CVE-2020-23586
Description
A vulnerability found in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Add Network Traffic Control Type Rule.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated, remote attacker can use CSRF on OPTILINK OP-XT71000N firmware OP_V3.3.1-191028 to add network traffic control rules without user consent.
Vulnerability
The OPTILINK OP-XT71000N with Hardware Version V2.2 and Firmware Version OP_V3.3.1-191028 contains a cross-site request forgery (CSRF) vulnerability in the endpoint /net_qos_cls_edit.asp. This endpoint allows adding network traffic control type rules but lacks sufficient CSRF protections, meaning it does not validate the origin of requests or require a unique token [1].
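The two checks this paragraph says /net_qos_cls_edit.asp lacks, sketched as an added example (not OPTILINK firmware code and not taken from the cited reference): a same-origin test on the Origin/Referer header plus a per-session token. The `csrf_token` field name, the HMAC token scheme and the header dictionary layout are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed for illustration: hidden form field "csrf_token", headers passed as a
# dict with canonical names, token derived by HMAC from the session id.


def issue_token(session_id: str, key: bytes) -> str:
    """Per-session anti-CSRF token, embedded in the form as a hidden field."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names the UI's own host."""
    host = headers.get("Host", "").lower()
    source = headers.get("Origin") or headers.get("Referer")
    if not host or not source:
        return False  # fail closed: no evidence of where the request came from
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and parts.netloc.lower() == host


def allow_state_change(headers: dict, form: dict, session_id: str, key: bytes):
    """Decide whether a settings-changing request may proceed: (allowed, reason)."""
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id, key).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; addresses, session id and key are made up.
    key, sid = b"k" * 32, "sess-1"
    ui = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    foreign = {"Host": "192.168.1.1", "Origin": "http://other-site.example"}
    token = issue_token(sid, key)
    print(allow_state_change(ui, {"csrf_token": token}, sid, key))
    print(allow_state_change(foreign, {"csrf_token": token}, sid, key))
    print(allow_state_change(ui, {}, sid, key))
```

Either check alone would reject a forged cross-site submission in this sketch; applying both means a stripped Origin header or a leaked token does not by itself let the request through.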
Exploitation
An attacker can craft a malicious webpage or email that, when visited by an authenticated user of the router's web interface, submits a forged HTTP request to /net_qos_cls_edit.asp. The attacker does not need any special network position or authentication; they only need to trick a logged-in user into triggering the request. The CSRF attack can be performed without user interaction beyond the initial visit to the attacker-controlled resource [1].
Impact
Successful exploitation allows the attacker to add arbitrary network traffic control type rules on the device. This could lead to unauthorized modification of traffic management policies, potentially enabling traffic interception, denial of service, or bypass of security controls. The attacker gains the ability to manipulate network traffic control without any authentication or authorization, compromising the integrity and availability of network management [1].
Mitigation
As of the publication date (2022-11-23), no fixed firmware version or official patch has been released by OPTILINK to address this vulnerability. Users are advised to limit access to the router's web interface to trusted networks only, disable remote management, and ensure that users log out after each session. The device may also be at end-of-life status, but this is not confirmed in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OPTILINK/OP-XT71000N
- Range: = OP_V3.3.1-191028
Patches
No patches discovered yet.