CVE-2024-33603
The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6012 R0.40e6
WBR-6012 - https://us.level1.com/products/wbr-6012
5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 - Information Exposure
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
The web page located at syslog2.htm (verbose system log) exposes sensitive information such as memory addresses, debug messages, settings, IP addresses for login attempts, and more, to unauthenticated users.
This allows an unauthenticated user to discover the IP address of administrator users, potentially exposing them to session hijacking via Web Application Reliance on IP Address for Authentication (TALOS-2024-1996).
Log
-00:00:00 unknow section_id = 0x0
-00:00:00 unknow section_id = 0x0
-00:00:00 unknow section_id = 0x0
-00:00:00 unknow section_id = 0x0
-00:00:00 NATBS =45461
-00:00:00 MAXBUF_S=1622,MESSH_SZ=108=108
-00:00:00 QoS flag ==0x0
-00:00:00 init_dma_alloc=dma_base=0x805eb140
-00:00:00 pAd->CurrentAddress==>00-11-6B-55-D2-4C
-00:00:00 pAd->MACVersion:Rev=0x33520200
-00:00:00 RF IC Type: 12
-00:00:00 CN: 33335452 CID = 104
-00:00:00 RT3352_Init
-00:00:00 ApCfg.BssidNum=1
-00:00:00 DtimPeriod=3
-00:00:00 BGProtection=0
-00:00:00 TxPreamble=0
-00:00:00 RtsThreshold=2347
-00:00:00 FragmentThreshold=2346
-00:00:00 TxBurst=1
-00:00:00 bAggregationCapable=0
-00:00:00 bEnableWmm=1
-00:00:00 ShortGI=1
-00:00:00 CommonCfg.bBssCoexEnable=1
-00:00:00 1. Phy Mode = 9
-00:00:00 2. Phy Mode = 9
-00:00:00 3. Phy Mode = 9
-00:00:00 DesiredHtPhy.GF=1==2
-00:00:00 pHTPhyMode->BW == BW_40
-00:00:00 MCS Set = ff ff 00 00 01
-00:00:00 wlan_enable_isr
-00:00:00 802.1x task starts
-00:00:02 Enable 20/40 BSSCoex Channel Scan(BssCoex=1)
-00:00:05 2040_COEXIST 22 > 0
-00:00:05 DesiredHtPhy.GF=1==2
-00:00:05 pHTPhyMode->BW == BW_40
-00:00:05 ==>AP is WSC_ENROLLEE_PROXY_REGISTRAR
-00:00:05 Public Key OK
-00:00:05 0x1300 = 00064300
-00:00:05 Wireless Open 305X OK
-00:00:05 auth_mesg is null
-00:00:05 DOD:192.168.1.100 query DNS for
-00:00:05 DOD:192.168.1.100 query DNS for
-00:00:05 DHCP:discover(WBR-6012)
-00:00:06 MAC : link down
-00:12:33 DHCP:discover(WBR-6012)
-00:12:55 Admin from 192.168.1.100 login successfully
-00:13:05 DOD:triggered internally
-00:13:05 DHCP:discover(WBR-6012)
-00:13:08 chdr.lpvs = 1, chdr.family_member= 28420, chdr.rom_id = DDC6F0402001
-00:13:09 DHCP:discover(WBR-6012)
-00:13:13 Admin from 192.168.1.100 logged out
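To gauge what a saved copy of this log discloses, the following added example (not part of the original advisory or of any vendor or Talos tooling) groups the sensitive values by category. The function names, the category names and the reading of the leading field as HH:MM:SS are assumptions, and the sample lines are constructed from the format shown above.

```python
import re

# Constructed sample in the format of the syslog2.htm output shown above.
SAMPLE_LOG = """\
-00:00:00 init_dma_alloc=dma_base=0x805eb140
-00:00:00 pAd->CurrentAddress==>00-11-6B-55-D2-4C
-00:00:00 RtsThreshold=2347
-00:00:05 DOD:192.168.1.100 query DNS for
-00:12:55 Admin from 192.168.1.100 login successfully
-00:13:13 Admin from 192.168.1.100 logged out
"""

LINE_RE = re.compile(r"^-(\d{2}:\d{2}:\d{2})\s+(.*)$")
ADMIN_RE = re.compile(r"^Admin from (\d{1,3}(?:\.\d{1,3}){3}) (login successfully|logged out)$")
# Heuristic patterns (assumption): any 32-bit hex value is treated as pointer-like.
PATTERNS = {
    "memory_address": re.compile(r"\b0x[0-9a-fA-F]{8}\b"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b"),
    "ip_address": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}

def to_seconds(ts):
    # Assumption: the leading field is HH:MM:SS.
    h, m, s = (int(part) for part in ts.split(":"))
    return h * 3600 + m * 60 + s

def audit_log(text):
    """Group what a captured verbose log discloses; count lines that do not parse."""
    report = {"admin_events": [], "disclosed": {k: set() for k in PATTERNS}, "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"] += bool(line)  # headers such as "Log" land here
            continue
        when, msg = to_seconds(m.group(1)), m.group(2)
        admin = ADMIN_RE.match(msg)
        if admin:
            report["admin_events"].append((when, admin.group(1), admin.group(2)))
        for name, pat in PATTERNS.items():
            report["disclosed"][name].update(pat.findall(msg))
    return report

if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    for when, ip, action in result["admin_events"]:
        print(f"t+{when}s admin {action} from {ip}")
    for name, values in result["disclosed"].items():
        print(f"{name}: {sorted(values)}")
```
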
2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.