CVE-2023-23546: TALOS-2023-1705 || Cisco Talos Intelligence Group
SUMMARY

A misconfiguration vulnerability exists in the urvpn_client functionality of Milesight UR32L v32.3.0.5. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

PRODUCT URLS

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

CVSSv3 SCORE

4.2 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-295 - Improper Certificate Validation

DETAILS

The Milesight UR32L is an industrial radio router. Its features include support for multiple VPNs, a router console shell, a firewall and many others.

The router offers a service called Milesight VPN, which connects the router to the Milesight VPN server software. The client binary for this service is urvpn_client. It uses OpenSSL to encrypt its communication with the VPN server:

void init_SSL_context(void)
{
  SSL_METHOD *methods;
  ulong e;
  char *pcVar1;

  SSL_init();
  /* SSL_CTX is a global variable here; the decompiler named it after its type */
  if (SSL_CTX == (SSL_CTX *)0x0) {
    methods = SSLv23_client_method();
    SSL_CTX = SSL_CTX_new(methods);
    if (SSL_CTX == (SSL_CTX *)0x0) {
      e = ERR_get_error();
      pcVar1 = ERR_reason_error_string(e);
      log_message("crypto.c",0x65,"crypto_connection_create_TLS_context",3,
                  "SSL context initialization failed: %s",pcVar1);
    }
    /* No SSL_CTX_set_verify or SSL_CTX_load_verify_locations call follows:
       the context keeps OpenSSL's default verify mode, SSL_VERIFY_NONE */
  }
  return;
}

Nothing in init_SSL_context calls SSL_CTX_set_verify, and no other option that would verify the peer certificate is set. Furthermore, there appears to be no way to upload a certificate against which the server could be validated. The client therefore does not verify the certificate presented by the server, so the device is vulnerable to a man-in-the-middle attack.
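To make the gap concrete, the following added example (not code from the advisory, Talos or Milesight) reproduces the weak client configuration beside a hardened one and audits both. It uses Python's ssl module, which is a thin wrapper over the same OpenSSL SSL_CTX API the C binary calls: verify_mode CERT_NONE corresponds to OpenSSL's default SSL_VERIFY_NONE, check_hostname to SSL_set1_host, and load_verify_locations to SSL_CTX_load_verify_locations. The function names are mine, and the hardened context is built with the standard-library defaults rather than any vendor code.

```python
"""Added example: the missing certificate verification from the advisory,
shown as a weak and a hardened TLS client context plus an audit helper.
Python's ssl module stands in for the OpenSSL C API used by urvpn_client."""
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """Mirror of init_SSL_context: a context with OpenSSL's default settings,
    i.e. no verify mode, no CA store and no hostname check. The handshake
    completes with any certificate the server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT turns verification on by default in Python, so it
    # is switched off explicitly to match the C binary (order matters: the
    # hostname check must be disabled before verify_mode can be CERT_NONE).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # SSLv23_client_method() negotiates any protocol version; mirror that too.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What the client should do: require a certificate (SSL_VERIFY_PEER),
    chain it to a trusted CA, check the hostname, and refuse legacy TLS.
    'cafile' is an assumed path to the VPN server's CA bundle; None falls
    back to the system trust store via load_default_certs()."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_gaps(ctx: ssl.SSLContext) -> List[str]:
    """Audit a client context and return the CWE-295 style findings."""
    gaps = []
    if ctx.verify_mode == ssl.CERT_NONE:
        gaps.append("peer certificate not verified (SSL_VERIFY_NONE)")
    if not ctx.check_hostname:
        gaps.append("server hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        gaps.append("legacy TLS versions negotiable")
    return gaps


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {verification_gaps(ctx) or 'no findings'}")
```

The OpenSSL C equivalents of the hardened path are SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) together with SSL_CTX_load_verify_locations or SSL_CTX_set_default_verify_paths, SSL_set1_host on each connection so the certificate is bound to the expected server name, and SSL_CTX_set_min_proto_version. SSL_VERIFY_PEER on its own only validates the chain; without the hostname binding a certificate issued to any name by a trusted CA would still be accepted.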

VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90-day window specified in our policy, we have now decided to release the information regarding this vulnerability to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

TIMELINE

2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.
