CVE-2024-28077

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md	Third Party Advisory
https://gl-inet.com	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:mt3000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:gl-inet:x750_firmware:4.3.7:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

History

05 Sep 2024, 18:29

Type	Values Removed	Values Added
References	~~() https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md -~~	() https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md - Third Party Advisory
References	~~() https://gl-inet.com -~~	() https://gl-inet.com - Product
CPE		cpe:2.3:h:gl-inet:ar750:-:::::::* cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:::::::* cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:::::::* cpe:2.3:h:gl-inet:xe300:-:::::::* cpe:2.3:h:gl-inet:mt3000:-:::::::* cpe:2.3:h:gl-inet:x750:-:::::::* cpe:2.3:h:gl-inet:axt1800:-:::::::* cpe:2.3:h:gl-inet:a1300:-:::::::* cpe:2.3:h:gl-inet:mt2500:-:::::::* cpe:2.3:h:gl-inet:mt6000:-:::::::* cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:::::::* cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:::::::* cpe:2.3:h:gl-inet:b1300:-:::::::* cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:::::::* cpe:2.3:h:gl-inet:sft1200:-:::::::* cpe:2.3:o:gl-inet:x750_firmware:4.3.7:::::::* cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:::::::* cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:::::::* cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:::::::* cpe:2.3:h:gl-inet:xe3000:-:::::::* cpe:2.3:h:gl-inet:mt300n-v2:-:::::::* cpe:2.3:h:gl-inet:ax1800:-:::::::* cpe:2.3:h:gl-inet:ar300m:-:::::::* cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:::::::* cpe:2.3:h:gl-inet:ar750s:-:::::::* cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:::::::* cpe:2.3:h:gl-inet:mt1300:-:::::::* cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:::::::* cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:::::::* cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:::::::* cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:::::::* cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:::::::* cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:::::::* cpe:2.3:h:gl-inet:ar300m16:-:::::::* cpe:2.3:h:gl-inet:x3000:-:::::::* cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:::::::*
First Time		Gl-inet mt300n-v2 Firmware Gl-inet x3000 Gl-inet mt1300 Firmware Gl-inet ar300m Firmware Gl-inet sft1200 Firmware Gl-inet x750 Gl-inet mt3000 Gl-inet sft1200 Gl-inet a1300 Firmware Gl-inet x3000 Firmware Gl-inet mt2500 Firmware Gl-inet mt6000 Firmware Gl-inet ar750 Gl-inet mt1300 Gl-inet mt2500 Gl-inet ar300m Gl-inet ar750s Gl-inet a1300 Gl-inet Gl-inet mt6000 Gl-inet b1300 Firmware Gl-inet ar300m16 Gl-inet xe3000 Firmware Gl-inet ax1800 Gl-inet xe300 Firmware Gl-inet ar300m16 Firmware Gl-inet axt1800 Firmware Gl-inet b1300 Gl-inet ar750 Firmware Gl-inet ax1800 Firmware Gl-inet axt1800 Gl-inet x750 Firmware Gl-inet ar750s Firmware Gl-inet mt300n-v2 Gl-inet mt3000 Firmware Gl-inet xe3000 Gl-inet xe300
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

27 Aug 2024, 13:02

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema de denegación de servicio en ciertos dispositivos GL-iNet. Algunos sitios web pueden detectar dispositivos expuestos a la red externa a través de DDNS y, en consecuencia, obtener las direcciones IP y los puertos de los dispositivos que están expuestos. Al utilizar nombres de usuario especiales y caracteres especiales (como medio paréntesis o corchetes), se puede llamar a la interfaz de inicio de sesión y provocar que el programa de administración de sesiones falle, lo que provocará que los clientes no puedan iniciar sesión en sus dispositivos. Esto afecta a MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10 y XE300 4 .3. 16.

26 Aug 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-26 20:15

Updated : 2024-09-05 18:29

NVD link : CVE-2024-28077

Mitre link : CVE-2024-28077

CVE.ORG link : CVE-2024-28077

JSON object : View

Products Affected

gl-inet

mt6000_firmware
ar750s_firmware
mt2500_firmware
xe300
mt300n-v2
sft1200_firmware
ar300m16_firmware
mt300n-v2_firmware
mt3000_firmware
x750_firmware
x750
xe3000_firmware
x3000
axt1800
xe300_firmware
ar750_firmware
b1300_firmware
b1300
ar300m16
mt3000
mt2500
ar300m_firmware
a1300_firmware
ax1800
a1300
sft1200
ar750
axt1800_firmware
ar300m
mt1300
ar750s
mt1300_firmware
ax1800_firmware
xe3000
mt6000
x3000_firmware

CWE

NVD-CWE-noinfo

7.5 /10