External risk intelligence

GL.iNET MT3000 OS Command Injection in logread

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-29778

The affected product is a wireless router/gateway device. Such devices are commonly deployed at the network edge, and management interfaces or services within these appliances are frequently exposed to network access, making them a common target for external reachability in real-world deployments.

OS Command Injection

Gl Inet Gl Mt3000 Firmware

4.1.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a critical command injection flaw in certain GL.iNET routers, allowing unauthenticated attackers to execute arbitrary commands remotely. The issue stems from how the device handles requests to its logging service, potentially enabling broad system compromise if exploited. The main concern is confirming relevance and exposure of these devices within your environment.

  • Remote attackers can run commands on affected routers.
  • The vulnerability is critical and remotely exploitable.
  • Confirm if these devices are deployed and exposed.

Attack Path

How an attacker could exploit the issue

An attacker can remotely exploit this vulnerability by sending a specially crafted request to the device's web interface. This request targets a specific logging function, allowing the attacker to inject and execute arbitrary operating system commands. The vulnerability is triggered through the `logread` RPC endpoint, which, if exploited successfully, can lead to complete system compromise.

  • No authentication required.
  • Targets the `logread` RPC endpoint.
  • Allows arbitrary OS command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject operating system commands remotely through the logread RPC, potentially leading to unauthorized access and control of the device.

  • Device firmware could be compromised.
  • Exploitation occurs over the network.
  • Unrestricted command execution is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vulnerability impacts GL.iNET MT3000 devices running firmware version 4.1.0 Release 2. Ownership likely resides with the network infrastructure team responsible for edge devices, or potentially the vendor management team if support contracts are in place. The first practical step is to identify all deployed MT3000 units, confirm network exposure and business criticality, and then coordinate with GL.iNET for remediation.

  • Network infrastructure or vendor management owns.
  • Verify device exposure and criticality first.
  • Plan remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GL.iNET MT3000 device?

The GL.iNET MT3000 is a compact, high-performance wireless router and gateway device often used to provide network connectivity in homes, offices, or while traveling. It runs on specialized firmware designed to manage network traffic, security settings, and device logs, serving as a critical bridge between internal local networks and the broader internet.

What does OS Command Injection mean for CVE-2023-29778?

This vulnerability is classified as CWE-78, or Improper Neutralization of Special Elements used in an OS Command. In plain terms, the router's software incorrectly processes input before passing it to the underlying system. Because of this, an attacker can insert their own commands into a request, which the router will then execute with system-level privileges, essentially giving them control over the device.

How is this vulnerability triggered?

The vulnerability is triggered when an attacker sends a specially crafted request to the router's logread RPC endpoint. This endpoint, which is part of the device's web management interface, fails to sanitize the input properly. It is important to note that this flaw does not require the attacker to have a password or be logged into the device; they can initiate the attack remotely without any prior authentication.

Is my device at risk if it is behind a firewall?

Halo Surface Signal notes that the MT3000 is a network edge device often exposed to the internet, which increases the likelihood of external reachability. If your device is accessible directly from the public internet, it is at higher risk. Devices kept strictly within a private, internal network are less reachable, though they may still be vulnerable to an attacker who has already gained a foothold inside your local network.

What should I do if I am running this router?

First, identify all MT3000 units in your environment to understand your footprint. Check your device's administrative settings to see if it is exposed to the internet and evaluate the business impact of these specific units. Once accounted for, prioritize verifying if a firmware update is available from GL.iNET to resolve this, and coordinate with your network infrastructure team to manage the deployment of any necessary patches or configuration changes.

References