Headline
CVE-2022-28127: TALOS-2022-1571 || Cisco Talos Intelligence Group
Summary
A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.
Tested Versions
Robustel R1510 3.3.0
Product URLs
R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/
CVSSv3 Score
8.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
CWE
CWE-20 - Improper Input Validation
Details
The R1510 is an industrial cellular router. It offers several advanced software features, such as an innovative use of Open VPN, cloud management, data over-use guard, smart reboot and others.
The R1510 has a web server that manages several APIs. One of these APIs is /ajax/remove/. This function allows removing files and checks the provided input for possible path traversal.
Here is the function that handles the /ajax/remove/ API:
undefined4 /ajax/remove/(Webs *webs)
{
    [...]
    [...]
    file_name = (char *)websGetVar(webs,"file_name",0);                            [1]
    if ((file_name != (char *)0x0) &&
        (shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) {  [2]
        shell_command = (char *)sfmt("rm %s -rf",file_name);                       [3]
        iVar1 = system(shell_command);
        [...]
}
At [1] the variable file_name is fetched and then used, at [3], to create the string rm <file_name> -rf. The function checks, at [2], whether the provided file_name contains "..". This check, allegedly, is used to prevent path traversal. But because file_name can be an absolute path, an attacker able to control file_name would be able to delete arbitrary files and directories.
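The gap described above, as an added example that is not Robustel's firmware or Talos's code: the ".." substring test from [2] is reproduced beside a hardened check that canonicalizes the requested path and accepts it only if it stays below a base directory. The names resolve_inside and safe_remove, the base directory and the sample path are hypothetical, and the assumption is that the API is only meant to delete single files under one directory.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The check at [2]: only names containing ".." are rejected. */
static int original_check_accepts(const char *file_name)
{
    return file_name != NULL && strstr(file_name, "..") == NULL;
}

/* Resolve base/file_name and accept it only if the canonical result lies
 * strictly below the canonical base. `out` must hold PATH_MAX bytes. */
static int resolve_inside(const char *base, const char *file_name, char *out)
{
    char real_base[PATH_MAX], joined[PATH_MAX];
    if (file_name == NULL || file_name[0] == '\0' || file_name[0] == '/')
        return 0;                               /* absolute paths refused */
    if (realpath(base, real_base) == NULL)
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", real_base, file_name)
            >= (int)sizeof joined)
        return 0;                               /* truncated: refuse */
    if (realpath(joined, out) == NULL)          /* resolves "..", symlinks */
        return 0;
    size_t n = strlen(real_base);
    return strncmp(out, real_base, n) == 0 && out[n] == '/';
}

/* Remove one file with unlink(2); no shell command string is built. */
static int safe_remove(const char *base, const char *file_name)
{
    char resolved[PATH_MAX];
    if (!resolve_inside(base, file_name, resolved))
        return -1;
    return unlink(resolved);
}

int main(void)
{
    /* Constructed input: an absolute path outside any upload directory. */
    const char *name = "/constructed/outside.cfg";
    printf("original check accepts: %d\n", original_check_accepts(name));
    printf("safe_remove result: %d\n", safe_remove("/tmp", name));
    return 0;
}
```

Because unlink(2) does not remove directories, the hardened path also drops the recursive behaviour of rm -rf.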
Timeline
2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.