A recently discovered vulnerability (CVE-2020-23587) in the OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 has gained significant attention due to its potential to allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack leading to man-in-the-middle attacks by adding new routes in RoutingConfiguration on "/routing.asp". In this long-read post, we will delve into the details of this vulnerability, provide code snippets, and discuss the original references and exploits in detail.

The Vulnerability

First, to understand the vulnerability better, we must understand what a CSRF attack is. A CSRF attack, also known as a One-Click Attack or Session Riding, occurs when an attacker exploits a victim's active session to perform a request without the user's consent. This type of attack can lead to unauthorized actions on a web application like updating account details, changing user privileges, or even compromising the entire system.

In the case of CVE-2020-23587, the "/routing.asp" page of the OPTILINK OP-XT71000N network device has insufficient protection against forged requests, enabling potential attackers to craft malicious requests and embed them in legitimate web pages they control. Once a victim inadvertently visits such a page, the victim's browser sends the malicious request to the device, and the attacker can modify routing configurations in the OPTILINK device.

Code Snippet

Here's a simple proof-of-concept (PoC) code snippet demonstrating the CSRF vulnerability in the OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028:

<html>
  <body>
    <form action="http://OPTILINK_IP_ADDRESS/routing.asp" method="POST">
      <input type="hidden" name="new-route-config" value="ATTACKER_CONTROLLED_ROUTE" />
      <input type="hidden" name="submit" value="Submit" />
      <input type="submit" value="Trigger CSRF" />
    </form>
  </body>
</html>

Replace OPTILINK_IP_ADDRESS with the actual IP address of the OPTILINK device and ATTACKER_CONTROLLED_ROUTE with the desired route from the attacker's perspective.

This vulnerability has been acknowledged and registered in official sources such as:

1. The MITRE Corporation's Common Vulnerabilities and Exposures (CVE) database: CVE-2020-23587
2. The National Vulnerability Database (NVD): NVD - CVE-2020-23587

Exploit Details

Exploiting this vulnerability requires the attacker to entice the victim into visiting a malicious web page or clicking a specially crafted link. The attacker may accomplish this by sending phishing emails, embedding the link in social media messages, or compromising a legitimate website. Once the victim performs the action, the malicious request is sent to the OPTILINK device without the ISP or administrator's knowledge.

Mitigations

While there isn't an official patch available for this vulnerability yet, network administrators can take certain steps to reduce the risks associated with it:

1. Implement a strict Content Security Policy (CSP) to control which sources can send requests to the OPTILINK device.
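
The forged request described above is a cross-site POST to "/routing.asp", so it can be recognized by comparing its Origin or Referer header with the Host it was sent to. The following Python is an added example, not code from the advisory or from OPTILINK; it assumes request headers are available from a proxy or sensor in front of the device, and the `classify` function and the sample records are constructed for illustration.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
PROTECTED_PATHS = {"/routing.asp"}  # page named in the advisory


def _host(value):
    """Return lowercase host[:port] from an Origin/Referer value, or None."""
    if not value or value.strip().lower() == "null":
        return None
    netloc = urlsplit(value.strip()).netloc
    return netloc.lower() or None


def classify(req):
    """Return 'ignore', 'same-origin', 'cross-site' or 'no-origin' for one request."""
    path = urlsplit(req["path"]).path.lower()
    if req["method"].upper() not in STATE_CHANGING or path not in PROTECTED_PATHS:
        return "ignore"
    headers = {k.lower(): v for k, v in req["headers"].items()}
    # Prefer Origin; fall back to Referer when Origin is absent or "null".
    source = _host(headers.get("origin")) or _host(headers.get("referer"))
    if source is None:
        return "no-origin"  # cannot prove same-origin: review or block
    # Exact host[:port] comparison; a port mismatch is treated as cross-site.
    target = headers.get("host", "").lower()
    return "same-origin" if source == target else "cross-site"


# Constructed sample records (192.0.2.1 is a documentation address).
SAMPLE = [
    {"method": "POST", "path": "/routing.asp",
     "headers": {"Host": "192.0.2.1", "Origin": "http://192.0.2.1",
                 "Referer": "http://192.0.2.1/routing.asp"}},
    {"method": "POST", "path": "/routing.asp",
     "headers": {"Host": "192.0.2.1", "Origin": "http://news.example",
                 "Referer": "http://news.example/article.html"}},
    {"method": "POST", "path": "/routing.asp",
     "headers": {"Host": "192.0.2.1", "Origin": "null"}},
    {"method": "GET", "path": "/routing.asp",
     "headers": {"Host": "192.0.2.1"}},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["method"], r["path"], r["headers"].get("Origin"), "->", classify(r))
```

Records classified as "cross-site" match the pattern of the PoC form; "no-origin" records cannot be attributed either way and deserve manual review.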

Conclusion

The CVE-2020-23587 vulnerability in OPTILINK OP-XT71000N can lead to severe consequences if exploited by a malicious actor. With the information provided in this article, network administrators can better understand the vulnerability, take precautionary measures, and monitor for any signs of exploitation. Users should remain vigilant about the websites they visit and the links they click on to protect themselves from potential attacks.

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/23/2022 20:42:00 UTC