CVE-2023-43477
Published 2023-09-20
Priority: P2 · 68 · high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.75% (96.5th percentile)
The ping_from parameter of ping_tracerte.cgi in the web UI of Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telstra | arcadyan_lh1000_firmware | < 0.18.15r | 0.18.15r |
| telstra | smart_modem_gen_2 | < 0.18.15r | 0.18.15r |
Detection & IOCs (extracted from sources)

Command (from sources): `openssl enc -d -aes-256-cbc -md MD5 -salt -in LH1000V1-backup.cfg -out dec.tgz -k '2&15u69A'`

Detection ideas:
- Detect POST requests to /ping_tracerte.cgi where the ping_from parameter contains shell metacharacters (e.g., semicolons, ${IFS}) indicative of command injection attempts.
- Alert on HTTP POST requests to /fake_upload.cgi from unauthenticated sources, which may indicate exploitation of the unauthenticated firmware/config upload vulnerability (CVE-2023-43478).
- Monitor for access to /hninh987R47san82.htm, a hidden page that exposes firmware update and configuration restore functionality to unauthenticated users.
- Detect use of ${IFS} in HTTP POST body parameters targeting LH1000 devices, a common technique to bypass space filtering in command injection payloads.
- Monitor for unexpected telnet (port 23) activity on LH1000 devices after a reboot, which may indicate a malicious configuration backup was uploaded enabling a root telnet shell.
- Inspect POST bodies to ping_tracerte.cgi for the util_name=pingtest pattern combined with anomalous ping_from values containing semicolons or command chaining characters.

Notes:
- The vulnerability requires authentication (post-auth) for CVE-2023-43477; an attacker must have valid credentials or a valid session cookie (SID_63c6d632) to exploit the ping_from command injection.
- The hardcoded encryption key '2&15u69A' used for LH1000 configuration backups (AES-256-CBC, MD5) allows any attacker to decrypt, modify, and re-encrypt configuration files for malicious upload.
- Uploading a malicious configuration backup with incorrect settings could permanently disable the device, even beyond recovery using the hardware factory reset.
- The httoken value used in requests can be obtained by executing ArcBase._t() in a JavaScript console on the main login page, or copied from recent traffic — it is not a strong CSRF protection.
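The detection ideas above, turned into a small request classifier as an added example (this is not code from the page, from Telstra or from Arcadyan). It takes request records of the form (method, path, session cookie present?, body), decodes the POST body, and raises the alerts the list describes: shell metacharacters or ${IFS} in ping_from, anomalous ping_from values alongside util_name=pingtest, unauthenticated POSTs to /fake_upload.cgi, and any access to the hidden page. The record format, the `has_session` flag, the alert names and the sample requests are assumptions constructed for this example; in practice the records would come from a reverse proxy or IDS log in front of the modem's web UI.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request records: (method, path, has_session_cookie, body).
# These lines were written for this example and are not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/ping_tracerte.cgi", True, "util_name=pingtest&ping_from=192.168.1.1&ping_count=4"),
    ("POST", "/ping_tracerte.cgi", True, "util_name=pingtest&ping_from=192.168.1.1%3Bid"),
    ("POST", "/ping_tracerte.cgi", True, "util_name=pingtest&ping_from=192.168.1.1%24%7BIFS%7Dls"),
    ("POST", "/fake_upload.cgi", False, "filename=backup.cfg"),
    ("GET", "/hninh987R47san82.htm", False, ""),
    ("GET", "/index.htm", True, ""),
]

# Shell metacharacters named on the page (semicolon, ${IFS}) plus the usual
# command-chaining characters; matched after percent-decoding the body.
SHELL_META = re.compile(r"[;&|`$\n]|\$\{IFS\}")

# What a legitimate ping_from value should look like: an IPv4 address or a
# hostname. Anything else with util_name=pingtest is reported as anomalous.
HOST_OK = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def classify(method, path, has_session, body):
    """Return the list of alert names raised by one request (empty if benign)."""
    alerts = []
    # parse_qs percent-decodes, so %3B becomes ';' and %24%7BIFS%7D becomes '${IFS}'
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    if method == "POST" and path == "/ping_tracerte.cgi":
        ping_from = params.get("ping_from", "")
        if SHELL_META.search(ping_from):
            alerts.append("ping_from_shell_metachar")
        elif params.get("util_name") == "pingtest" and ping_from and not HOST_OK.match(ping_from):
            alerts.append("ping_from_anomalous_value")

    # Upload endpoint reachable without a session: CVE-2023-43478 indicator.
    if method == "POST" and path == "/fake_upload.cgi" and not has_session:
        alerts.append("unauth_upload_cgi")

    # Hidden firmware/config page: any access is worth an alert.
    if path == "/hninh987R47san82.htm":
        alerts.append("hidden_page_access")

    return alerts


def scan(requests):
    """Run classify() over a batch and keep only the requests that raised alerts."""
    findings = []
    for index, record in enumerate(requests):
        alerts = classify(*record)
        if alerts:
            findings.append((index, alerts))
    return findings


if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_REQUESTS):
        method, path, has_session, body = SAMPLE_REQUESTS[index]
        print(f"request {index}: {method} {path} session={has_session} -> {', '.join(alerts)}")
```

Decoding the body before matching matters: a filter that looks for a literal `;` or `${IFS}` in the raw body would miss the percent-encoded forms the modem's CGI will happily decode. The telnet-after-reboot indicator from the list is a network-level check and is deliberately not modelled here.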
No detection rules found.
No public exploits indexed.