If a user is logged in to the router with the root account, a specially crafted URL can be sent to the device, which will then execute the given command. For example, the following URL can be sent to the router to exploit the vulnerability and exfiltrate the device’s configuration: http://192.168.1.1/cgi-bin/admin/config_view.cgi?config_file=config.ini&config_section=system&config_value=junk&config_view=option&config_view_sort=option&config_view_dir=option&config_view_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir_

Solution

A router can be fixed by unplugging it, resetting the device to default settings, and then plugging it back in.
If you're a user of a router or any other device, this particular vulnerability is not for you. You should also know that there is no easy fix for this vulnerability. Instead, your device should be replaced.

User Management Vulnerability

CVE-2022-42221 is a router user management vulnerability. If a user with the root account is logged in, a specially crafted URL can be sent to the device and it will execute the given command. For example, the following URL can be sent to the router to trigger an unauthorized reboot: http://192.168.1.1/cgi-bin/admin/config_view.cgi?config_file=config.ini&config_section=system&config_value=junk&config_view=option&config_view_sort=option&config_view_dir=option&config_view_regex=&config_view_dir_regex=&config_view_dir_regex=&config_view_dir2

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 04:27:00 UTC

References