Talos Vulnerability Report

TALOS-2023-1852

Milesight UR32L luci2-io file-import firmware update vulnerability

May 1, 2024
CVE Number

CVE-2023-47166

SUMMARY

A firmware update vulnerability exists in the luci2-io file-import functionality of Milesight UR32L v32.3.0.7-r2. A specially crafted network request can lead to arbitrary firmware update. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.7-r2

PRODUCT URLS

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-285 - Improper Authorization

DETAILS

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The UR32L router offers the functionality to upgrade the firmware with a newer one. The UR32L, throughout the whole firmware upgrade process, never checks the validity of the uploaded firmware. This allows an attacker to upgrade the router with an arbitrary firmware.

VENDOR RESPONSE

No current patch available.

TIMELINE

2023-12-06 - Vendor Disclosure
2023-12-06 - Vendor acknowledged receipt
2023-12-12 - Vendor reply
2023-12-12 - Reply to issues brought up by vendor
2023-12-14 - Request to confirm receipt
2023-12-17 - Receipt confirmed by vendor
2023-12-18 - Further clarification
2024-01-03 - Patch provided by vendor
2024-01-15 - Feedback to vendor
2024-01-17 - Vendor replies
2024-01-17 - Feedback provided to vendor
2024-02-01 - Request for a status update
2024-02-01 - New firmware provided by vendor
2024-02-07 - New firmware appears to close the vulnerability
2024-02-13 - Request for an update on the patch release status
2024-02-21 - Request for an update on the patch release status
2024-02-27 - Request for an update on the patch release status
2024-02-27 - Vendor replies with firmware release date “around April”
2024-02-28 - Release date extended to April 1st
2024-04-02 - Request for an update on the firmware release
2024-04-02 - Vendor informed of upcoming publication date
2024-05-01 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

TALOS-2023-1889

TALOS-2023-1848