CVE-2018-13023
published 2018-11-27CVE-2018-13023: System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL…
PriorityP180high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
23.96%
97.6th percentile
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mi | miwifi_os | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/cgi-bin/luci/;stok=
url&sns=sns&grant=1&guest_user_id=guid&timeout=
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"&sns=sns&grant=1&guest_user_id=guid&timeout="; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-13023; classtype:attempted-admin; sid:2030311; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_13023, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- →Exploit traffic is an HTTP GET request targeting the wifi_access CGI endpoint. Look for the URI pattern '/cgi-bin/luci/;stok=' (semicolon encoded as |3b|) combined with the query string '&sns=sns&grant=1&guest_user_id=guid&timeout=' — the injected command payload appears in the 'timeout' parameter.
- →The vulnerability is a system command injection via the 'timeout' URL parameter in the wifi_access handler on Xiaomi Mi Router 3 version 2.22.15. Any value supplied to 'timeout' is passed unsanitised to a system call. ↗
- →ET SID 2030311 (rev:3) can be used directly in Suricata/Snort deployments at the network perimeter to detect exploitation attempts inbound to IoT devices.
- ·The Snort/Suricata rule targets inbound traffic to $HOME_NET. Ensure the Mi Router 3 management interface is included in $HOME_NET and is not directly internet-exposed; if it is, the rule will fire on live exploitation attempts.
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-3vg5-wppq-5c8w: System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2
ghsa_unreviewed·2022-05-13
CVE-2018-13023 [HIGH] CWE-78 GHSA-3vg5-wppq-5c8w: System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
VulnCheck
mi miwifi_os Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2018·CVSS 8.8
CVE-2018-13023 [HIGH] mi miwifi_os Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
mi miwifi_os Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
Affected: mi miwifi_os
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/
Suricata
ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023
suricata·2020-06-11·CVSS 8.8
CVE-2018-13023 [HIGH] ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023
ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"&sns=sns&grant=1&guest_user_id=guid&timeout="; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-13023; classtype:attempted-admin; sid:2030311; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_13023, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id
No public exploits indexed.
No writeups or analysis indexed.
2018-11-27
Published
Exploited in the wild