Milesight Routers - Information Disclosure Vulnerability CVE-2023-43261 Scanner

CVE-2023-43261 vulnerability has not yet been published by the authorized CNA. This vulnerability, whose exploit code has been disclosed, is actively exploited by cyber attackers.

Milesight; It is a company based in Fujian, China, that develops products in the fields of Video Surveillance, Smart Restroom, Smart Office, Smart Agriculture, Intelligent Traffic Solution, Indoor Air Quality, People Counting, Space Occupancy, Smart Building, Energy Efficiency and Smart City.

Thanks to the vulnerability found in UR5X, UR32L, UR32, UR35, UR41 model router devices in the “5G & Cellular Products” product category developed by Milesight; Cyber attackers who do not have any authority over the router devices can access the log files on the router and obtain username and password information by decrypting the encrypted files. For this reason, it is possible to categorize the relevant cyber security vulnerability as "directory traversal".

A cyber attacker who can obtain the username and password of an authorized user can log in to the router from the web interface and have the opportunity to see and change the configuration and direct traffic. A cyber attacker with these opportunities can access the internal network and seize more devices.

To exploit the system, the cyber attacker only needs access to the router web interface. A cyber attacker who can access the web interface of the router can access log files kept locally on the router as a result of a misconfigured default setting on the firmware. These log files also contain records of usernames and passwords that log in to the system from the web interface. Although these log files are encrypted as a security measure, the cyber attacker can access the AES private key in the firmware by exploiting the same vulnerability and read the log files by decrypting them as clear text. Thus, the cyber attacker can obtain the user login information contained in the log files.

It has not been confirmed by the company whether Milesight has any products affected by the vulnerability, other than the UR5X, UR32L, UR32, UR35, UR41 model products. S4E recommends vulnerability testing for all products of the company.

If you own one of these devices, you can find out whether your device has ever been exploited by reviewing the records. To do this, review the login records made into the system and examine the login transactions that have not been made by you. If you see that the log files have been cleared, you can assume that there has been unauthorized access to your router.

The code to exploit the vulnerability has been disclosed on the internet, and cyber attackers are actively exploiting this vulnerability and taking over the management of router devices.

S4E offers you the ability to detect and take precautions when cyber security vulnerabilities are disclosed, even before they are announced.

• https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
• https://github.com/win3zz/CVE-2023-43261
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43261