CVE-2017-20224 Overview
CVE-2017-20224 is a critical arbitrary file upload vulnerability affecting the Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0. The vulnerability stems from enabled WebDAV HTTP methods that allow unauthenticated remote attackers to upload malicious content to the device. Attackers can leverage PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content, potentially leading to remote code execution or denial of service.
Critical Impact
Unauthenticated attackers can exploit enabled WebDAV methods to upload malicious files, enabling remote code execution or denial of service on vulnerable Telesquare LTE routers.
Affected Products
- Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0
Discovery Timeline
- 2026-03-16 - CVE-2017-20224 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2017-20224
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The Telesquare SKT LTE Router SDT-CS3B1 exposes WebDAV functionality without proper authentication controls. WebDAV (Web Distributed Authoring and Versioning) extends HTTP with methods designed for collaborative file management, but when improperly secured, these methods become a significant attack vector.
The vulnerability allows attackers to interact with the router's file system without any authentication. This means a remote attacker with network access can upload executable scripts, web shells, or other malicious payloads directly to the device. The attack surface includes the ability to create directories (MKCOL), upload files (PUT), move or copy content (MOVE, COPY), delete files (DELETE), and modify properties (PROPPATCH).
Root Cause
The root cause of this vulnerability is the improper configuration of WebDAV HTTP methods on the router's web server. The device enables these powerful file manipulation methods by default without requiring authentication, violating the principle of least privilege. This configuration oversight exposes the device's file system to unauthorized access and manipulation by any attacker who can reach the device over the network.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable router using WebDAV methods. The exploitation process involves:
- Identifying a vulnerable router accessible over the network
- Using the PUT method to upload malicious files such as web shells or executable scripts
- Alternatively, using DELETE to remove critical configuration files
- Leveraging MKCOL to create directories for staging additional payloads
- Using MOVE or COPY to reposition uploaded malicious content to web-accessible directories
Once malicious content is uploaded, the attacker can execute it to gain control of the device, intercept network traffic, pivot to other network segments, or cause denial of service by deleting critical system files.
For detailed technical information about this vulnerability, refer to the ZeroScience Advisory ZSL-2017-5446 and the CXSecurity Issue WLB-2017120301.
Detection Methods for CVE-2017-20224
Indicators of Compromise
- Unexpected HTTP PUT, DELETE, MKCOL, MOVE, COPY, or PROPPATCH requests in web server logs targeting the router
- Presence of unfamiliar files or directories on the router's file system, particularly executable scripts or web shells
- Unauthorized modifications to router configuration files
- Unusual outbound network connections originating from the router
Detection Strategies
- Monitor HTTP traffic for WebDAV-specific methods (PUT, DELETE, MKCOL, MOVE, COPY, PROPPATCH) targeting router interfaces
- Implement network intrusion detection rules to alert on WebDAV requests to known vulnerable devices
- Conduct periodic file integrity monitoring on critical router directories to detect unauthorized changes
- Review web server access logs for patterns indicating file upload attempts
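The log review described above can be automated. The following is an added example, not part of the original advisory or any vendor tooling; it assumes the perimeter proxy or web server in front of the router writes Common/Combined Log Format, and the sample lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# WebDAV methods named in this advisory
WEBDAV_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# Common/Combined Log Format: src - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic
SAMPLE_LOG = """\
192.168.1.10 - - [16/Mar/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [16/Mar/2026:10:02:13 +0000] "OPTIONS / HTTP/1.1" 200 0
203.0.113.7 - - [16/Mar/2026:10:02:15 +0000] "MKCOL /tmpdir/ HTTP/1.1" 201 0
203.0.113.7 - - [16/Mar/2026:10:02:16 +0000] "PUT /tmpdir/a.txt HTTP/1.1" 201 0
198.51.100.4 - - [16/Mar/2026:10:05:40 +0000] "DELETE /config.cfg HTTP/1.1" 403 0
malformed line without a request
"""

def find_webdav_events(log_text, allowed_sources=frozenset()):
    """Return WebDAV requests; a 2xx status means the server accepted the change."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in WEBDAV_METHODS or m["src"] in allowed_sources:
            continue  # unparsable line, ordinary method, or trusted admin host
        status = int(m["status"])
        events.append({"src": m["src"], "time": m["ts"], "method": m["method"],
                       "path": m["path"], "status": status,
                       "severity": "high" if 200 <= status < 300 else "medium"})
    return events

def summarize_by_source(events):
    """Group events per source so one alert covers a burst of requests."""
    summary = defaultdict(lambda: {"methods": set(), "accepted": 0, "other": 0})
    for e in events:
        s = summary[e["src"]]
        s["methods"].add(e["method"])
        s["accepted" if e["severity"] == "high" else "other"] += 1
    return dict(summary)

if __name__ == "__main__":
    for src, s in summarize_by_source(find_webdav_events(SAMPLE_LOG)).items():
        print(src, sorted(s["methods"]), "accepted:", s["accepted"], "other:", s["other"])
```

Accepted (2xx) WebDAV requests warrant immediate file integrity checks on the device, while rejected ones still indicate probing worth correlating by source.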
Monitoring Recommendations
- Enable detailed logging on network perimeter devices to capture all HTTP method requests
- Configure SIEM alerts for WebDAV method usage targeting IoT and network infrastructure devices
- Establish baseline behavior for router management interfaces and alert on deviations
- Implement network segmentation to isolate vulnerable devices and monitor traffic crossing segment boundaries
How to Mitigate CVE-2017-20224
Immediate Actions Required
- Disable WebDAV functionality on all affected Telesquare SKT LTE Router SDT-CS3B1 devices if not required
- Restrict network access to the router's management interface using firewall rules
- Implement network segmentation to isolate vulnerable routers from untrusted networks
- Consider replacing end-of-life or unsupported devices with modern alternatives that receive security updates
Patch Information
No official vendor patch information is available in the CVE data. Organizations should contact Telesquare directly for firmware updates or consider device replacement if no patch is available. Additional context may be found in the VulnCheck Advisory for Telesquare Router.
Workarounds
- Disable WebDAV HTTP methods (PUT, DELETE, MKCOL, MOVE, COPY, PROPPATCH) on the router's web server configuration
- Place vulnerable devices behind a firewall that blocks unauthorized WebDAV requests
- Implement access control lists (ACLs) to restrict management interface access to trusted IP addresses only
- Use a VPN to access router management interfaces, ensuring they are not directly exposed to the internet
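# Example firewall rules to block external access to the router management interface
# Adjust interface and IP ranges according to your network configuration
# The negation "!" must precede the -s option in current iptables syntax
# INPUT applies when the rules run on the device itself; use the FORWARD chain
# when they run on a separate firewall in front of the router
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP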


