CVE-2024-5785

8.0 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in Comtrend routers that allows authenticated users to execute arbitrary commands on the device by sending specially crafted POST requests to the '/boaform/admin/formUserTracert' endpoint. This affects Comtrend WLD71-T1_v2.0.201820 routers, specifically the GRG-4280us version. Attackers with valid credentials can gain command execution on the router.

💻 Affected Systems

Products:
  • Comtrend router WLD71-T1
  • Comtrend GRG-4280us
Versions: WLD71-T1_v2.0.201820
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. Affects specific firmware version of these Comtrend router models.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise, allowing an attacker to reconfigure network settings, intercept traffic, pivot to internal networks, install persistent backdoors, or brick the device.

🟠

Likely Case

Authenticated attacker gains shell access to router, enabling network reconnaissance, traffic manipulation, and potential lateral movement to connected devices.

🟢

If Mitigated

Limited impact if strong authentication controls, network segmentation, and proper monitoring are in place to detect exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the router's web interface. The vulnerability is in a specific form handler that doesn't properly sanitize user input before passing to system commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-comtrend-router

Restart Required: Yes

Instructions:

  1. Check the Comtrend vendor website for firmware updates.
  2. Download the appropriate firmware for your model.
  3. Access the router admin interface.
  4. Navigate to the firmware update section.
  5. Upload and apply the new firmware.
  6. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable vulnerable endpoint via firewall

linux

Block access to the vulnerable '/boaform/admin/formUserTracert' endpoint using the router's own iptables rules. The string match only sees plaintext HTTP: on port 443 the request path is inside the TLS session, so the second rule cannot match it, and a path split across two packets is not matched either.

iptables -A INPUT -p tcp --dport 80 -m string --string "/boaform/admin/formUserTracert" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/boaform/admin/formUserTracert" --algo bm -j DROP

Restrict admin interface access

linux

Limit access to the router admin interface to specific trusted IP addresses only (replace TRUSTED_IP with the management host's address; the rules run on the router itself).

iptables -A INPUT -p tcp --dport 80 ! -s TRUSTED_IP -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s TRUSTED_IP -j DROP

🧯 If You Can't Patch

  • Replace affected routers with supported models from different vendors
  • Implement network segmentation to isolate affected routers from critical systems

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is WLD71-T1_v2.0.201820, the device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware || ssh admin@router-ip 'cat /proc/version'

Verify Fix Applied:

Verify firmware version has been updated to a newer version than WLD71-T1_v2.0.201820 in router admin interface.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to '/boaform/admin/formUserTracert' with unusual parameters
  • Multiple failed authentication attempts followed by successful login and POST to vulnerable endpoint
  • Unusual command execution in router logs

Network Indicators:

  • Unusual outbound connections from router to external IPs
  • Traffic patterns suggesting router is being used as pivot point
  • DNS queries for command and control domains from router

SIEM Query:

source="router_logs" AND (url="/boaform/admin/formUserTracert" OR cmd="tracert" OR cmd="ping") AND (user!="admin" OR param contains "|" OR param contains ";" OR param contains "&")
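As an added detection example (not code from this advisory page or from the vendor), the following Python applies the log indicators above to constructed web-access log lines: it keeps only POSTs to the vulnerable handler, decodes the form body, and flags any parameter whose value carries a shell metacharacter, so URL-encoded separators are caught as well. The combined-log layout, the `body="..."` field and the `targetAddr` parameter name are assumptions, since the page does not give the router's log format.

```python
import re
from urllib.parse import parse_qs

VULN_ENDPOINT = "/boaform/admin/formUserTracert"
SHELL_META = set("|;&`$")  # separators the SIEM query above looks for, plus ` and $

# Assumed log layout: combined-log prefix, then an optional body="..." field
# appended by a hypothetical logging pipeline. Not a real Comtrend format.
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: body="(?P<body>[^"]*)")?'
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.1.20 - admin [12/Jun/2024:10:01:02 +0000] '
    '"POST /boaform/admin/formUserTracert HTTP/1.1" 200 512 '
    'body="targetAddr=8.8.8.8&maxHops=30"',
    '192.168.1.77 - admin [12/Jun/2024:10:05:41 +0000] '
    '"POST /boaform/admin/formUserTracert HTTP/1.1" 200 512 '
    'body="targetAddr=8.8.8.8%3Bxyz&maxHops=30"',
    '192.168.1.20 - admin [12/Jun/2024:10:06:00 +0000] '
    '"GET /boaform/admin/formUserTracert HTTP/1.1" 200 512',
]


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(body):
    """Names of form parameters whose decoded value contains a shell metacharacter."""
    decoded = parse_qs(body or "", keep_blank_values=True)  # also decodes %3B -> ';'
    return [name for name, values in decoded.items()
            if any(SHELL_META & set(v) for v in values)]


def scan(lines):
    """Return (source IP, user, flagged parameters) for each suspicious POST."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != VULN_ENDPOINT:
            continue
        flagged = suspicious_params(rec["body"])
        if flagged:
            hits.append((rec["src"], rec["user"], flagged))
    return hits


if __name__ == "__main__":
    for src, user, params in scan(SAMPLE_LOG):
        print(f"suspicious POST from {src} as {user}: params {params}")
```

A benign traceroute request and a GET to the same path are left alone; only the entry whose `targetAddr` decodes to a value containing `;` is reported.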