Privilege Escalation Vulnerability in Peplink Smart Reader v1.2.0
CVE-2023-40146

6.8 MEDIUM

Key Information:

Vendor: Peplink
CVE Published: 17 April 2024

What is CVE-2023-40146?

A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited shell escape, which in turn allows execution of default busybox functionality that has not been blocked. An attacker can authenticate with hard-coded credentials to trigger the vulnerability and escalate their privileges on the system. Organizations using this version of the product are advised to implement security measures immediately.

Affected Version(s)

Smart Reader v1.2.0 (in QEMU)

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Matt Wiseman of Cisco Talos.