Headline
CVE-2023-33620: CVE-2023-33620: GL.iNET Static HTTPS Certificate
GL.iNET GL-AR750S-Ext firmware v3.215 uses an insecure protocol in its communications which allows attackers to eavesdrop via a man-in-the-middle attack.
Justin Applegate
CVE-2023-33620: GL.iNET Static HTTPS Certificate
- CVSS Score - 6.8, Medium (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
- Overview - All GL.iNET IoT devices use the same default self-signed HTTPS cert, meaning the traffic can be decrypted or modified using a Man-in-the-Middle attack.
- Description - HTTPS is a protocol that uses HTTP for web requests and responses, but with SSL/TLS encryption on top of it. The communication is encrypted through the use of a certificate with the private key being kept secret - knowledge of this private key allows any intercepted traffic to be decrypted or modified. This would allow an attacker maliciously placed on the network to intercept sensitive information, such as authentication tokens, which would allow them to run arbitrary commands on the device. This certificate is self-signed and a warning will show up on most browsers, but this is not because the HTTPS connection doesn’t encrypt the data. The traffic is still encrypted, however the certificate is not authorized by a trusted authority (and for good reason). Dynamically generating different self-signed certificates for each GL.iNET device would allow the traffic to be encrypted and prevent Man-in-the-Middle attacks.
- Steps to reproduce - A list of publicly-available GL.iNET devices with the same SSL certificate can be found using this Shodan query. Note how the SHA 256 fingerprint is the same for each site, regardless of the model. The corresponding HTTPS private key can be extracted at the location /etc/lighttpd/server.pem from any GL.iNET device, and is also provided below.
- SHA 256 fingerprint - 97 B6 C5 3F 60 45 8B BE 47 27 9B 87 B1 67 87 6F 49 D3 2C DC B6 A5 84 D8 E4 FC CA 9E AF 53 AC 24
Fix
This was not fixed in 3.216. In a follow-up with the company, they said “The router is supposed to be accessed locally and http is fine… The user can replace the certificate manually. If the user [does] not have knowledge/skills to do this, they should just use http and [not] access the router from [the] WAN side.”
HTTPS Private Key and Certificate
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSnEJL9ymbUrPj
iOwFAKIiJcobxQRPbr9qGCWJNP1wpep/dz6GOWWBAmSL/E2Dy0MNoyVfDD7sl+F8
jbK+frARzPwPavgDbA1LVwInV2sVTSd88JDrmI3gby2hnpQRRh3zVEmJUvTop60q
I977iid9yckoNFSdikI0adF/CEdrVQ9qZILaJFJ0XCvfF1N2YsxT/QHLZ6oM9QuV
EflIKQQb8YTr6XSwvX8uwsUNBu44+5PIoYvBlZYL38pYRXTY/d8vXdUNE9uG1Ewq
4IQxMiEQ7mPSpliaig3LVhMsBB74fjx73a4QCy1sQ0gA2CCl7HKIDzRfXljWUude
NL2AqOJbAgMBAAECggEAPYwMk8aXEh0JFOVek9erie8hMRxSNiRXK9oCniYuKk1S
Sg2+59q+HwVj/MSuomU0IzgaI7ygZuO7sXp3UdQUAB+3SYopEFbzS6ERsA2L7Z2u
fISQ1UivrXbQDvsYqjOjbQiktMzZZWQa5sW01C17fPcLIgSo9aEB1+9UmZsBxAt/
nvMqGh+9lZQoN38tck8XbDNAZPbQtuvOfW5g48C/jhAu9czFkxh4b8aSvZp8Md8Q
lL5ukNKdE2dXFwJe8V1gSGvSPBMhLfMeLiU7JzIixK5a4vGpXEEWsti/xyBrI1AA
6t1oNDYjLAr4ihAC1gWKl3Tcgrt6M920XaLI2WMBAQKBgQD0vfDE+Ma3Qx5mSPNP
IBZq3Io+QVGZuvVAGJLPjvimyAYDSU1lcz1MpJjIFWcCP3khomu914P4cuji1mmh
k7e7+/S838Xt5EAaFJLPXeueXRAC844ev9xqPpx1QkbVyatrCTv0fxf6be1dqU3o
gM2jBsSoIqA2hn8fdBW968jxqQKBgQDcTGNd48ztrJ6u+X2PwlkVLbwqg5LjArNf
JUfLKk2eyY0EOoNQC0SWhQtfE62xNat5zC9YFUEfVcA6S9ZmJeJz9ybd5jqAwweF
sU/vQk8lXXNzPyrhxLlctPCLvGWR2SCcDKOb0SHwBg9HF+gmGXWh/cUKiCGfpbJO
trJ7CNi+YwKBgA5TP9CHrzny18is5HDxM961YfIa6KfS5aAG0DEN8Ufx1UhD9h/G
CwR9bePoPMtI49IwK5ZFExhrwW3llvE6MDr0mHKltnQiNA5SvfUdTjlKwTErCFqM
aF5fo9DJPFQvJbVyKOw6tDCYVphw3HqLb33nW4Nr42zNmotAxDUFpBFhAoGBAJcj
CSEHAjclMJDWteAE89zlzaxVLFb2KV1jVEf8M9h2anq2MhSeRmYFzPFjrMxhB829
2dVSb6UxzXmxQdw+rYflzhJ6uzRPmT+NkEuTcH0wCd7NPXw63PjPYiBcFkrjbc3h
lfV2mxPy9FRQAILzAJMsaRx6nKbMpPH/wZ9LSHgFAoGAMjsJ0/zhk1Gj41UAQrUs
RM3rzjXcWGc4qh10cjpRpIVVxPXqjNfCBmsVzcchM2jEeN/SK+VK6uWGtobw4wti
1WUN5DG2eIi27B2Xg7pmvZ7ZsdvJKPgMZnHrp/puLL+CN6Krz2WXRku9YnuEqHeX
5ARXlMuR0kdg2AtByNL+FNI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIJAOauAItoZrcDMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
VQQGEwJDTjESMBAGA1UECAwJR1VBTkdET05HMREwDwYDVQQHDAhTSEVOWkhFTjEQ
MA4GA1UECgwHZ2wtaW5ldDEQMA4GA1UECwwHZ2wtaW5ldDEPMA0GA1UEAwwGcm91
dGVyMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBnbC1pbmV0LmNvbTAeFw0xOTAzMDQx
MDQ3NTlaFw0zOTAyMjcxMDQ3NTlaMIGLMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ
R1VBTkdET05HMREwDwYDVQQHDAhTSEVOWkhFTjEQMA4GA1UECgwHZ2wtaW5ldDEQ
MA4GA1UECwwHZ2wtaW5ldDEPMA0GA1UEAwwGcm91dGVyMSAwHgYJKoZIhvcNAQkB
FhFhZG1pbkBnbC1pbmV0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANKcQkv3KZtSs+OI7AUAoiIlyhvFBE9uv2oYJYk0/XCl6n93PoY5ZYECZIv8
TYPLQw2jJV8MPuyX4XyNsr5+sBHM/A9q+ANsDUtXAidXaxVNJ3zwkOuYjeBvLaGe
lBFGHfNUSYlS9OinrSoj3vuKJ33JySg0VJ2KQjRp0X8IR2tVD2pkgtokUnRcK98X
U3ZizFP9Actnqgz1C5UR+UgpBBvxhOvpdLC9fy7CxQ0G7jj7k8ihi8GVlgvfylhF
dNj93y9d1Q0T24bUTCrghDEyIRDuY9KmWJqKDctWEywEHvh+PHvdrhALLWxDSADY
IKXscogPNF9eWNZS5140vYCo4lsCAwEAAaNQME4wHQYDVR0OBBYEFPjZu+Us1pxK
xLwgo9oqnA6X3tPEMB8GA1UdIwQYMBaAFPjZu+Us1pxKxLwgo9oqnA6X3tPEMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEcuKqwUVA57PP52+Iofleur
kG7hvIFukf38MAFckRgP7Q2jMt6kzC+HXYtpdSUomjAv06tNU5cawyEVnWiu5IHa
r1PhaMCaz+rTmU1ld7g570pYPgfjW0kigSus+XM6RAnmRR/Nv3aXDS1x0BizswKx
0MxNmMXXKiJOGJKIs6Wk0uz8f1CDLpOhd5fYLkOlEHW4dkSc5Hu1mQTYvNtuReOI
4GNKjai/8nhrlJHGLd1Db36AqVc0kB0UAFMkWlFv6oIaxdVnI/etCThT+xik1VXC
of3/V6+7vxDMTpYEVfVUURUMXgAVSTK8e+I3z3yGzU7vYFK5tdCcloYkIviItYY=
-----END CERTIFICATE-----
Theme Pure | Powered by Hexo and Cookies I take no responsibility for anything on this site because that’s too much work