CVE-2018-3953

Name of the Vulnerable Software and Affected Versions Linksys E1200 versions 2.0.09 Linksys E2500 versions 3.0.04

Description The issue exists due to improper filtering of data passed to and retrieved from NVRAM, allowing for OS command injection. This can be exploited by a remote attacker to execute arbitrary commands. The vulnerability is triggered when data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the machine name POST parameter. The preinit binary, upon receiving the SIGHUP signal, enters a code path that leads to the start lltd function, where a nvram get call retrieves the user-controlled machine name NVRAM entry. This value is then directly executed in a command intended to write the host name to a file.

Recommendations For Linksys E1200 version 2.0.09, consider disabling the start lltd function until a patch is available. For Linksys E2500 version 3.0.04, restrict access to the apply.cgi endpoint to minimize the risk of exploitation. Avoid using the machine name parameter in the affected API endpoint until the issue is resolved.