In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.
An attacker uploads a specially crafted OpenVPN configuration file through the upload function interface in the router. The data contained in the file is not properly validated or filtered before being passed to the system command interpreter. As a result, malicious commands embedded in the file are executed directly by the device's operating system with the privileges of the process handling this functionality.
An attacker can gain full control over the device by remotely executing arbitrary system commands, which leads to breach of confidentiality, integrity and availability of the router and potentially the entire network behind it.
Patches available from the manufacturer should be applied in accordance with the references. It is recommended to check for newer firmware versions on the manufacturer's website (gl-inet.com) and implement it immediately. Until the update is applied, consider disabling the OpenVPN configuration file upload function or restricting access to the device management interface to trusted hosts only.
GL.iNET GL-AR300M routers with installed firmware version 3.216.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGl Inet Gl Ar300m
HWGl-Inetwszystkie wersjeGl Inet Gl Ar300m Firmware
OSGl-Inet3.216
Related vulnerabilities
GL.iNet — Authentication Bypass w NGINX przez dopasowanie wzorców Lua
GL.iNet: privilege escalation przez interfejs add_user do uprawnień root
Command injection w routerach GL.iNET GL-AR300M przez nazwę pakietu
An issue was discovered on GL.iNet devices before 3.216. The function guci2_get() found in libglutil.so has a ...
An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is poss...