CVE-2024-7214
📋 TL;DR
This CVE describes a critical command injection vulnerability in TOTOLINK LR350 routers. Attackers can remotely execute arbitrary commands by manipulating the hostName parameter in the setWanCfg function. This affects users of TOTOLINK LR350 routers running vulnerable firmware versions.
💻 Affected Systems
- TOTOLINK LR350
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use the device for botnet activities.
Likely Case
Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement within the network.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.
🎯 Exploit Status
Public exploit code is available on GitHub. The attack requires no authentication and can be performed remotely via HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. The vendor did not respond to disclosure attempts. Consider replacing affected devices or implementing workarounds.
🔧 Temporary Workarounds
Network Access Control
Block external access to the router web interface and restrict internal access to trusted IPs only
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disable WAN Management
Disable remote management features if not required
🧯 If You Can't Patch
- Replace affected TOTOLINK LR350 routers with devices from vendors that provide security updates
- Segment affected routers on isolated VLANs with strict firewall rules preventing outbound connections
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface at http://router-ip/ or with the command: curl -s http://router-ip/cgi-bin/cstecgi.cgi
Check Version:
curl -s http://router-ip/ | grep -i 'firmware version' || ssh admin@router-ip 'cat /etc/version'
Verify Fix Applied:
No official fix available to verify. Monitor for firmware updates from vendor.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/cstecgi.cgi with shell metacharacters in parameters
- Unexpected command execution in system logs
- Multiple failed authentication attempts followed by successful command execution
Network Indicators:
- HTTP requests containing shell commands (semicolons, pipes, backticks) in URL parameters
- Outbound connections from router to suspicious IPs
- Unusual traffic patterns from router management interface
SIEM Query:
source="router-logs" AND (url="/cgi-bin/cstecgi.cgi" AND (param="hostName" AND value MATCHES "[;|&`$()]"))
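The same check as the SIEM query above, run over constructed log lines as an added example (not part of the advisory): it flags any request to /cgi-bin/cstecgi.cgi whose hostName value, taken from the query string or from a JSON or form-encoded body, contains a shell metacharacter. The one-request-per-line log format is an assumption made for the example.

```python
"""Flag requests to /cgi-bin/cstecgi.cgi whose hostName parameter carries shell
metacharacters. Assumed log format: <ts> <client-ip> <method> <path[?query]> <body|->"""
import json
import re
from urllib.parse import unquote_plus

SHELL_META = re.compile(r"[;|&`$()]")  # same class as the SIEM query above
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_PARAM = "hostName"

def form_params(text):
    """Parse k=v&k2=v2 into a dict, percent-decoding names and values."""
    pairs = (p.split("=", 1) for p in text.split("&") if "=" in p)
    return {unquote_plus(k): unquote_plus(v) for k, v in pairs}

def request_params(query, body):
    """Merge query-string and body parameters; body may be JSON or form-encoded."""
    try:
        body_params = {k: str(v) for k, v in json.loads(body).items()}
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        body_params = form_params(body)
    return {**form_params(query), **body_params}

def is_suspicious(line):
    """Return (client_ip, hostName value) for a matching request, else None."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    _ts, client, _method, target, body = parts
    path, _, query = target.partition("?")
    if path != TARGET_PATH:
        return None
    value = request_params(query, body).get(TARGET_PARAM)
    if value is None or not SHELL_META.search(value):
        return None
    return client, value

def scan(lines):
    """Return all hits over an iterable of log lines."""
    return [hit for hit in map(is_suspicious, lines) if hit]

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '2024-07-30T10:00:01Z 192.168.1.20 POST /cgi-bin/cstecgi.cgi {"hostName":"home-router"}',
    '2024-07-30T10:00:05Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi {"hostName":"x;id"}',
    '2024-07-30T10:00:09Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi hostName=x%7Cid&mode=1',
    '2024-07-30T10:00:12Z 192.168.1.20 GET /cgi-bin/cstecgi.cgi?hostName=a%3Bb -',
]
```

Percent-encoded metacharacters are decoded before matching, so the encoded forms in the third and fourth sample lines are still caught.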
🔗 References
- https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/LR350/setWanCfg.md
- https://vuldb.com/?ctiid.272785
- https://vuldb.com/?id.272785
- https://vuldb.com/?submit.378319