CVE-2024-9793

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been discovered in Tenda AC1206 router firmware versions up to 15.03.06.23. The vulnerability affects the ate_iwpriv_set/ate_ifconfig_set function of the /goform/ate file. This flaw allows for command injection, which can be exploited remotely without requiring user interaction or special privileges.

Impact

The impact of this vulnerability is severe. An attacker can remotely execute arbitrary commands on the affected Tenda AC1206 routers. This could lead to complete compromise of the device, potentially allowing attackers to:

1. Gain unauthorized access to the router and connected network
2. Modify router configurations
3. Intercept or manipulate network traffic
4. Use the router as a pivot point for further attacks on the internal network
5. Cause denial of service by disrupting router operations

The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating maximum impact on confidentiality, integrity, and availability of the system.

Exploitation

Multiple proof-of-concept exploits are available on github.com. There is no evidence of exploitation at the moment.

Patch

As of the latest information provided, no patch is available for this vulnerability. The vendor (Tenda) was contacted about this disclosure but did not respond, suggesting that a fix may not be immediately forthcoming.

Mitigation

Given the severity of the vulnerability and the lack of a vendor-provided patch, the following mitigation steps are recommended:

1. Immediately disconnect or isolate affected Tenda AC1206 routers from the network, especially from internet-facing connections.
2. If possible, replace the vulnerable routers with alternative, secure devices from other manufacturers.
3. If replacement is not immediately feasible, implement strict network segmentation to isolate the vulnerable routers from critical network assets.
4. Monitor for any suspicious activities or unauthorized access attempts targeting these devices.
5. Regularly check for firmware updates from Tenda and apply them as soon as they become available.
6. Consider implementing additional network security measures such as firewalls or intrusion detection systems to help mitigate the risk of exploitation.
7. Disable remote administration features on the router if they are not absolutely necessary.

It's crucial to prioritize addressing this vulnerability due to its critical nature and the availability of public exploits.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9793.

Oct 10, 2024 at 3:33 PM / CVE | THREATINT - NEW.RSS

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 3:33 PM

CVE Assignment

NVD published the first details for CVE-2024-9793

Oct 10, 2024 at 4:15 PM

CVSS

A CVSS base score of 6.3 has been assigned.

Oct 10, 2024 at 4:20 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 11%)

Oct 11, 2024 at 10:19 AM

CVSS

A CVSS base score of 9.8 has been assigned.

Nov 1, 2024 at 2:40 PM / nvd

Proof of Concept (PoC) Released

A proof of concept exploit has been released

Nov 1, 2024 at 5:11 PM

Affected Systems

Tenda/ac1206_firmware

Exploits

https://github.com/ixout/iotVuls/blob/main/Tenda/ac1206_003/report.md

Attack Patterns

CAPEC-136: LDAP Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
