CVE-2024-28077

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.
Configurations

Configuration 1

AND
cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt3000:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:gl-inet:x750_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*

Configuration 11

AND
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*

Configuration 12

AND
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*

Configuration 13

AND
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*

Configuration 14

AND
cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*

Configuration 15

AND
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*

Configuration 16

AND
cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*

Configuration 17

AND
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*

Configuration 18

AND
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

History

05 Sep 2024, 18:29

Type: Values Removed -> Values Added
References: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md (untagged) -> https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md - Third Party Advisory
References: https://gl-inet.com (untagged) -> https://gl-inet.com - Product
CVSS: v2 : unknown, v3 : unknown -> v2 : unknown, v3 : 7.5
CWE: (none) -> NVD-CWE-noinfo
First Time (products and vendor first seen in an NVD record):
Gl-inet ar300m Firmware
Gl-inet mt1300
Gl-inet mt2500
Gl-inet ax1800
Gl-inet mt6000
Gl-inet ar750s Firmware
Gl-inet ar750s
Gl-inet mt2500 Firmware
Gl-inet a1300 Firmware
Gl-inet b1300 Firmware
Gl-inet mt3000 Firmware
Gl-inet x3000
Gl-inet x750
Gl-inet ar750 Firmware
Gl-inet x3000 Firmware
Gl-inet ax1800 Firmware
Gl-inet sft1200
Gl-inet ar300m16
Gl-inet b1300
Gl-inet xe3000
Gl-inet x750 Firmware
Gl-inet xe300
Gl-inet mt300n-v2
Gl-inet
Gl-inet axt1800
Gl-inet axt1800 Firmware
Gl-inet ar300m
Gl-inet xe3000 Firmware
Gl-inet mt300n-v2 Firmware
Gl-inet sft1200 Firmware
Gl-inet xe300 Firmware
Gl-inet mt1300 Firmware
Gl-inet mt6000 Firmware
Gl-inet a1300
Gl-inet ar300m16 Firmware
Gl-inet ar750
Gl-inet mt3000
CPE (values added):
cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:x750_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt3000:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

27 Aug 2024, 13:02

Type Values Removed Values Added
Summary
  • (es) A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS and consequently obtain the IP addresses and ports of the exposed devices. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, which leaves customers unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10 and XE300 4.3.16.

26 Aug 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-26 20:15

Updated : 2024-09-05 18:29


NVD link : CVE-2024-28077

Mitre link : CVE-2024-28077

CVE.ORG link : CVE-2024-28077


Products Affected

gl-inet

  • ar750s_firmware
  • ar300m_firmware
  • a1300
  • axt1800
  • x3000_firmware
  • mt300n-v2
  • xe3000_firmware
  • mt2500
  • axt1800_firmware
  • xe300
  • mt6000_firmware
  • ar300m
  • mt1300
  • ar300m16
  • x750_firmware
  • ar750s
  • mt2500_firmware
  • xe300_firmware
  • a1300_firmware
  • mt6000
  • mt3000
  • sft1200
  • ax1800_firmware
  • ax1800
  • x3000
  • b1300
  • ar750_firmware
  • mt3000_firmware
  • b1300_firmware
  • mt300n-v2_firmware
  • mt1300_firmware
  • xe3000
  • sft1200_firmware
  • ar300m16_firmware
  • ar750
  • x750