Full Report
Lilith >_> of Cisco Talos discovered these vulnerabilities. Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application. The Wavlink AC3000 wireless router is one of the
Analysis Summary
# Vulnerability: Mass Vulnerability Disclosure on Wavlink AC3000 Router Web Application (44 Flaws)
## CVE Details
- CVE ID: Multiple (63 total across 10 .cgi, 3 .sh files, and the login page)
- CVSS Score: Not explicitly provided for all, but the severity implies critical/high risk due to RCE, Command Injection, and Root Access. One specific CVE mentioned is **CVE-2024-39754 (TALOS-2024-2034)** related to static login.
- CWE: Various (e.g., Command Injection, Buffer Overflow, Potential for Arbitrary Code Execution/Root Access)
## Affected Systems
- Products: Wavlink AC3000 wireless router web application
- Versions: Not specified, assumed to be affected versions prior to any potential vendor fix.
- Configurations: Web application interfaces accessed via HTTP requests targeting specific CGI scripts or the static login page.
## Vulnerability Description
Cisco Talos discovered 44 vulnerabilities affecting the Wavlink AC3000 wireless router's web application, cataloged under 63 unique CVEs. These flaws reside in various CGI files (`.cgi`), shell scripts (`.sh`), and HTML pages.
Key vulnerability types include:
1. **Static Login/wcrtrl service:** An attacker can gain **root access** via a specially crafted network packet over the WAN using static login credentials. (CVE-2024-39754)
2. **CGI Scripts:** Numerous vulnerabilities across `touchlist_sync.cgi`, `login.cgi`, `internet.cgi`, `firewall.cgi`, `adm.cgi`, `wireless.cgi`, `usbip.cgi`, `qos.cgi`, `openvpn.cgi`, and `nas.cgi` include **Arbitrary Code Execution (ACE)**, **Command Injection (OS Command Injection)**, **Buffer Overflows**, **Persistent XSS**, **Unauthenticated Firmware Upload**, and **Directory Traversal**. These are triggerable via unauthenticated HTTP requests.
3. **Shell Scripts:** Vulnerabilities in `testsave.sh`, `fw_check.sh`, and `update_filter_url.sh` relate to firmware update/upload issues, some triggerable via Man-in-the-Middle (MITM) attacks.
## Exploitation
- Status: **PoC available** for specific flaws (implied by the detailed technical nature of the disclosure, though not explicitly stated as 'PoC available' in the text; numerous critical flaws, such as RCE and gaining root access, suggest high exploitability).
- Complexity: **Low to Medium** for many command injection and buffer overflow issues allowing unauthenticated remote access. The static login issue requires network packets over WAN, potentially Medium complexity.
- Attack Vector: **Network** (Remote, unauthenticated access possible for many CGI flaws; WAN access for root credential flaw).
## Impact
- Confidentiality: **High** (Due to OS Command Injection and Remote Code Execution that could lead to information disclosure)
- Integrity: **High** (Due to Arbitrary Code Execution, Unauthenticated Firmware Upload, and Command Injection allowing configuration modification)
- Availability: **High** (Due to Buffer Overflows that could cause denial of service, and firmware manipulation)
## Remediation
### Patches
- **Wavlink has declined to release a patch for these vulnerabilities.**
### Workarounds
- No vendor-provided workarounds were mentioned.
- **General Mitigation (Recommended):** Restrict WAN access to the router's administrative interface. If possible, segment the device from external networks or apply strict firewall rules to block all incoming management traffic.
## Detection
- Detection coverage is available via Snort rule sets.
- **Detection methods and tools:** Download the latest rule sets from Snort.org to obtain detection signatures for the exploitation attempts related to these CVEs.
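
A log triage check to go with the mitigation and detection points above, added here as an example and not taken from the Talos report or from Wavlink: it scans web access logs for requests to the CGI scripts listed in this summary and marks the ones that come from outside the LAN. It assumes a Common Log Format log from a proxy or firewall in front of the router; the sample lines, the `/cgi-bin/` path prefix and the LAN ranges are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# CGI scripts named in the summary above.
AFFECTED_CGI = {
    "touchlist_sync.cgi", "login.cgi", "internet.cgi", "firewall.cgi",
    "adm.cgi", "wireless.cgi", "usbip.cgi", "qos.cgi", "openvpn.cgi", "nas.cgi",
}
# Assumption: these ranges are the trusted side; adjust to the local addressing plan.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Common Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')

def is_external(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError for hostnames
    return not any(ip in net for net in LAN_NETS)

def triage(lines):
    """Return (client, script, external) for each request to an affected CGI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # Decode %xx and check every path segment (encoded names, trailing path info).
        try:
            segments = unquote(urlsplit(target).path).lower().split("/")
            script = next((s for s in segments if s in AFFECTED_CGI), None)
            if script:
                findings.append((client, script, is_external(client)))
        except ValueError:
            continue  # unparsable target or non-IP client field
    return findings

# Constructed sample lines; the /cgi-bin/ prefix is an assumption, not from the report.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
    '192.168.10.5 - - [01/Jan/2025:10:00:05 +0000] "POST /cgi-bin/adm.cgi HTTP/1.1" 200 128',
    '198.51.100.23 - - [01/Jan/2025:10:01:00 +0000] "GET /cgi-bin/nas%2Ecgi?a=1 HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, script, external in triage(SAMPLE_LOG):
        print("EXTERNAL" if external else "internal", client, script)
```

Any row marked external means the management interface is reachable from outside the LAN, which is the exposure the workaround is meant to remove.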
## References
- Vendor advisories: Wavlink has not released a patch.
- Relevant links - defanged:
  - Cisco’s third-party vulnerability disclosure policy: hxxps://sec.cloudapps.cisco.com/security/center/resources/vendor_vulnerability_policy.html
  - Snort Rule Sets: hxxps://snort.org/
  - Talos Intelligence Vulnerability Reports: hxxps://talosintelligence.com/vulnerability_reports (Specific report links were defanged in the source material)