CVE-2024-1004 – A critical stack-based buffer overflow vulnerab... (How to Fix)

Q: What is the severity of CVE-2024-1004?

CVE-2024-1004 has a CVSS score of 7.2 (HIGH). A critical stack-based buffer overflow vulnerability exists in the Totolink N200RE router's loginAuth function via the http_host parameter. This allows remote attackers to execute arbitrary code or crash the device. All users of Totolink N200RE version 9.3.5u.6139_B20201216 are affected.

📋 TL;DR

A critical stack-based buffer overflow vulnerability exists in the Totolink N200RE router's loginAuth function via the http_host parameter. This allows remote attackers to execute arbitrary code or crash the device. All users of Totolink N200RE version 9.3.5u.6139_B20201216 are affected.

💻 Affected Systems

Products:

Totolink N200RE

Versions: 9.3.5u.6139_B20201216

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface accessible via HTTP/HTTPS. No authentication required for exploitation.

📦 What is this software?

N200re Firmware by Totolink

View all CVEs affecting N200re Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠

Likely Case

Remote denial of service (device crash) and potential code execution if exploit is weaponized.

🟢

If Mitigated

Limited to denial of service if exploit attempts are blocked at network perimeter.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers with disclosed exploit details.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly disclosed in security advisories. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

1. Check Totolink website for firmware updates. 2. If update available, download and install via web interface. 3. Reboot router after installation. 4. Verify version is no longer 9.3.5u.6139_B20201216.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to router management interface to trusted internal networks only.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

all

Turn off WAN access to router administration interface.

🧯 If You Can't Patch

Replace affected router with different model that receives security updates
Place router behind firewall that blocks all inbound traffic to management ports

🔍 How to Verify

Check if Vulnerable:

Access router web interface, navigate to System Status or About page, check firmware version matches 9.3.5u.6139_B20201216.

Check Version:

curl -s http://ROUTER_IP/cgi-bin/cstecgi.cgi | grep -i version || wget -qO- http://ROUTER_IP/status.asp | grep -i firmware

Verify Fix Applied:

Verify firmware version has changed from 9.3.5u.6139_B20201216 to a newer version.

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts with malformed http_host headers
Router crash/reboot logs
Unusual POST requests to /cgi-bin/cstecgi.cgi with long http_host parameters

Network Indicators:

HTTP requests to router IP with unusually long Host headers
Traffic patterns suggesting buffer overflow exploitation

SIEM Query:

source="router_logs" AND (url="/cgi-bin/cstecgi.cgi" AND http_host LENGTH > 100) OR (event="crash" AND device="N200RE")

📊 Metadata

CVE ID: CVE-2024-1004

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: January 29, 2024

Last Updated: November 21, 2024

🔗 References

https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-loginAuth-cbde48da404049328cb698394b6c0641?pvs=4 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.252273 Third Party Advisory
https://vuldb.com/?id.252273 Third Party Advisory
https://jylsec.notion.site/TOTOLINK-N200RE-has-stack-buffer-overflow-vulnerability-in-loginAuth-cbde48da404049328cb698394b6c0641?pvs=4 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.252273 Third Party Advisory
https://vuldb.com/?id.252273 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1004, you might also want to check these: