Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion

Matt Wiseman discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.

There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device.

Twelve of these vulnerabilities could allow a malicious user to manipulate the Web Manager in a way — for example, overflowing a fixed-size buffer — that would allow them to execute arbitrary code. These vulnerabilities all require the attacker to authenticate to the Web Manager first:

• TALOS-2021-1312 (CVE-2021-21872)
• TALOS-2021-1314 (CVE-2021-21873 - CVE-2021-21875)
• TALOS-2021-1315 (CVE-2021-21876 and CVE-2021-21877)
• TALOS-2021-1325 (CVE-2021-21881)
• TALOS-2021-1326 (CVE-2021-21882)
• TALOS-2021-1327 (CVE-2021-21883)
• TALOS-2021-1328 (CVE-2021-21884)
• TALOS-2021-1331 (CVE-2021-21887)
• TALOS-2021-1332 (CVE-2021-21888)
• TALOS-2021-1333 (CVE-2021-21889)
• TALOS-2021-1335 (CVE-2021-21892)

There are also four directory traversal vulnerabilities that could lead to local file inclusion or overwrite:

• TALOS-2021-1323 (CVE-2021-21879)
• TALOS-2021-1324 (CVE-2021-21880)
• TALOS-2021-1329 (CVE-2021-21885)
• TALOS-2021-1337 (CVE-2021-21894 and CVE-2021-21895)

There is another directory traversal vulnerability in the Web Manager’s FsBrowseCleanr function (TALOS-2021-1338/CVE-2021-21896), though in this case, an attacker could delete files on the targeted device. And a sixth directory traversal vulnerability (TALOS-2021-1330/CVE-2021-21886) could lead to the adversary viewing certain file and directory names after sending the targeted device a specially crafted HTTP request.

Lastly, we also discovered TALOS-2021-1322 (CVE-2021-21878), a local file inclusion vulnerability. An attacker could exploit this vulnerability to bypass certain restrictions and disclose contents of previously inaccessible files through the creation of an intermediate symlink.

Cisco Talos worked with Lantronix to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lantronix PremierWave 2050, version 8.9.0.0R4. Talos tested and confirmed these versions of PremierWave 2050 could be exploited by this vulnerability.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 57753 - 57759, 57764 - 57769, 57777 - 57779, 57783, 57784, 57796, 57800, 57801, 57805, 57806, 57792 - 57795. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.