CVE-2024-33603

5.3 MEDIUM

📋 TL;DR

The LevelOne WBR-6012 router has an information disclosure vulnerability that allows unauthenticated users to access a verbose system log page containing sensitive data like memory addresses and IP addresses for login attempts. This could enable session hijacking since the device uses IP addresses for authentication. All users of the affected router model are potentially impacted.

💻 Affected Systems

Products:
  • LevelOne WBR-6012 router
Versions: All firmware versions prior to patching
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the router. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could hijack active sessions, gain unauthorized access to the router's administrative interface, and potentially pivot to internal networks.

🟠 Likely Case

Attackers gather reconnaissance data including internal IP addresses, login patterns, and system information to plan further attacks.

🟢 If Mitigated

Limited exposure of non-critical system information with no direct access to credentials or administrative functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web browser access to the vulnerable endpoint. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check vendor website for firmware updates
2. If update available, download and install via web interface
3. Verify the /cgi-bin/log.cgi endpoint is no longer accessible without authentication

🔧 Temporary Workarounds

Block External Access to Web Interface

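Platform: linux

Configure firewall rules to block external access to the router's web management interface (typically port 80/443). As written, the rules below drop TCP connections to ports 80 and 443 on the host where they are applied, regardless of the source interface.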

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

Platform: all

Disable remote management features in the router's web interface

🧯 If You Can't Patch

  • Replace the router with a supported model from a different vendor
  • Place router behind a firewall that blocks all inbound access to management interfaces

🔍 How to Verify

Check if Vulnerable:

Access http://[router-ip]/cgi-bin/log.cgi without authentication. If system logs are displayed, the device is vulnerable.

Check Version:

Check router web interface status page or use vendor-specific CLI commands if available

Verify Fix Applied:

Attempt to access the /cgi-bin/log.cgi endpoint without authentication. The device should return an authentication prompt or an error.

📡 Detection & Monitoring

Log Indicators:

  • Multiple unauthenticated access attempts to /cgi-bin/log.cgi
  • Unusual external IP addresses accessing router management interface

Network Indicators:

  • External traffic to router management ports (80/443) from unknown sources
  • HTTP GET requests to /cgi-bin/log.cgi

SIEM Query:

source="router_logs" AND url="/cgi-bin/log.cgi" AND status="200" AND auth="none"
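
The log indicators above, implemented as an added example (not part of the original advisory or any vendor tooling). It assumes Common Log Format lines collected by a proxy or sensor in front of the router; the function names, the internal address ranges and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed input: Common Log Format lines from a proxy/sensor in front of the router.
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
LOG_PATH = "/cgi-bin/log.cgi"  # endpoint named in the advisory
# Assumed internal ranges; adjust to the LAN actually in use.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(src):
    """True when src is outside INTERNAL_NETS (or cannot be parsed)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparseable source: treat as unknown, review it
    return not any(addr in net for net in INTERNAL_NETS)

def find_log_cgi_exposure(lines, repeat_threshold=3):
    """Per-source findings for unauthenticated 200 responses on LOG_PATH."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed format
        src, user, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path == LOG_PATH and status == "200" and user == "-":
            hits[src] += 1
    return [{"src": s, "count": c, "external": is_external(s),
             "repeated": c >= repeat_threshold}
            for s, c in sorted(hits.items())]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /cgi-bin/log.cgi HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2024:10:00:05 +0000] "GET /cgi-bin/log.cgi?x=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2024:10:00:09 +0000] "GET /cgi-bin/log.cgi HTTP/1.1" 200 5131',
    '192.168.1.20 - - [10/May/2024:10:01:00 +0000] "GET /cgi-bin/log.cgi HTTP/1.1" 200 5131',
    '192.168.1.20 - admin [10/May/2024:10:02:00 +0000] "GET /cgi-bin/log.cgi HTTP/1.1" 200 5140',
    '198.51.100.9 - - [10/May/2024:10:03:00 +0000] "GET /cgi-bin/log.cgi HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/May/2024:10:03:02 +0000] "GET /index.htm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in find_log_cgi_exposure(SAMPLE):
        print(finding)
```

A source with `external` set maps to the "unusual external IP addresses" indicator, and `repeated` maps to "multiple unauthenticated access attempts"; a 401 response or an authenticated user produces no finding.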
