Four serious security issues on the popular appliance could be exploited by hackers with any level of access within the host network, Bitdefender researchers say.

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according to Bitdefender.

By exploiting a remote code execution (RCE) vulnerability in the staging instance of the platform, attackers could successfully obtain full root access and gain complete control of the assets housed inside, Bitdefender researchers wrote in the report. The RCE vulnerability (CVE-2022-1399) has a base score of 9.1 out of 10 and is rated "critical," explains Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"By exploiting these issues, an attacker could impersonate other users, obtain admin level access in the application (by leaking session with a LFI) or obtain full access to the appliance files and database (through remote code execution)," the report noted.

RCE vulnerabilities allow attackers to manipulate the platform to execute unauthorized code as root — the most powerful level of access on a device. Such code can compromise the application as well as the virtual environment the app is running on.

To get to the remote code execution vulnerability, an attacker that has no permissions on the platform (such as a regular employee outside of the IT and service desk teams) needs to first bypass authentication and gain access to the platform.

**Chaining Flaws in Attacks**

This can be made possible through another vulnerability described in the paper, CVE-2022-1401, that lets anyone on the network read the contents of several sensitive files in the Device42 appliance.

The file holding session keys are encrypted, but another vulnerability present in the appliance (CVE-2022-1400) helps an attacker retrieve the decryption key that is hardcoded in the app.

"The daisy-chain process would look like this: an unprivileged, unauthenticated attacker on the network would first use CVE-2022-1401 to fetch the encrypted session of an already authenticated user," Botezatu says.

This encrypted session will be decrypted with the key hardcoded in the appliance, thanks to CVE-2022-1400. At this point, the attacker becomes an authenticated user.

"Once logged in, they can use CVE-2022-1399 to fully compromise the machine and gain complete control of the files and database contents, execute malware and so on," Botezatu says. "This is how, by daisy-chaining the described vulnerabilities, a regular employee can take full control of the appliance and the secrets stored inside it."

He adds these vulnerabilities can be discovered by running a thorough security audit for applications that are about to be deployed across an organization.

"Unfortunately, this requires require significant talent and expertise to be available in house or on contract," he says. "Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices, and then to responsible disclose our findings to the affected vendors so they can work on fixes."

These vulnerabilities have been addressed. Bitdefender received version 18.01.00 ahead of public release and was able to validate that the four reported vulnerabilities — CVE-2022-1399, CVE-2022-1400, CVE 2022-1401, and CVE-2022-1410 — are no longer present. Organizations should immediately deploy the fixes, he says.

Earlier this month, a critical RCE bug was discovered in DrayTek routers, which exposed SMBs to zero-click attacks — if exploited, it could give hackers complete control of the device, along with access to the broader network.

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

**What version of Go are you using (go version)?**

$ go version
go version go1.17.6 darwin/amd64

**Does this issue reproduce with the latest release?**

Yes

**What operating system and processor architecture are you using (go env)?**go env Output  

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin\_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO\_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO\_CFLAGS="-g -O2"
CGO\_CPPFLAGS=""
CGO\_CXXFLAGS="-g -O2"
CGO\_FFLAGS="-g -O2"
CGO\_LDFLAGS="-g -O2"
PKG\_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86\_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx\_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE\_X86\_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1
**What did you do?**

Run https://go.dev/play/p/-iOX1cXown9 ie Float0.GobDecode([]byte{0x1, 0x0, 0x0, 0x0})

**What did you expect to see?**

The program finishing and printing somme Hello, without having allocated too much space

**What did you see instead?**

    panic: runtime error: index out of range [3] with length 2
    
    goroutine 1 [running]:
    encoding/binary.bigEndian.Uint32(...)
    	/usr/local/go-faketime/src/encoding/binary/binary.go:112
    math/big.(*Float).GobDecode(0x60?, {0xc000070f34?, 0xc00006a000?, 0x0?})
    	/usr/local/go-faketime/src/math/big/floatmarsh.go:83 +0x23d
    main.main()
    	/tmp/sandbox1173043807/prog.go:12 +0x56
    
    Program exited.
    

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz  
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49120

CVE-2022-32189: math/big: index out of range in Float.GobDecode · Issue #53871 · golang/go

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi_mesh.shtml.

**WAVLINK Router AC1200 page /wizard\_router\_mesh.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver, which leads to command injection in page /wizard\_router\_mesh.shtml.

   

**Poc:**

Login is needed.

Visit /wizard\_router\_mesh.shtml.

When setting ""Router Mode" it redirects to /cgi-bin/adm.cgi with POST parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /ledonoff.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameter led_switch, which leads to command injection in page /ledonoff.shtml.

**Poc:**

Login is needed.

Visit /ledonoff.shtml.

When switching LED, it redirects to /cgi-bin/adm.cgi with POST parameter led_switch. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wan.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: ppp_username, ppp_passwd, rwan_gateway, rwan_mask and rwan_ip, which leads to command injection in page /wan.shtml.

 

**Poc:**

Login is needed.

Visit /wan.shtml.

When setting "WAN" it redirects to /cgi-bin/adm.cgi with POST parameters: ppp_username, ppp_passwd, rwan_gateway, rwan_mask and rwan_ip. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wizard\_rep.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: wlan_signal, web_pskValue, sel_EncrypTyp, sel_Automode, wlan_bssid, wlan_ssid and wlan_channel, which leads to command injection in page /wizard\_rep.shtml.

  

**Poc:**

Login is needed.

Visit /wizard\_rep.shtml.

When setting "Repeater Mode" it redirects to /cgi-bin/adm.cgi with POST parameters: wlan_signal, web_pskValue, sel_EncrypTyp, sel_Automode, wlan_bssid, wlan_ssid and wlan_channel. Use "xxx;command" for command injection.

 

**WAVLINK Router AC1200 page /ledonoff.shtml hidden parameter "ufconf" Command Injection in api.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml.

**Poc:**

Login is needed.

Visit /ledonoff.shtml.

When switching LED, it redirects to /cgi-bin/adm.cgi. Change url as /cgi-bin/api.cgi and add ufconf in POST body as a parameter. Use "xxx;command" for command injection.

**Command Injection occurs when deleting blacklist in WAVLINK Router AC1200 page /cli\_black\_list.shtml in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameter add_mac, which leads to command injection in page /cli\_black\_list.shtml.

**Poc:**

Login is needed.

Visit /cli\_black\_list.shtml.

When adding WIFI blacklist, it redirects to /cgi-bin/firewall.cgi with POST parameter add_mac. Use "xxx;command" for command injection.

**Command Injection occurs when adding blacklist in WAVLINK Router AC1200 page /cli\_black\_list.shtml in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameter del_mac and parameter flag, which leads to command injection in page /cli\_black\_list.shtml.

**Poc:**

Login is needed.

Visit /cli\_black\_list.shtml.

When deleting WIFI blacklist, it redirects to /cgi-bin/firewall.cgi with POST parameters: del_mac and flag. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /man\_security.shtml Command Injection in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled, which leads to command injection in page /man\_security.shtml.

**Poc:**

Login is needed.

Visit /man\_security.shtml.

When setting system firewall, it redirects to /cgi-bin/firewall.cgi with POST parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /login.shtml Command Injection in login.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 login.cgi has no filtering on parameter key, which leads to command injection in page /login.shtml.

 

**Poc:**

Visit /login.shtml.

When clicking login, it redirects to /cgi-bin/login.cgi with POST parameter key. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /nas\_disk.shtml Command Injection in nas.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no filtering on parameters: User1Passwd and User1, which leads to command injection in page /nas\_disk.shtml.

**Poc:**

Login is needed.

Visit /nas\_disk.shtml.

When clicking the button, it redirects to /cgi-bin/nas.cgi with POST parameters: User1Passwd and User1. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /qos.shtml hidden parameters Command Injection in qos.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: cli_list and cli_num, which leads to command injection in page /qos.shtml.

**Poc:**

Login is needed.

Visit /qos.shtml.

 

When clicking the button, it redirects to /cgi-bin/qos.cgi. Modify POST packet and add parameters: cli_list and cli_num. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /qos.shtml Command Injection in qos.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: qos_bandwith and qos_dat, which leads to command injection in page /qos.shtml.

**Poc:**

Login is needed.

Visit /qos.shtml.

 

When clicking the button, it redirects to /cgi-bin/qos.cgi with POST parameters: qos_bandwith and qos_dat. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wifi\_multi\_ssid.shtml Command Injection in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter hiddenSSID32g and SSID2G2, which leads to command injection in page /wifi\_multi\_ssid.shtml.

  

**Poc:**

Login is needed.

Visit /wifi\_multi\_ssid.shtml

When setting WIFI SSID to extend, it redirects to /cgi-bin/wireless.cgi with POST parameter hiddenSSID32g and SSID2G2. Use "xxx;command" for command injection.

 

**WAVLINK Router AC1200 page /wifi\_mesh.shtml hidden parameter Command Injection in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: mac_5g and Newname, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml

When clicking the button, it redirects to /cgi-bin/wireless.cgi. Modify the POST packet and add parameter mac_5g and Newname. Use "xxx;command" for command injection.

**Command Injection occurs when adding extender in WAVLINK Router AC1200 page /wifi\_mesh.shtml in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter macAddr, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml

When adding the extender, it redirects to /cgi-bin/wireless.cgi with POST parameter macAddr. Use "xxx;command" for command injection.

**Command Injection occurs when clicking the button in WAVLINK Router AC1200 page /wifi\_mesh.shtml in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml  When clicking the button, it redirects to /cgi-bin/wireless.cgi with POST parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac. Use "xxx;command" for command injection.

CVE-2022-35538: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: mac_5g and Newname, which leads to command injection in page /wifi_mesh.shtml.

CVE-2022-35537: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no filtering on parameters: User1Passwd and User1, which leads to command injection in page /nas_disk.shtml.

CVE-2022-35518: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled, which leads to command injection in page /man_security.shtml.

CVE-2022-35521: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml.

CVE-2022-35520: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver, which leads to command injection in page /wizard_router_mesh.shtml.

CVE-2022-35517: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter hiddenSSID32g and SSID2G2, which leads to command injection in page /wifi_multi_ssid.shtml.

CVE-2022-35534: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter macAddr, which leads to command injection in page /wifi_mesh.shtml.

Tag

#mac