CVE-2020-11966
Published 2020-04-21
Priority: P2 · 64 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 2.99% (85.6th percentile)
In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that has not yet completed the forced initial configuration (which includes a required step for setting a secure password on the system), and that this makes the CVE invalid. The vendor adds that the condition is "true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time".
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evenroute | iqrouter_firmware | <= 3.3.1 | — |
Detection & IOCs (extracted from sources)
- All exploit endpoints are unauthenticated (no-auth RCE). Monitor HTTP GET requests to any /cgi-bin/luci/er/* path containing backtick shell metacharacters (e.g., '`...`') in query parameters or URL path segments.
- The reset_password endpoint changes the root password to the static value 'changeme' without authentication. Alert on any GET to /cgi-bin/luci/er/reset_password/.
- The diag_set_password endpoint allows an unauthenticated root password change to an arbitrary value supplied in the URL path. Alert on GET requests matching /cgi-bin/luci/er/diag_set_password/*/*.
- Attackers use ${IFS} or TAB characters as space substitutes in injected commands; detection rules should account for these evasion techniques in URL-decoded query strings.
- The /cgi-bin/luci/er/get_syslog endpoint leaks router setup information and is used by attackers to retrieve RCE command output (e.g., from the /register email injection). Monitor for unauthenticated access to this path.
- Context: the vendor states this vulnerability only affects devices in their initial unconfigured state (before the forced setup wizard is completed). Devices that have completed initial configuration with a secure password set are not considered vulnerable by the vendor.
- Context: the RCE endpoints under rce_setup require the router to be in setup/initial-configuration mode to be exploitable, whereas rce_any endpoints work regardless of setup state.
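The IOCs above can be turned into a small log-scanning check. The script below is an added example, not code from the page's sources or from the vendor: it parses common-format web-server access lines, URL-decodes the request, and flags the reset_password, diag_set_password and get_syslog paths plus backtick, ${IFS} and TAB metacharacters anywhere under /cgi-bin/luci/er/. The sample log lines are constructed, and the /cgi-bin/luci/er/register path used for the email-injection samples is an assumption (the source only names "/register").

```python
"""Flag IQrouter web-panel abuse (CVE-2020-11966 and the sibling PoC
endpoints) in web-server access logs. Added example with constructed
log lines; rules follow the IOC list on this page."""
import re
from urllib.parse import unquote

# Common/combined log prefix: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

ER_PREFIX = "/cgi-bin/luci/er/"

# Endpoint rules, matched against the URL-decoded path with the query string removed.
ENDPOINT_RULES = [
    # sets the root password to the static value 'changeme', no auth required
    ("reset_password", re.compile(r"^/cgi-bin/luci/er/reset_password/?$")),
    # root password set to an attacker-chosen value carried in the path: .../<user>/<pw>
    ("diag_set_password", re.compile(r"^/cgi-bin/luci/er/diag_set_password/[^/]+/[^/]+/?$")),
    # leaks setup information; used to read back injected command output
    ("get_syslog", re.compile(r"^/cgi-bin/luci/er/get_syslog/?")),
]

# Shell metacharacters from the PoC, checked after URL decoding so that
# %60 (backtick), %24%7BIFS%7D (${IFS}) and %09 (TAB) are all caught.
SHELL_META_RE = re.compile(r"`|\$\{IFS\}|\t")


def analyze(line):
    """Return an alert dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("url"))  # one decoding pass; add a second if double encoding is expected
    path = decoded.split("?", 1)[0]
    if not path.startswith(ER_PREFIX):
        return None  # only the er/ web-panel tree is in scope
    hits = [name for name, rx in ENDPOINT_RULES if rx.match(path)]
    if SHELL_META_RE.search(decoded):
        hits.append("shell_metachar")
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "url": decoded,
        "hits": hits,
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and return the list of alerts."""
    return [a for a in (analyze(l) for l in lines) if a]


# Constructed sample log: IPs, timestamps and payloads are made up for the example.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/reset_password/ HTTP/1.1" 200 45',
    '192.0.2.10 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/diag_set_password/Hunter2/Hunter2 HTTP/1.1" 200 45',
    # backtick and ${IFS} URL-encoded in the email parameter (register path under er/ is assumed)
    '192.0.2.11 - - [21/Apr/2020:10:00:03 +0000] "GET /cgi-bin/luci/er/register?email=a%40b.com%60cat%24%7BIFS%7D/etc/passwd%60 HTTP/1.1" 200 12',
    # TAB (%09) used as the space substitute
    '192.0.2.11 - - [21/Apr/2020:10:00:04 +0000] "GET /cgi-bin/luci/er/register?email=x%60id%09-u%60 HTTP/1.1" 200 12',
    '192.0.2.11 - - [21/Apr/2020:10:00:05 +0000] "GET /cgi-bin/luci/er/get_syslog/ HTTP/1.1" 200 8192',
    # benign: the LuCI login page, not under er/
    '198.51.100.7 - - [21/Apr/2020:10:00:06 +0000] "GET /cgi-bin/luci/ HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["src"], alert["method"], ",".join(alert["hits"]), alert["url"])
```

The method is recorded but not filtered on: the IOCs describe GETs, but the same paths reached by POST are just as interesting. Match on the decoded URL, never the raw one, or the encoded forms of the metacharacters slip through.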
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- https://evenroute.com/
- https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-
- https://openwrt.org/docs/guide-quick-start/walkthrough_login
- https://pastebin.com/grSCSBSu