CVE-2024-28077

Sept. 5, 2024, 6:29 p.m.

7.5
High

Description

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.

Product(s) Impacted

Vendor    Product              Versions
Gl-inet   Mt6000 Firmware      4.5.6
          Mt6000               -
          X3000 Firmware       4.4.6
          X3000                -
          Xe3000 Firmware      4.4.4
          Xe3000               -
          A1300 Firmware       4.5.0
          A1300                -
          Ax1800 Firmware      4.5.0
          Ax1800               -
          Axt1800 Firmware     4.5.0
          Axt1800              -
          Mt2500 Firmware      4.5.0
          Mt2500               -
          Mt3000 Firmware      4.5.0
          Mt3000               -
          Xe300 Firmware       4.3.16
          Xe300                -
          X750 Firmware        4.3.7
          X750                 -
          Sft1200 Firmware     4.3.7
          Sft1200              -
          Ar300m Firmware      4.3.10
          Ar300m               -
          Ar300m16 Firmware    4.3.10
          Ar300m16             -
          Ar750 Firmware       4.3.10
          Ar750                -
          Ar750s Firmware      4.3.10
          Ar750s               -
          B1300 Firmware       4.3.10
          B1300                -
          Mt1300 Firmware      4.3.10
          Mt1300               -
          Mt300n-v2 Firmware   4.3.10
          Mt300n-v2            -

("-" marks a hardware entry with no version; the version applies to the matching firmware entry.)

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type   Vendor    Product                Version
o      gl-inet   mt6000_firmware        4.5.6
h      gl-inet   mt6000                 -
o      gl-inet   x3000_firmware         4.4.6
h      gl-inet   x3000                  -
o      gl-inet   xe3000_firmware        4.4.4
h      gl-inet   xe3000                 -
o      gl-inet   a1300_firmware         4.5.0
h      gl-inet   a1300                  -
o      gl-inet   ax1800_firmware        4.5.0
h      gl-inet   ax1800                 -
o      gl-inet   axt1800_firmware       4.5.0
h      gl-inet   axt1800                -
o      gl-inet   mt2500_firmware        4.5.0
h      gl-inet   mt2500                 -
o      gl-inet   mt3000_firmware        4.5.0
h      gl-inet   mt3000                 -
o      gl-inet   xe300_firmware         4.3.16
h      gl-inet   xe300                  -
o      gl-inet   x750_firmware          4.3.7
h      gl-inet   x750                   -
o      gl-inet   sft1200_firmware       4.3.7
h      gl-inet   sft1200                -
o      gl-inet   ar300m_firmware        4.3.10
h      gl-inet   ar300m                 -
o      gl-inet   ar300m16_firmware      4.3.10
h      gl-inet   ar300m16               -
o      gl-inet   ar750_firmware         4.3.10
h      gl-inet   ar750                  -
o      gl-inet   ar750s_firmware        4.3.10
h      gl-inet   ar750s                 -
o      gl-inet   b1300_firmware         4.3.10
h      gl-inet   b1300                  -
o      gl-inet   mt1300_firmware        4.3.10
h      gl-inet   mt1300                 -
o      gl-inet   mt300n-v2_firmware     4.3.10
h      gl-inet   mt300n-v2              -

(Type "o" is an operating-system/firmware CPE, "h" a hardware CPE. The remaining CPE fields, Update, Edition, Language, Software Edition, Target Software, Target Hardware and Other Information, are unspecified for every entry.)

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Timeline

Published: Aug. 26, 2024, 8:15 p.m.
Last Modified: Sept. 5, 2024, 6:29 p.m.

Status: Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.