CVE-2023-30306

Vulnerability

Overview

An issue in the Mercury x30g and YR1800XG routers allows an off-path attacker to hijack TCP sessions, potentially leading to a denial of service. The root cause is a combination of vulnerabilities: the NAT port preservation strategy leaks sequence number information through a side channel, and the router disables TCP window tracking, enabling an attacker to evict and replace NAT mappings [1].

Exploitation

Method

The attacker must be in the same Wi-Fi network as the victim client. By sending forged TCP packets, the attacker can evict the original NAT mapping and establish a new mapping. This allows interception of TCP packets from the remote server, revealing current sequence and acknowledgment numbers. With these numbers, the attacker can forcibly close the connection or poison plaintext traffic [1].

Impact

The attacker can terminate TCP connections, perform traffic injection, or reroute server packets to the attacker. In tests, terminating an SSH connection took about 17.5 seconds with an 87.4% success rate, and injecting fake HTTP responses took 54.5 seconds with a 76.1% success rate. The attack can disrupt services but requires specific network conditions [1].

Mitigation

The researchers disclosed the vulnerability to the vendor, and mitigation strategies include proper TCP window tracking and improved NAT mapping validation. Users should apply any firmware updates provided by Mercury to protect against this attack [1].