A hacker can inject malicious code into the router to facilitate a DoS or DPI attack, obtain sensitive information, or install a backdoor.

A remote attacker can send a request to setIPsecTunnelList with the IPsecLocalNet parameter set to “0.0.0.0/0” to trigger the command injection.

setIPsecLocalNet(IPsecLocalNet)

Alternatively, an attacker can send a request to setIPsecRemoteNet with the IPsecRemoteNet parameter set to “0.0.0.0/0” to trigger the command injection.

setIPsecRemoteNet(IPsecRemoteNet)

The router also fails to sufficiently sanitize user-supplied data when parsing the parameters of setIPsecTunnelList, which could lead to information disclosure.

An attacker can send a request to setIPsecTunnelList with the IPsecRemoteNet parameter set to “1.2.3.4/0” to trigger the command injection.

setIPsecRemoteNet(IPsecRemoteNet) = 1.2.3.4/0

The vulnerability can be exploited by remote attackers to inject malicious code into the device and facilitate a DoS attack, obtain sensitive information, or install a backdoor.

A remote attacker can send a request to set

Vulnerability Disclosure Timeline

March 22, 2018 - DISCLOSURE
November 14, 2017 - Public Disclosure

This is a vulnerability that has been disclosed.

Products Affected

RouterOS 6.6 and later versions are vulnerable to a command injection. An attacker can send a request to setIPsecTunnelList with the IPsecLocalNet parameter set to “0.0.0.0/0” or “1.2.3.4/0” to trigger the command injection, which could lead to information disclosure or other impactful results. The vulnerability has been fixed in RouterOS 7.x releases, but it was not fixed in previous versions of RouterOS: 6.6 and earlier versions are vulnerable until they are upgraded to a version that is not vulnerable (e.g., version 6.6-beta5).

Vulnerable versions:

CVE-2022-41396 was patched for CVE-2022-4149.

Products Affected By CVE-2022-41396

Xiaomi Mi Router 3.0
ZTE ZMAX Pro B3U400

Timeline

Published on: 11/15/2022 03:15:00 UTC
Last modified on: 11/18/2022 21:34:00 UTC

References