Executive Summary

CVE-2023-46453 is a remote authentication bypass vulnerability affecting certain GL.iNet routers running firmware version 4.x, including version 4.3.7. The flaw exists in the router's authentication process, specifically in the /usr/sbin/gl-ngx-session file that handles login to the web interface.

The vulnerability arises from improper input sanitization of the username field. An attacker can craft a malicious username that is both a valid regular expression and a valid SQL injection payload. This crafted username manipulates the authentication mechanism by exploiting weak username validation, allowing the attacker to bypass authentication and gain administrative control without a valid password.

The attack involves first retrieving a nonce value from a challenge endpoint, then sending the malicious username to bypass authentication. For example, the username 'roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+' is used to manipulate regex matching and SQL queries simultaneously to log in as the root user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to bypass authentication and gain administrative control over affected GL.iNet routers remotely.

With administrative access, the attacker can access sensitive information such as Wi-Fi credentials, modify router settings, intercept or redirect network traffic, and potentially compromise the entire network connected to the router.

This can lead to unauthorized access to private data, network disruption, and further exploitation of connected devices.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to authenticate to the affected GL.iNet router's web interface using a specially crafted username that exploits the authentication bypass flaw.

The detection involves two stages: first, retrieving a nonce value from the router's challenge endpoint, then sending an authentication request with a malicious username that combines a regex pattern and a SQL injection payload.

A known malicious username example is: roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+

To detect this on your system, you can use tools like curl or custom scripts to interact with the router's RPC endpoints, mimicking the exploit steps: first fetch the nonce, then send the crafted authentication request.

For example, a detection command sequence might be:

• 1. Use curl to get the nonce from the challenge endpoint: `curl http://<router-ip>/rpc/challenge`
• 2. Use curl or a script to send an authentication request with the malicious username and the retrieved nonce to the authentication endpoint, observing if access is granted without a valid password.

Automated proof-of-concept exploit scripts are available that perform these steps to verify vulnerability presence.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the affected GL.iNet router firmware to the patched version released on November 8, 2023, which fixes this authentication bypass vulnerability.

If updating firmware is not immediately possible, restrict access to the router's web interface by limiting network exposure, such as disabling remote management or firewalling access to trusted hosts only.

Additionally, monitor router logs and network traffic for suspicious authentication attempts using crafted usernames similar to the known exploit pattern.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to bypass authentication and gain administrative control over affected GL.iNet devices, potentially exposing sensitive data such as Wi-Fi credentials.

Such unauthorized access could lead to violations of data protection regulations like GDPR or HIPAA, as it compromises the confidentiality and integrity of personal or sensitive information managed by the device.

Organizations using vulnerable devices may face compliance risks if this flaw is exploited, as it undermines security controls required by these standards.

Useful 0 Not Useful 0