External risk intelligence

GL.iNet devices allow attackers to take full control via a web browser.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-46453

GL.iNet devices have a critical flaw that lets attackers take full control by bypassing login using a special username, potentially exposing your network.

4Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2023-46453

GL.iNet devices act as network gateways. The administrative web interface is a management surface that is frequently exposed to the internet, either intentionally for remote management or due to common deployment patterns for this class of router and gateway hardware. This exposes the administrative login function to potential external access.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in GL.iNet devices allows an attacker to bypass authentication and gain administrative control by sending a specially crafted username. This could lead to unauthorized access and potential compromise of the device's network functions.

Device administrative access is compromised.
Network traffic could be monitored or rerouted.
The issue is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can gain full administrative control of vulnerable GL.iNet devices by exploiting an authentication bypass flaw. This is achieved by submitting a specially crafted username that acts as both a valid SQL statement and a regular expression. Success grants the attacker complete command over the device.

Attacker targets the login page.
No prior access is required.
Username is a SQL injection.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for authentication bypass on GL.iNet devices, granting administrative control. Attackers are likely to target this because these devices often serve as network gateways and their management interfaces can be internet-facing, presenting an accessible attack surface. The vulnerability's nature, involving SQL and regular expression injection, is a known technique that attackers favor for its potential to bypass security controls.

Exploitation observed publicly.
Exploit available.
Recent publication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing logs and telemetry for any signs of authentication bypass attempts against GL.iNet devices. Actively block any traffic exhibiting SQL injection or regex pattern matching in username fields, and inventory all affected GL.iNet devices to understand potential exposure. Given the critical severity and available exploit, consider taking affected services offline or isolating them until mitigations can be applied.

Block SQL injection and regex patterns in usernames.
Isolate or take affected services offline.
Monitor network traffic for exploitation attempts.

Frequently asked questions

What are GL.iNet devices and how can they be used?

GL.iNet devices are routers and gateways. They are utilized for various networking purposes, such as improving Wi-Fi, establishing VPN connections, and managing network storage. Versions 4.x of their firmware, which are impacted by this vulnerability, were developed to enhance performance and include features like advanced repeater functionality and VPN configurations.

What specific security weakness does CVE-2023-46453 represent?

CVE-2023-46453 is identified as a critical SQL injection vulnerability (CWE-89). This flaw allows an attacker to bypass authentication mechanisms. They can achieve this by submitting a username that is simultaneously a valid SQL statement and a valid regular expression, thereby gaining unauthorized administrative control over the affected GL.iNet devices.

How can an attacker exploit this vulnerability to gain control?

An unauthenticated attacker can exploit this vulnerability by targeting the device's login page. They achieve authentication bypass by submitting a specially crafted username that functions as both a valid SQL statement and a regular expression. This grants the attacker complete administrative command over the device without requiring any prior access.

Why is this vulnerability particularly relevant for potential exploitation?

This vulnerability is highly relevant because GL.iNet devices often function as network gateways, and their administrative interfaces can be exposed to the internet. This creates an accessible attack surface. The exploitation method, involving SQL and regular expression injection, is a known technique favored by attackers for bypassing security controls, making these devices a likely target.

What steps should be taken to respond to this vulnerability?

To mitigate this vulnerability, it is recommended to monitor logs and telemetry for any signs of authentication bypass attempts on GL.iNet devices. Blocking traffic that includes SQL injection or regex patterns in username fields is crucial. Additionally, inventory all affected GL.iNet devices to understand exposure and consider isolating vulnerable services or taking them offline until mitigations are applied.

References

www.exploit-db.com/exploits/51865

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.