WARNING: 2 CRITICAL, 1 HIGH, 1 MEDIUM VULNERABILITIES IN CISCO LEVELONE WBR-6012 ROUTER'S WEB APPLICATION CAN LEAD TO PRIVILEGE ESCALATION AND UNVERIFIED PASSWORD CHANGE. PATCH IMMEDIATELY!
CVE-2024-33699: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23309: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-33700: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-28052: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Sources
NIST:
Risks
Multiple (4) vulnerabilities in the web application of the CISCO LevelOne WBR-6012 router, firmware version R0.40e6, have a high impact on confidentiality, integrity and availability.
There is no information as to active exploitation at this time (cut-off date: 31 October 2024).
Description
The vulnerability CVE-2024-33699 can lead to privilege escalation, as attackers are able to change the administrator password without knowing the current password.
The authentication bypass vulnerability CVE-2024-23309 allows attackers to spoof an IP address. That way they need no session token to gain unauthorized access. This vulnerability stems from relying on client IP addresses for authentication.
The input validation vulnerability CVE-2024-33700 in the FTP functionality allows attackers to use malformed FTP commands to cause service disruption by denial of service and reboots.
The vulnerability CVE-2024-28052 causes incorrect calculation of the buffer size, which can crash and reboot the device. That way an attacker can access a backdoor account by sending an HTTP POST request with a URI containing 1454 characters or more that does not start with “upn” or “upg”.
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
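As an added example (not part of the CCB advisory or of any vendor tooling), the following Python script flags logged requests that match the CVE-2024-28052 pattern described above: an HTTP POST whose URI has 1454 characters or more and does not start with "upn" or "upg". It assumes that requests to the router are logged in Common Log Format by a proxy or sensor in front of the device, that length is measured on the logged request target, and that the prefix is compared after the leading slash; all log lines and paths are constructed.

```python
import re

# Threshold and prefixes come from the advisory text for CVE-2024-28052.
MIN_URI_LEN = 1454
EXEMPT_PREFIXES = ("upn", "upg")

# Assumption: requests to the router are logged in Common Log Format by a
# proxy or network sensor placed in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}|-)'
)

def is_suspicious(method, uri):
    """True when a request matches the pattern described in the advisory."""
    if method != "POST" or len(uri) < MIN_URI_LEN:
        return False
    # Assumption: the prefix is compared after the leading "/" of the path.
    return not uri.lstrip("/").startswith(EXEMPT_PREFIXES)

def scan(lines):
    """Return (line_no, source, timestamp, uri_length) for each matching line."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        if is_suspicious(m["method"], m["uri"]):
            hits.append((no, m["src"], m["ts"], len(m["uri"])))
    return hits

def sample_log():
    """Constructed log lines (documentation IP ranges, filler URIs)."""
    def line(src, method, uri, status):
        return f'{src} - - [31/Oct/2024:10:00:00 +0000] "{method} {uri} HTTP/1.1" {status} 0'
    return [
        line("192.0.2.10", "GET", "/index.htm", 200),
        line("192.0.2.10", "POST", "/form.cgi", 200),
        line("198.51.100.7", "POST", "/" + "A" * 1453, "-"),   # 1454 chars, flagged
        line("198.51.100.7", "POST", "/" + "A" * 1452, 200),   # 1453 chars, below threshold
        line("192.0.2.20", "POST", "/upg" + "A" * 1500, 200),  # exempt prefix
        line("198.51.100.7", "GET", "/" + "A" * 2000, 200),    # not a POST
    ]

if __name__ == "__main__":
    for hit in scan(sample_log()):
        print("suspicious request: line %d src=%s ts=%s uri_len=%d" % hit)
```

A hit followed by a gap in the device's responses or an uptime reset is worth correlating, since the advisory states that this request pattern can crash and reboot the router.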
References
Talos Intelligence: