CVE-2024-8891
📋 TL;DR
This vulnerability allows attackers to enumerate valid user accounts in CIRCUTOR Q-SMT devices by analyzing server responses to authentication attempts. Attackers can build user dictionaries without prior knowledge of existing accounts. This affects all users of CIRCUTOR Q-SMT firmware version 1.0.4.
💻 Affected Systems
- CIRCUTOR Q-SMT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could identify all valid user accounts, enabling targeted brute-force attacks, credential stuffing, or social engineering campaigns against specific users.
Likely Case
Attackers will enumerate valid usernames to facilitate credential attacks, potentially leading to unauthorized access to the web application.
If Mitigated
With proper monitoring and strong authentication controls, impact is limited to information disclosure about user existence.
🎯 Exploit Status
Exploitation requires sending authentication requests and analyzing response differences. No special tools needed beyond basic HTTP clients.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with CIRCUTOR for updated firmware
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products
Restart Required: Yes
Instructions:
1. Contact CIRCUTOR for updated firmware. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Verify update completed successfully. 5. Restart device if required.
🔧 Temporary Workarounds
Network Access Control
allRestrict access to the web interface to trusted networks only
Web Application Firewall
allConfigure WAF to detect and block user enumeration patterns
🧯 If You Can't Patch
- Implement rate limiting on authentication endpoints to slow enumeration attempts
- Monitor authentication logs for unusual patterns of failed login attempts
🔍 How to Verify
Check if Vulnerable:
Test authentication endpoint responses for different usernames - if responses differ between valid and invalid users, the system is vulnerable.Check Version:
Check firmware version in web interface or via device management interfaceVerify Fix Applied:
After patching, test that authentication responses are identical for both valid and invalid usernames (same error messages, response times, etc.).📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with different usernames from same source
- Pattern of authentication requests with systematic username variations
Network Indicators:
- Unusual volume of POST requests to login endpoints
- Requests with username dictionaries in authentication attempts
SIEM Query:
source_ip: * AND (url_path: "/login" OR url_path: "/auth") AND status_code: 401 | stats count by source_ip, username | where count > threshold