Headline
CVE-2022-34845: TALOS-2022-1580 || Cisco Talos Intelligence Group
A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
SUMMARY
A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Robustel R1510 3.1.16
Robustel R1510 3.3.0
PRODUCT URLS
R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/
CVSSv3 SCORE
6.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CWE
CWE-345 - Insufficient Verification of Data Authenticity
DETAILS
The R1510 is an industrial cellular router. It offers several advanced software features like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.
The R1510 offers to the admin user the possibility of upgrading the firmware. The API /action/import_firmware is used to upload the firmware file. Then the /ajax/system_upgrade_start/ API can be called. This function, eventually, will call the sysupgrade binary that will perform the actual firmware upgrade.
Here is the relevant portion of the /ajax/system_upgrade_start/ API:
[...]
{
command[0] = "sysupgrade";
command[1] = "-q";
command[2] = FILENAME;
command[3] = 0;
void var_18;
_eval(command, 0, 0, &pid);
}
[...]
The /ajax/system_upgrade_start/ API is a wrapper for executing sysupgrade -q <FILENAME>. The FILENAME variable is set in the /action/import_firmware and has as value the pathname to the firmware file. The sysupgrade will perform the firmware upgrade, but with the current settings the binary does not check for any signature verification. This can lead to arbitrary firmware update.
TIMELINE
2022-07-13 - Vendor Disclosure
2022-10-14 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850) TALOS-2022-1577 (CVE-2022-33150) TALOS-2022-1576 (CVE-2022-32765) TALOS-2022-1573 (CVE-2022-33325 ...
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.