CVERadar
CVE-2024-8573
Critical Severity | Totolink
SVRS: 77
CVSSv3: 8.8
EPSS: 0.00485
Tags: Signature
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Publication date: 2024-09-08
Last modified: 2025-03-03
Security Intelligence Brief
1. What is this vulnerability and why does it matter?
CVE-2024-8573 is a buffer overflow in the firmware of the TOTOLINK AC1200 T8 and AC1200 T10 routers. It lies in the setParentalRules function reached through /cgi-bin/cstecgi.cgi, the CGI endpoint behind the device's web management interface. It matters because it is reachable over the network: the CVSS vector is AV:N with PR:L and UI:N, so an attacker needs a low-privilege session with the web interface but no physical access and no victim interaction, and a memory-corrupting overflow in a router's CGI handler can end in denial of service or arbitrary code execution on the device. A public exploit has already been disclosed, so opportunistic exploitation needs no original research.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS v3.1 base score is 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, low privileges required, no user interaction, high impact on confidentiality, integrity and availability). On the CVSS qualitative scale that is High, not Critical (Critical starts at 9.0); the "critical" wording comes from the CVE description's own classification. The vulnerability was published on 2024-09-08 10:00:06. The exploit has been publicly disclosed, so information on how to compromise affected systems is readily available. The vendor, TOTOLINK, was reportedly contacted early regarding this disclosure but did not respond.
3. Which products, vendors, systems, and versions are affected?
- Vendor: TOTOLINK
- Products:
- TOTOLINK AC1200 T8
- TOTOLINK AC1200 T10
- Affected Firmware Versions:
- 4.1.5cu.861_B20230220
- 4.1.8cu.5207
4. What is the technical root cause and attack vector?
The root cause is a classic buffer overflow (CWE-120, a specialisation of CWE-119): setParentalRules in /cgi-bin/cstecgi.cgi copies request-controlled values into fixed-size buffers without checking that they fit, which is exactly the pattern CWE-120 describes. The parameters known to trigger it are desc, week, sTime and eTime; other parameters of the same handler may be affected as well. The attack vector is network-reachable. Per the CVSS vector (AV:N/AC:L/PR:L/UI:N) the attacker needs no physical or local access and no user interaction, but does need a low-privilege session with the web interface, so management interfaces exposed to the WAN or protected only by default credentials are the realistic path in.
5. How can this vulnerability be exploited?
An attacker with a session on the router's web interface sends a request to /cgi-bin/cstecgi.cgi that invokes setParentalRules with an over-long value in desc, week, sTime or eTime. Because the handler copies the value without a length check, the write runs past the end of the destination buffer. Depending on what lies beyond it, the result ranges from a crash of the CGI process or the device (denial of service) to corruption of adjacent data and, with a controlled overwrite, arbitrary code execution as the web server's user, which on SOHO router firmware is often root. Exploit details are public, so producing a working request is a matter of adapting what has been disclosed rather than finding the bug.
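To make the CWE-120 pattern described in sections 4 and 5 concrete, here is an added example. It is not TOTOLINK's code: the rule struct, the buffer sizes and the day/time formats are assumptions made for the demonstration. It models a handler that copies desc, week, sTime and eTime into fixed-size buffers with strcpy(), next to a hardened version that rejects any value that will not fit (terminator included) before it is copied, validates the fields that do, and leaves the stored rule untouched when a request is rejected.

```c
/* Added example, not code from TOTOLINK's firmware: a minimal model of a
 * parental-rule handler for the four parameters named in the advisory.
 * Struct layout, buffer sizes and field formats are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DESC_MAX 32 /* assumed: rule description buffer */
#define WEEK_MAX 8  /* assumed: seven day flags + NUL */
#define TIME_MAX 6  /* assumed: "HH:MM" + NUL */

struct parental_rule {
    char desc[DESC_MAX];
    char week[WEEK_MAX];
    char sTime[TIME_MAX];
    char eTime[TIME_MAX];
};

/* CWE-120 pattern: each strcpy() trusts the length of the attacker-supplied
 * value. A desc longer than DESC_MAX-1 bytes runs past rule->desc into the
 * fields after it and, past the struct, into whatever the caller put there.
 * Kept only for comparison; never call it with untrusted input. */
void set_parental_rules_vulnerable(struct parental_rule *rule,
                                   const char *desc, const char *week,
                                   const char *sTime, const char *eTime)
{
    strcpy(rule->desc, desc);
    strcpy(rule->week, week);
    strcpy(rule->sTime, sTime);
    strcpy(rule->eTime, eTime);
}

/* Copy src into dst[cap] only if the string and its NUL fit. memchr() is
 * bounded by cap, so an unterminated src is not read past cap bytes. */
static bool copy_bounded(char *dst, size_t cap, const char *src)
{
    const char *nul = memchr(src, '\0', cap);
    if (nul == NULL)
        return false; /* no terminator within cap bytes: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* Assumed format: exactly seven '0'/'1' flags, one per weekday. */
static bool valid_week(const char *w)
{
    if (strlen(w) != 7)
        return false;
    for (int i = 0; i < 7; i++)
        if (w[i] != '0' && w[i] != '1')
            return false;
    return true;
}

/* Assumed format: "HH:MM" in the range 00:00 .. 23:59. */
static bool valid_time(const char *t)
{
    if (strlen(t) != 5 || t[2] != ':')
        return false;
    if (!isdigit((unsigned char)t[0]) || !isdigit((unsigned char)t[1]) ||
        !isdigit((unsigned char)t[3]) || !isdigit((unsigned char)t[4]))
        return false;
    int hh = (t[0] - '0') * 10 + (t[1] - '0');
    int mm = (t[3] - '0') * 10 + (t[4] - '0');
    return hh < 24 && mm < 60;
}

/* Hardened handler: 0 on success, -1 if any field would overflow its buffer,
 * -2 if a field fits but is malformed. Work is done on a scratch copy so a
 * rejected request leaves *rule exactly as it was. */
int set_parental_rules_hardened(struct parental_rule *rule,
                                const char *desc, const char *week,
                                const char *sTime, const char *eTime)
{
    struct parental_rule tmp;
    memset(&tmp, 0, sizeof tmp);
    if (!copy_bounded(tmp.desc, sizeof tmp.desc, desc) ||
        !copy_bounded(tmp.week, sizeof tmp.week, week) ||
        !copy_bounded(tmp.sTime, sizeof tmp.sTime, sTime) ||
        !copy_bounded(tmp.eTime, sizeof tmp.eTime, eTime))
        return -1;
    if (!valid_week(tmp.week) || !valid_time(tmp.sTime) || !valid_time(tmp.eTime))
        return -2;
    *rule = tmp;
    return 0;
}

int main(void)
{
    struct parental_rule rule;
    char oversized[200]; /* constructed: 199 'A's, far beyond DESC_MAX */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal rule:    %d\n", set_parental_rules_hardened(&rule, "Kids", "1111100", "20:00", "07:00"));
    printf("oversized desc: %d\n", set_parental_rules_hardened(&rule, oversized, "1111100", "20:00", "07:00"));
    printf("bad end time:   %d\n", set_parental_rules_hardened(&rule, "Kids", "1111100", "20:00", "25:00"));
    return 0;
}
```

The length check is done against the destination size including the terminator, so a 31-byte desc is accepted and a 32-byte one is refused; that boundary is where strcpy()-style handlers go wrong by one and where a reviewer should look first in any CGI parameter handler.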
6. What mitigation steps and patches are available?
As of the current information there are no official patches or vendor-provided mitigation steps. The CVE description states explicitly that "The vendor was contacted early about this disclosure but did not respond in any way," so users of affected TOTOLINK AC1200 T8 and AC1200 T10 devices have no direct vendor fix. Until one ships, compensating controls are the only option: keep the web management interface off the WAN, restrict which LAN hosts can reach it, replace default credentials (the vector's PR:L means valid credentials are the attacker's only hurdle), and plan to retire the device if the vendor remains silent.
7. How can vulnerable systems be detected?
Vulnerable systems are identified by model and firmware build; there is no behavioural signature to look for short of the exploit traffic itself. Administrators should:
- Check the device model to confirm it is an AC1200 T8 or AC1200 T10.
- Verify the firmware version against the two listed builds, 4.1.5cu.861_B20230220 and 4.1.8cu.5207.
- Treat other builds of the same series as unverified rather than fixed: the vendor has not responded, so no build is known to contain a fix.
- Check whether the management interface is reachable from the WAN or from untrusted LAN segments, since that determines who can reach cstecgi.cgi at all.
8. What are the indicators of compromise (IOCs)?
Specific indicators of compromise (IOCs) are not detailed in the CVE information. Given a buffer overflow that can lead to remote code execution, plausible indicators include:
- Requests to /cgi-bin/cstecgi.cgi carrying unusually long or non-printable values in desc, week, sTime or eTime, visible in an IDS, reverse proxy or packet capture in front of the router.
- Unusual network traffic originating from or destined for the router.
- Unexpected process execution or changes in system configuration on the router.
- Abnormal device reboots or instability, the likely symptom of a crashed rather than hijacked CGI handler.
- Log entries showing parental-control settings being accessed or modified from unfamiliar IP addresses or outside normal administration hours.
- Presence of unauthorized files or modified firmware.
9. Which threat actors are known to exploit this vulnerability?
The provided CVE data does not specify any particular threat actors known to be actively exploiting CVE-2024-8573. However, since the exploit has been publicly disclosed, it is plausible that various opportunistic attackers, including script kiddies and more sophisticated groups, may attempt to leverage this vulnerability.
10. What public intelligence references and advisories exist?
The primary public intelligence reference is the CVE entry itself: CVE-2024-8573. The description notes that the exploit details have been publicly disclosed, which would typically be found in security research blogs, exploit databases, or vulnerability disclosure platforms. No other specific advisories or intelligence reports are directly cited in the provided CVE data.
11. What is the risk assessment and urgency level?
Risk Assessment: The risk associated with CVE-2024-8573 is assessed as High/Critical. This is based on:
- A CVSS v3.1 base score of 8.8 (High on the CVSS scale, with high impact on confidentiality, integrity and availability).
- The "critical" classification in the CVE description itself.
- Network exploitability: no physical access or user interaction is needed, only a low-privilege session with the web interface.
- Public disclosure of the exploit, which significantly lowers the bar for attackers.
- The lack of an official patch or any response from the vendor, leaving affected systems exposed indefinitely.