Talos Vulnerability Report

TALOS-2024-1986

LevelOne WBR-6012 Web Application information disclosure vulnerability

October 30, 2024
CVE Number

CVE-2024-33626

SUMMARY

The LevelOne WBR-6012 router contains a vulnerability within its web application that allows unauthenticated disclosure of sensitive information, such as the WiFi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s WiFi network.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Information Exposure

DETAILS

The WBR-6012 is a wireless SOHO router. It is a low-cost device that functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality of service, web-based administration, a DHCP server, a basic DMZ, and UPnP.

The web page located at sysinfo.htm exposes sensitive information such as the WiFi WPS PIN. The PIN is intended to be a “shared secret”; an attacker who obtains it can connect to the WiFi network.
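As an added example (not part of the Talos advisory), the following Python shows how a defender can confirm from a captured sysinfo.htm body which of the fields quoted in this report are exposed, check that the disclosed value is a well-formed WPS PIN, and flag successful requests for the page in HTTP access logs. The sample body and log lines are constructed; the log format assumes a proxy or network sensor in front of the router's web interface, since the router itself is not known to keep such logs.

```python
import re
# Constructed sample body: the sysinfo.htm fields quoted in the advisory.
SAMPLE_SYSINFO = """Version\t6A4D28C.6A4D281.6A81DD0..381
0000+0000@DDC6F0402001 (6F03) R0.40e6 [0]
R-Data\tWAN MAC=00-11-6B-55-D2-4B/DDC6F0402001
LAN MAC=00-11-6B-55-D2-4C
AP PIN = 14974533
Device Time\tMon Jun 01 00:18:18 2009
"""

# Values an unauthenticated client should never be able to read.
SENSITIVE = {
    "wps_pin": re.compile(r"AP PIN\s*=\s*(\d{8})"),
    "firmware": re.compile(r"\([0-9A-F]+\)\s+(R[\w.]+)"),
    "wan_mac": re.compile(r"WAN MAC=((?:[0-9A-F]{2}-){5}[0-9A-F]{2})"),
    "lan_mac": re.compile(r"LAN MAC=((?:[0-9A-F]{2}-){5}[0-9A-F]{2})"),
}

def extract_sensitive_fields(body: str) -> dict[str, str]:
    """Return the sensitive values present in a sysinfo.htm response body."""
    return {name: m.group(1)
            for name, rx in SENSITIVE.items() if (m := rx.search(body))}

def wps_pin_checksum_ok(pin: str) -> bool:
    """Verify the WSC checksum digit (8th digit) of a WPS PIN: a valid one
    means the disclosed value is a real PIN, so the PIN should be reset."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    d = [int(c) for c in pin]
    acc = 3 * sum(d[0:7:2]) + sum(d[1:7:2])
    return (10 - acc % 10) % 10 == d[7]

# Constructed access-log lines (common log format), assumed to come from a
# proxy or network sensor in front of the router's web interface.
SAMPLE_LOG = [
    '192.168.0.23 - - [30/Oct/2024:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '192.168.0.77 - - [30/Oct/2024:10:01:09 +0000] "GET /sysinfo.htm HTTP/1.1" 200 2048',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_sysinfo_disclosures(lines: list[str]) -> list[dict[str, str]]:
    """Flag requests for sysinfo.htm answered with 200: the page needs no
    login, so every hit means the fields above were disclosed to that client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(4).split("?")[0].lower() == "/sysinfo.htm" and m.group(5) == "200":
            hits.append({"client": m.group(1), "time": m.group(2)})
    return hits
```

A device answering sysinfo.htm with the WPS PIN should have WPS disabled or its PIN regenerated, and the WAN MAC and firmware string treated as known to whoever requested the page.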

An example of the information included on sysinfo.htm is provided below:

Version	6A4D28C.6A4D281.6A81DD0..381
0000+0000@DDC6F0402001 (6F03) R0.40e6 [0]
U-Time	00:18:18 (S=00:00:00,P=0/0) / 00:18:18   (201205020002)
D-String	P=6EA31,S=0,H=0,D=0/0,E=0,B=621/0,R=FFFE
R-Data	WAN MAC=00-11-6B-55-D2-4B/DDC6F0402001
LAN MAC=00-11-6B-55-D2-4C
F/W Checksum=F1BC
Section =P: OK|A: OK|D: OK|C: OK|
A-String	3352-2T2R;M=00-11-6B-55-D2-4C;
D=ETSI;A=2;C=1FFF;R=FFFF;St=2;MCQ:36;MDQ:36;MFQ:36;TCQ:0;TDQ:0;TFQ:0;RCQ:121;RDQ:122;RFQ:122
RSSI:0,0,0,0,0,0
AP PIN = 14974533
C-Data	5BC0D270D671765B3DD8B8BAE52C49A814
Device Time	Mon Jun 01 00:18:18 2009

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.