CVEs: Access control vulnerabilities found within Multilaser routers’ web management interface

By Vinicius Moraes

As part of the research results of Tempest’s technical consulting team, we identified and reported vulnerabilities affecting the web management interfaces of at least three routers manufactured by Multilaser. MITRE registered these vulnerabilities under the following identifiers:

• CVE-2023-38944: vulnerability verified in router RE160V (firmware V12.03.01.09_pt) and RE163V (firmware V12.03.01.10_pt);
• CVE-2023-38945: vulnerability verified in router RE160 (firmware V5.07.52_pt_mtl01), RE160V (firmware V12.03.01.09_pt) and RE163V (firmware V12.03.01.08_pt);
• CVE-2023-38946: vulnerability verified in the RE160 router in firmwares V5.07.51_pt_mtl01 and V5.07.52_pt_mtl01, however the latter added an exploitation time window.

The three flaws exploit the same problem in different ways, which, in turn, consist of bypassing access control of the router’s web interfaces. These web interfaces are responsible for providing management features to routers. By exploiting the flaws described in these CVEs, a potential attacker may modify DNS settings, obtain the router’s saved passwords, change routing tables, and activate remote access, among other approaches. All the exploits addressed can be carried out in an unauthenticated and remote manner (by luring victims to download an application or access a malicious website) or locally (by connecting to a network that uses a router running vulnerable firmware).

The vulnerabilities addressed in this publication were reported to Multilaser, which resolved the two flaws affecting the RE160V and RE163V routers (after the release of firmware V12.03.01.12 [1][2]). In addition, Multilaser also sought corrections for the RE160, contacting the firmware supplier of this equipment; however, due to the age of the equipment, which is already about ten years old, and its technical limitations, the RE160 will not receive mitigation. Therefore, the recommendation for this equipment — exclusively — is to avoid its use and purchase a newer device that is still receiving updates (such as the RE160V or RE163V models).

Technical details on the identified flaws are available at:

• https://seclists.org/fulldisclosure/2024/Mar/0
• https://seclists.org/fulldisclosure/2024/Mar/1
• https://seclists.org/fulldisclosure/2024/Mar/2

References

[1] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

[2] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v