{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/495801#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nVersions 1.1.5 and earlier of the mu HTTP daemon (muhttpd) are vulnerable to path traversal via a crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information on the target device.\r\n\r\n### Description\r\n\r\nThe muhttpd, hosted at [SourceForge](https://sourceforge.net/projects/muhttpd/) as an open-source project, is a lightweight web server. This software is commonly used in customer premises equipment (CPE), such as home routers and small office routers, to provide device management capability through a web interface. The muhttpd supports the use of [CGI](https://en.wikipedia.org/wiki/Common_Gateway_Interface) scripts that enable remote management of CPE devices.\r\n\r\nA path traversal vulnerability in muhttpd (version 1.1.5 and earlier) could allow an unauthenticated attacker to read arbitrary content on the target device, including usernames and passwords, Wireless SSID configurations, ISP connection information, and private keys. If remote management is enabled on a device running a vulnerable version of muhttpd, this attack is possible from a remote network. Even in cases with restricted Local Area Network access, a vulnerable version of muhttpd can be accessed using other attack methods such as [DNS Rebinding](https://en.wikipedia.org/wiki/DNS_rebinding/).\r\n\r\n### Impact\r\n\r\nAn unauthenticated attacker can use a crafted HTTP request to download arbitrary files or gather sensitive information from a vulnerable target device. 
In cases where remote management is enabled on a vulnerable device, a remote unauthenticated attacker can perform these attacks.\r\n\r\n### Solution\r\n\r\n#### Apply Updates\r\nUpdate to the latest version of firmware/software provided by your vendor; see the [Vendor Information](#vendor-information) section for details. Downstream developers of embedded systems should update the muhttpd software (to version 1.1.7 or later) from the [SourceForge git repository](https://sourceforge.net/p/muhttpd/code/ci/main/tree/).\r\n\r\n#### Disable remote management\r\n\r\nDisabling remote management access, which thereby limits access strictly to the local area network, can minimize the exposure introduced by the vulnerable software. If remote management is required from specific IP network locations, use access control to limit it to those locations. Additional mitigations are described in the [security researcher's advisory](https://derekabdine.com/blog/2022-arris-advisory).\r\n\r\n### Acknowledgements\r\n\r\nThanks to Derek Abdine for reporting this vulnerability.\r\n\r\nThis document was written by Brad Runyon, Vijay Sarvepalli, and Eric Hatleback.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/495801"},{"url":"https://derekabdine.com/blog/2022-arris-advisory","summary":"https://derekabdine.com/blog/2022-arris-advisory"},{"url":"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks","summary":"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks"},{"url":"https://www.cisa.gov/uscert/ncas/tips/ST15-002","summary":"https://www.cisa.gov/uscert/ncas/tips/ST15-002"}],"title":"muhttpd versions 1.1.5 and earlier are vulnerable to path traversal","tracking":{"current_release_date":"2022-08-05T20:02:52+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#495801","initial_release_date":"2022-08-04 18:22:24.069865+00:00","revision_history":[{"date":"2022-08-05T20:02:52+00:00","number":"1.20220805200252.2","summary":"Released on 2022-08-05T20:02:52+00:00"}],"status":"final","version":"1.20220805200252.2"}},"vulnerabilities":[{"title":"The base firmware for this modem contains an MIT-licensed web server from an individual developer called \"muhttpd.","notes":[{"category":"summary","text":"The base firmware for this modem contains an MIT-licensed web server from an individual developer called \"muhttpd.\" This server has been unmaintained since 2010. 
The server has a path traversal vulnerability that allows any file on the modem to be read as root"}],"cve":"CVE-2022-31793","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#495801"}],"product_status":{"known_affected":["CSAFPID-bf550ebe-39d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-bf54caee-39d8-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"AT&T","product":{"name":"AT&T Products","product_id":"CSAFPID-bf54caee-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SaskTel","product":{"name":"SaskTel Products","product_id":"CSAFPID-bf550ebe-39d8-11f1-8422-122e2785dc9f"}}]}}