid or default admin session unless you have confirmed otherwise on your own device.

💻 Affected Systems

Products:
  • Totolink LR1200GB
Versions: 9.1.0u.6619_B20230130
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices on this firmware build are vulnerable as shipped; no setting needs to be enabled first. The handler is reached through the router's web interface at /cgi-bin/cstecgi.cgi, which is exposed to the LAN by default and to the WAN as well if remote management has been turned on.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, network traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential theft, botnet recruitment, and denial of service to connected devices.

🟢

If Mitigated

Limited impact if the management interface is unreachable from the internet and the LAN is segmented: only a host on the management network can then reach the handler, although a compromised router still affects everything behind it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: Unconfirmed (the 8.8 score implies a low-privilege vector; treat the handler as reachable by anyone holding admin credentials, default ones included)
Complexity: LOW

Exploit code is publicly available on GitHub. Triggering the overflow is a single crafted POST to /cgi-bin/cstecgi.cgi with an overlong sPort value; turning that into reliable code execution on the device takes more work, but crashing the handler (denial of service) needs none.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check the Totolink support site for an LR1200GB build newer than 9.1.0u.6619_B20230130; no fixed version is named here, so confirm from the release notes that the build addresses this issue rather than assuming any newer build does.
2. If an update is available, download it over HTTPS and upload it through the firmware upgrade page of the admin interface, then let the device reboot.
3. Factory reset after the update: an attacker who already had code execution could have altered the configuration (DNS servers, port forwards, admin password), and a reset discards those changes.
4. Reconfigure with secure settings: a unique admin password, remote management off, and only the port-filter rules you actually need.

🔧 Temporary Workarounds

Disable Remote Administration (all firmware versions)

Prevents access to the router web interface from the WAN side, which removes the internet-facing attack path; the handler remains reachable from the LAN.

Access router admin panel → Advanced Settings → Remote Management → Disable

Network Segmentation (all firmware versions)

Place the router's management interface on a dedicated management network and filter access to it, so ordinary LAN clients (and anything compromised among them) cannot reach /cgi-bin/cstecgi.cgi.

🧯 If You Can't Patch

  • Replace affected devices with supported models
  • Implement strict network ACLs blocking all external access to router management interfaces
  • Change the default admin password and keep the web interface LAN-only; with a low-privilege vector, guessing or reusing default credentials is the attacker's first step

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin panel under System Status or Maintenance section. If version matches 9.1.0u.6619_B20230130, device is vulnerable.

Check Version:

curl -s -X POST -H 'Content-Type: application/json' http://router-ip/cgi-bin/cstecgi.cgi -d '{"topicurl":"setting/getMainDiagStatus"}' | grep -i version

The topic name is the one given on this page; if the device answers with an error or an empty body (some topics require a logged-in session), read the version from the admin panel instead.

Verify Fix Applied:

Confirm that the firmware version shown in the admin panel is no longer 9.1.0u.6619_B20230130. Do not send overflow-length sPort values to a production device as a "test": a successful overflow crashes the CGI handler or the router itself. If you need to verify behaviour, do it on a spare unit and check that an overlong sPort value sent to /cgi-bin/cstecgi.cgi is rejected rather than crashing the process.
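To script the version check across several devices, here is an added example (not the advisory's or Totolink's code). It parses version strings of the shape shown on this page and classifies them against the vulnerable build; the JSON key name in the constructed sample reply, the key-matching heuristic and the "older build in the same line is likely vulnerable" inference are assumptions, and fetch_version uses the topic name given above.

```python
"""Firmware version triage for CVE-2024-0576 (Totolink LR1200GB).

Example code added to this advisory, not Totolink's or the advisory author's.
The version-string format is taken from the one string on the page; the JSON
key name and the HTTP fetch helper are assumptions.
"""
import json
import re
import urllib.request
from typing import Optional

# The build the advisory names as vulnerable.
VULNERABLE_VERSION = "9.1.0u.6619_B20230130"

# Version strings look like "9.1.0u.6619_B20230130", optionally prefixed
# with "V" (assumption: shape inferred from the single string on the page).
_VERSION_RE = re.compile(
    r"^V?(\d+)\.(\d+)\.(\d+)([a-z]?)\.(\d+)_B(\d{8})$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[dict]:
    """Split a firmware string into comparable parts, or None if it does not match."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix, build, date = m.groups()
    return {
        "major": int(major), "minor": int(minor), "patch": int(patch),
        "suffix": suffix.lower(), "build": int(build), "date": date,
    }


def extract_version(response_body: str) -> Optional[str]:
    """Find a firmware version in a JSON reply from cstecgi.cgi.

    Key names vary between Totolink builds, so any string value under a key
    containing 'version', 'firmware' or 'fw' is tried (heuristic, an assumption).
    """
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    for key, value in data.items():
        if isinstance(value, str) and re.search(r"version|firmware|fw", key, re.I):
            if parse_version(value):
                return value.strip()
    return None


def assess(version: str) -> str:
    """Classify a firmware string against CVE-2024-0576.

    vulnerable        : exactly the build named in the advisory
    likely-vulnerable : same 9.1.0u release line with an older build date
                        (assumption: the flaw predates the tested build and
                        no earlier fix is known)
    unknown           : any other version; the advisory names no fixed release
    unparseable       : string does not look like a Totolink version
    """
    parsed = parse_version(version)
    known = parse_version(VULNERABLE_VERSION)
    if parsed is None:
        return "unparseable"
    if parsed == known:
        return "vulnerable"
    same_line = all(parsed[k] == known[k] for k in ("major", "minor", "patch", "suffix"))
    if same_line and parsed["date"] < known["date"]:
        return "likely-vulnerable"
    return "unknown"


def fetch_version(router_ip: str, timeout: float = 5.0) -> Optional[str]:
    """POST the topic given on this page and return the version, if any.

    Not exercised by the sample below: it needs a reachable device, and the
    topic may require a logged-in session on some builds.
    """
    req = urllib.request.Request(
        f"http://{router_ip}/cgi-bin/cstecgi.cgi",
        data=b'{"topicurl":"setting/getMainDiagStatus"}',
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_version(resp.read().decode("utf-8", "replace"))


# Constructed sample reply, shaped like a Totolink JSON response (key name assumed).
SAMPLE_REPLY = '{"fwVersion": "V9.1.0u.6619_B20230130", "model": "LR1200GB"}'

if __name__ == "__main__":
    found = extract_version(SAMPLE_REPLY)
    print(found, "->", assess(found or ""))  # V9.1.0u.6619_B20230130 -> vulnerable
```

A "likely-vulnerable" verdict is a prompt to treat the device as exposed until the vendor says otherwise, not a confirmation; only the exact build has been publicly tested.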

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/cstecgi.cgi whose sPort value is far longer than any port or port range (a valid value is at most 11 characters, e.g. 65535-65535)
  • Repeated such requests from one source, which is what failed or iterated overflow attempts look like; the router itself rarely logs request bodies, so this needs a capture from an upstream proxy, IDS, or span port
  • Unexpected crashes or restarts of the router's web server or of the device itself, especially shortly after requests to that endpoint

Network Indicators:

  • External IPs reaching the router management interface (only possible when remote management is enabled)
  • Unusual outbound connections from the router itself, e.g. to unknown hosts on non-standard ports (botnet recruitment, reverse shells)
  • DNS answers from the router that differ from what its configured upstream resolver returns (DNS hijacking after takeover)

SIEM Query (pseudo-syntax, adapt to your platform):

source="router_logs" AND method="POST" AND uri="/cgi-bin/cstecgi.cgi" AND body MATCHES '"sPort"\s*:\s*"[^"]{17,}'

This keys on the length of the sPort value rather than on a NOP-sled byte pattern such as \x90\x90\x90: 0x90 is the x86 NOP, and an embedded router does not run x86, so a sled signature will miss real payloads while the length check catches anything that cannot be a port specification. The threshold of 17 characters sits above the longest valid range (65535-65535); tune it if your rules use another format.
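The log and network indicators above, turned into a rule you can run over captured requests. This is an added example, not part of the advisory or of Totolink's software. It assumes a constructed proxy/IDS log format (timestamp, source IP, method, URI, body) and that the CGI takes a compact JSON body carrying "topicurl" and "sPort" keys; the legitimate port-spec shape and the 16-character threshold are assumptions. It also keeps the page's \x90 signature as a function to show that it does not fire on an overflow probe.

```python
"""Detect CVE-2024-0576 exploitation attempts in captured HTTP request logs.

Example code added to this advisory; not the advisory's own or Totolink's.
Assumed log format (one request per line, from an upstream proxy/IDS, since
the router does not log bodies):  <timestamp> <src_ip> <method> <uri> <body>
with '-' as the body when there is none. Assumed request shape: compact JSON
with "topicurl" and "sPort" keys.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Optional

TARGET_URI = "/cgi-bin/cstecgi.cgi"

# A legitimate sPort is a port or a port range, e.g. "80" or "1000-2000"
# (assumed shape; adjust if your rules use another syntax).
LEGIT_PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")

# Longest valid spec is "65535-65535" (11 chars). Anything over this bound
# cannot be a port and is treated as an overflow attempt; the value is an
# assumption, far below any real overflow payload.
MAX_LEGIT_LEN = 16


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its five fields; None if the line is malformed."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) != 5:
        return None
    ts, src, method, uri, body = parts
    return {"ts": ts, "src": src, "method": method, "uri": uri, "body": body}


def extract_sport(body: str):
    """Return (topicurl, sPort) from a JSON body, or (None, None)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None, None
    if not isinstance(data, dict):
        return None, None
    return data.get("topicurl"), data.get("sPort")


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Rule verdict for one request, or None when nothing is suspicious."""
    if rec["method"] != "POST" or rec["uri"] != TARGET_URI:
        return None
    _topic, sport = extract_sport(rec["body"])
    if sport is None:
        return None
    sport = str(sport)
    if len(sport) > MAX_LEGIT_LEN:
        return "overflow-attempt"
    if not LEGIT_PORT_RE.match(sport):
        return "malformed-sPort"
    return None


def nop_sled_rule(line: str) -> bool:
    """The page's original \\x90 signature, kept to show why it misses:
    0x90 is the x86 NOP and an embedded router is not x86; a bare overflow
    probe is usually just a long run of printable bytes."""
    return "\x90\x90\x90" in line


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            topic, sport = extract_sport(rec["body"])
            alerts.append({"ts": rec["ts"], "src": rec["src"], "rule": verdict,
                           "topic": topic, "sport_len": len(str(sport))})
    return alerts


def by_source(alerts: List[Dict[str, object]]) -> Counter:
    """Alerts per source IP; repeats from one host are the 'multiple attempts' signal."""
    return Counter(a["src"] for a in alerts)


# Constructed sample log: two benign rule updates, an overflow probe, a
# malformed value, a GET with no body, and an unrelated topic.
SAMPLE_LOG = [
    '2024-02-01T10:00:01Z 192.168.0.23 POST /cgi-bin/cstecgi.cgi {"topicurl":"setIpPortFilterRules","sPort":"80"}',
    '2024-02-01T10:00:05Z 192.168.0.23 POST /cgi-bin/cstecgi.cgi {"topicurl":"setIpPortFilterRules","sPort":"1000-2000"}',
    '2024-02-01T10:00:09Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setIpPortFilterRules","sPort":"' + "A" * 300 + '"}',
    '2024-02-01T10:00:12Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setIpPortFilterRules","sPort":"notaport"}',
    '2024-02-01T10:00:15Z 192.168.0.23 GET /cgi-bin/cstecgi.cgi -',
    '2024-02-01T10:00:20Z 192.168.0.23 POST /cgi-bin/cstecgi.cgi {"topicurl":"setting/getMainDiagStatus"}',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(by_source(found))  # Counter({'203.0.113.7': 2})
```

The "malformed-sPort" verdict is broader than this CVE: it flags any value that is not a port specification, which is cheap to review and catches probes that stay under the length threshold.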
