Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-34845: TALOS-2022-1580 || Cisco Talos Intelligence Group

A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

CVE
#vulnerability#cisco#intel#auth

SUMMARY

A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Robustel R1510 3.1.16
Robustel R1510 3.3.0

PRODUCT URLS

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

CVSSv3 SCORE

6.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

CWE

CWE-345 - Insufficient Verification of Data Authenticity

DETAILS

The R1510 is an industrial cellular router. It offers several advanced software features like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 offers to the admin user the possibility of upgrading the firmware. The API /action/import_firmware is used to upload the firmware file. Then the /ajax/system_upgrade_start/ API can be called. This function, eventually, will call the sysupgrade binary that will perform the actual firmware upgrade.

Here is the relevant portion of the /ajax/system_upgrade_start/ API:

[...]
{
    command[0] = "sysupgrade";
    command[1] = "-q";
    command[2] = FILENAME;
    command[3] = 0;
    void var_18;
    _eval(command, 0, 0, &pid);
}
[...]

The /ajax/system_upgrade_start/ API is a wrapper for executing sysupgrade -q <FILENAME>. The FILENAME variable is set in the /action/import_firmware and has as value the pathname to the firmware file. The sysupgrade will perform the firmware upgrade, but with the current settings the binary does not check for any signature verification. This can lead to arbitrary firmware update.

TIMELINE

2022-07-13 - Vendor Disclosure
2022-10-14 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.  The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10:  TALOS-2022-1578 (CVE-2022-34850)  TALOS-2022-1577 (CVE-2022-33150)  TALOS-2022-1576 (CVE-2022-32765)  TALOS-2022-1573 (CVE-2022-33325 ...

Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service

Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907