CVE-2018-4031
Description
An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without prior sanitization, which results in arbitrary Lua script execution in the kernel. An attacker could send an HTTP request to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CUJO Smart Firewall 7003 allows arbitrary Lua code execution when an HTTP request with a crafted hostname triggers code injection in the safe browsing function.
Vulnerability
The safe browsing function (safebro) of the CUJO Smart Firewall firmware version 7003 [1] contains a code injection vulnerability (CWE-94). When parsing captured HTTP/HTTPS requests, the server hostname is extracted and inserted into a Lua statement without prior sanitization, allowing arbitrary Lua script execution in the kernel context [1].
Exploitation
An attacker with network-level access can send a specially crafted HTTP request containing malicious Lua code in the hostname field [1]. No authentication is required, and the attack is triggered when the device's safe browsing feature processes the malicious request. The complexity is high due to the need to craft the request to bypass potential filters [1].
Impact
Successful exploitation results in arbitrary Lua code execution within the kernel, leading to full compromise of the device [1]. The CVSSv3 score of 9.0 (Critical) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H indicates a high impact on confidentiality, integrity, and availability, with a scope change allowing the attacker to affect resources beyond the vulnerable component [1].
Mitigation
Cisco Talos reported this vulnerability on 2018-08-14 [1], but no official patch or firmware update has been confirmed in the available references. Users are advised to monitor the vendor's advisory channels and restrict network access to the device as a workaround [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CUJO/Smart Firewall
- Range: =7003
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The server hostname extracted from the HTTP Host header is inserted unsanitized into a Lua statement that is executed in the kernel, enabling arbitrary Lua code injection."
Attack vector
An attacker on the same network as the CUJO device sends a crafted HTTP request with a malicious Host header. The CUJO firewall, acting as a gateway, captures the packet via iptables rule `[2]` and passes it to the kernel's Lunatik Lua engine. The Host header is extracted at `[4]` using a regex that allows any printable character except space, then inserted unsanitized into a Lua statement at `[11]` that is written to `/proc/nf_lua` and executed in kernel context. Because the `load()` function is available in Lunatik, the attacker can inject arbitrary Lua bytecode, achieving remote code execution in the kernel without authentication [CWE-94] [ref_id=1].
Affected code
The vulnerability resides in the `nf_http.lua` script, specifically in the `nf_http` function that extracts the Host header from HTTP requests at line `[4]` using a regex that accepts any printable character except space (`%g`). The unsanitized hostname is then passed through `safebro.filter` and `threat.lookup` to the `threatd` process, where at `[11]` it is inserted directly into a Lua statement string without sanitization before being written to `/proc/nf_lua` for kernel execution.
What the fix does
The advisory does not provide a patch diff or specific fix details. The remediation guidance is implicit in the description of the flaw: the hostname extracted from the Host header at `[4]` must be sanitized before being inserted into the Lua statement at `[11]`. The advisory notes that the regex at `[4]` accepts any printable character except space (`%g`), which allows injection of Lua metacharacters such as quotes and parentheses. A proper fix would validate or escape the hostname to prevent breaking out of the string context in the Lua statement, and would restrict or remove the `load()` function from Lunatik to prevent arbitrary bytecode execution [ref_id=1].
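As an added, defender-side illustration in standard Lua (not code from the advisory or from the CUJO firmware): the string-building pattern the advisory describes, beside the hostname allow-listing and text-only loading that a fix would apply. The statement shape `return lookup("<host>")`, the `lookup` function and the sample hostnames are assumptions.

```lua
-- Added illustration, not CUJO/Lunatik code. The statement shape
-- ('return lookup("<host>")') and the function names are assumptions.

-- Vulnerable pattern: Host header text is spliced into Lua source, so a
-- quote or ')' inside it closes the literal and the rest runs as code.
local function build_statement_unsafe(host)
  return 'return lookup("' .. host .. '")'
end

-- Fix 1: allow-list the hostname before it reaches any Lua statement.
-- RFC 1123 style only: labels of letters, digits and hyphens (no leading
-- or trailing hyphen), 1..63 chars per label, 253 chars in total.
local function valid_hostname(host)
  if type(host) ~= "string" or #host == 0 or #host > 253 then
    return false
  end
  for label in (host .. "."):gmatch("([^.]*)%.") do
    if #label == 0 or #label > 63 then return false end
    if not label:match("^[%w][%w%-]*$") or label:sub(-1) == "-" then
      return false
    end
  end
  return true
end

-- Fix 2: keep the hostname as data. Call the lookup directly instead of
-- generating source text, so there is nothing to break out of.
local function run_lookup_safe(lookup, host)
  if not valid_hostname(host) then
    return nil, "rejected hostname: " .. tostring(host)
  end
  return lookup(host)
end

-- Fix 3 (when source text cannot be avoided): load it text-only and in
-- an environment that exposes only what the statement needs. Standard
-- Lua 5.2+ semantics; mode "t" rejects precompiled bytecode chunks.
local function run_statement_restricted(src, lookup)
  local env = { lookup = lookup }          -- no load, no string.dump
  local chunk, err = load(src, "=stmt", "t", env)
  if not chunk then return nil, err end
  return chunk()
end

-- Constructed sample inputs for a quick self-check.
local function lookup(h) return "checked:" .. h end
assert(valid_hostname("www.example.com"))
assert(not valid_hostname('x");y=1;--'))          -- Lua metacharacters
assert(run_lookup_safe(lookup, "www.example.com") == "checked:www.example.com")
assert(run_statement_restricted(build_statement_unsafe("example.org"), lookup) == "checked:example.org")
```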
Preconditions
- network: Attacker must be on the same network as the CUJO device (the monitored network)
- config: CUJO Smart Firewall must be running firmware version 7003
- network: The target HTTP server must respond on TCP port 80
- auth: No authentication required
Reproduction
From any device on CUJO's monitored network, run: `$ curl "http://${IP}" -H 'Host: ");x=string.dump(load"a()");load(x:sub(1,54)..string.char(184)..x:sub(56))();--'` where `${IP}` is any remote server answering on TCP port 80. This crashes the Lunatik engine via a kernel out-of-bounds read [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- talosintelligence.com/vulnerability_reports/TALOS-2018-0703 (x_refsource_MISC)
News mentions
No linked articles in our index yet.