CVE-2020-11963
Published 2020-04-21
CVE-2020-11963: IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection…
Priority P181 · critical · CVSS 3.1 score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.15% (86.3rd percentile)
IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evenroute | iqrouter_firmware | <= 3.3.1 | — |
Detection & IOCs (extracted from sources)
URL: /cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1
- Detect unauthenticated GET requests to /cgi-bin/luci/er/* endpoints containing backtick characters (`) in query parameters or URL path segments: the primary injection vector for Bash shell metacharacter RCE.
- Alert on HTTP GET requests to /cgi-bin/luci/er/reset_password/ or /cgi-bin/luci/er/diag_set_password/; these endpoints allow unauthenticated root password changes.
- Monitor for HTTP GET requests to /cgi-bin/luci/er/get_syslog; attackers use this endpoint to retrieve command output after blind RCE via the /register email parameter.
- Detect use of ${IFS} in HTTP query parameters targeting /cgi-bin/luci/er/*; it is used as a space substitute to bypass simple input filters in shell injection payloads.
- Flag unauthenticated GET requests to /cgi-bin/luci/er/index?reset_config=1; this resets the router to factory defaults, re-exposing all RCE endpoints.
- Caveat: all RCE endpoints are only exploitable when the IQrouter is in its unconfigured/initial-setup state. Once the mandatory setup wizard (including password configuration) is completed, these endpoints are no longer accessible without authentication.
- Caveat: the setup-mode RCE endpoints (vlanTag, verify_wifi, screen1–screen10, register) require the router to be actively in setup/wizard mode; the /wifi and diag_* endpoints are exploitable without any setup-mode requirement.
- Caveat: the verify_wifi RCE endpoint has an additional precondition: the hide_wifi_config parameter must not be set to true.
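As an added example (not part of this record or any of its sources), the detection notes above turned into a small Python scanner over HTTP access-log lines; the log lines are constructed for illustration and the finding labels are my own names.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
ER_PREFIX = "/cgi-bin/luci/er/"
PASSWORD_ENDPOINTS = {ER_PREFIX + "reset_password", ER_PREFIX + "diag_set_password"}

def classify(method: str, target: str):
    """Return a finding label for one request, or None if it matches no rule."""
    if method != "GET" or not target.startswith(ER_PREFIX):
        return None
    path, _, query = target.partition("?")
    decoded = unquote(target)  # %60 is a backtick, %24%7BIFS%7D is ${IFS}
    if "`" in decoded:                       # backtick in path or query
        return "metachar-backtick"
    if "${IFS}" in unquote(query):           # IFS used as a space substitute
        return "metachar-ifs"
    if path.rstrip("/") in PASSWORD_ENDPOINTS:
        return "unauth-password-change"
    if path == ER_PREFIX + "get_syslog":     # command-output readback
        return "syslog-readback"
    if path == ER_PREFIX + "index" and "reset_config=1" in query.split("&"):
        return "factory-reset"
    return None

def scan(lines):
    """Apply classify() to each parseable log line; returns (client, label, target)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        label = classify(method, target)
        if label:
            findings.append((client, label, target))
    return findings

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/wifi?s1=1&s2=%27%60%7B%7D%60%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/get_syslog HTTP/1.1" 200 8192',
    '203.0.113.9 - - [21/Apr/2020:10:00:03 +0000] "GET /cgi-bin/luci/er/reset_password/ HTTP/1.1" 200 100',
    '198.51.100.2 - - [21/Apr/2020:10:00:04 +0000] "GET /cgi-bin/luci/er/index?reset_config=1 HTTP/1.1" 302 0',
    '198.51.100.2 - - [21/Apr/2020:10:00:05 +0000] "GET /cgi-bin/luci/er/vlanTag?tag=a%24%7BIFS%7Db HTTP/1.1" 200 10',
    '192.0.2.7 - - [21/Apr/2020:10:00:06 +0000] "GET /cgi-bin/luci/er/index HTTP/1.1" 200 2048',
    '192.0.2.7 - - [21/Apr/2020:10:00:07 +0000] "POST /cgi-bin/luci/ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, label, target in scan(SAMPLE_LOG):
        print(f"{client} {label} {target}")
```

The log alone cannot show whether the router was still unconfigured, so correlate hits with the device's setup state before treating them as confirmed exploitation.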
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9w3v-8h48-46jq: IQrouter through 3
ghsa (unreviewed) · 2022-05-24 · CVE-2020-11963 [HIGH] · CWE-78
IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection.
VulnCheck
evenroute iqrouter_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVE-2020-11963 [CRITICAL] · CVSS 9.8
Affected: evenroute iqrouter_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontin
No detection rules found.
No writeups or analysis indexed.
References
- https://evenroute.com/
- https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-
- https://openwrt.org/docs/guide-quick-start/walkthrough_login
- https://pastebin.com/grSCSBSu