Security researchers from CoreSecurity's OT/ICS Research Team have unearthed two critical zero-day vulnerabilities in the Linksys E5600 router, both potentially enabling command injection attacks.
The vulnerabilities, identified as CVE-2024-33789 and CVE-2024-33788, allow attackers to execute arbitrary commands on the router due to insufficient input validation in different functions.
- Affected Component: Ping test feature in the Troubleshooting -> Diagnostics menu.
- Issue: The vulnerability arises from improper verification of input values used in the ping command. The specific flaw is found in the runtime.pingTest function within the router’s firmware, where the ipurl parameter isn’t properly sanitized, leading to command injection.
- Impact: An attacker can inject malicious commands through the web interface, potentially gaining unauthorized access to the router’s underlying operating system.
- Affected Component: Device PIN registration under the Configure -> Wi-Fi -> Wi-Fi Protect Config setting.
- Issue: This vulnerability stems from the lack of input validation when a device PIN number is entered during Wi-Fi Protected Setup (WPS). The flaw is in the runtime.wpsProcess function, where the PinCode parameter is not properly filtered, allowing for command execution.
- Impact: Similar to the first, this flaw could allow an attacker to perform unauthorized actions, directly compromising the network’s security.
The vulnerabilities were discovered by the CoreSecurity OT/ICS Research Team, a group based in Korea known for their expertise in industrial and operational technology security. The analysts have published proof-of-concept exploits on GitHub, making them widely available to anyone, including malicious actors.
Both vulnerabilities affect the router's latest firmware version, 1.1.0.26. As per the latest information available on Linksys's firmware download page for the particular router model, no updates have been released to address these vulnerabilities, leaving users severely exposed to attacks leveraging the two flaws. Also, the last firmware release came out in December 2021, so it's possible this device is EoL and won't be getting a patch.
Since no security update is available, users of the Linksys E5600 router are recommended to limit remote access to the router’s management interface, change the default admin user credentials to something strong, and monitor the device’s settings for unusual changes.
China Suspected for Massive Data Breach at UK Ministry of Defense
Leave a Reply