
Security Advisory: Multiple Vulnerabilities in NetModule Routers

Introduction

This is the third security advisory we have released following the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform. The first two were: Asus M25 NAS Vulnerability and Unauthenticated Configuration Export in Multiple WAGO Products.

NetModule is an Original Equipment Manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

These vulnerabilities were automatically identified by our platform during a firmware scan of one of these industrial routers.

All our findings were validated using an emulated device and reported to NetModule, whose PSIRT team confirmed our findings. 

Affected vendor & product
  • NetModule NB1601
  • NetModule NB1800
  • NetModule NB1810
  • NetModule NB2800
  • NetModule NB2810
  • NetModule NB3701
  • NetModule NB3800
  • NetModule NB800
  • NetModule NG800

Some of these models are also branded as “HOTSPLOTS” and “Hahlbrock Marine Technologie”. 

Vendor Advisory
  • https://share.netmodule.com/public/system-software/4.7/4.7.0.103/NRSW-RN-4.7.0.103.pdf
Vulnerable version
  • < 4.3.0.119
  • < 4.4.0.118
  • < 4.6.0.105
  • < 4.7.0.103
Fixed version
  • 4.3.0.119
  • 4.4.0.118
  • 4.6.0.105
  • 4.7.0.103
CVE IDs
  • CVE-2023-0861
  • CVE-2023-0862
Impact (CVSS)
  • 7.2 (high) – AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Credit
  • Q. Kaiser, ONEKEY Research Lab
  • Research supported by Certainity

 

Authenticated Command Injection

Summary

The NetModule web administration interface executes an OS command constructed with unsanitized user input.

Impact

A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.

Description

The NetModule Router Software web admin interface is written in PHP and has a page allowing for GNSS receiver configuration at /home/www-data/admin/gnssAutoAlign.php.

On line 36, the script calls exec with an unsanitized $device_id variable obtained from the POST request on line 6:

<?php
require_once('config/config.php');
if (isset($c))
    $device_id = $c;
else
    $device_id = $_REQUEST['device_id'];

$status = "disabled";
define("STATUS_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align");
define("ANGLES_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align-angles");
define("PID_FILENAME", "/run/gnss". $device_id ."/dr-auto-align.pid");

if (file_exists(STATUS_FILENAME)) {
    $statusfile = fopen(STATUS_FILENAME, "r");
    $status = fread($statusfile, filesize(STATUS_FILENAME));
    fclose($statusfile);
}

$yaw = "n/a";
$pitch = "n/a";
$roll = "n/a";
if (file_exists(ANGLES_FILENAME)) {
    $anglesfile = fopen(ANGLES_FILENAME, "r");
    $angles = fread($anglesfile, filesize(ANGLES_FILENAME));
    fclose($anglesfile);

    $angles = explode("\n", $angles);
    $yaw = explode("yaw: ", $angles[0])[1];
    $pitch = explode("pitch: ", $angles[1])[1];
    $roll = explode("roll: ", $angles[2])[1];

}

if (isset($_POST['toggleAlignment'])) {
    if ($status == "disabled") {
        exec("/usr/local/sbin/www-scripts/various/doAutoAlignment " . $device_id . " > /dev/null &");
        $status = "starting";
    }
    else {
        exec("kill $(cat ". PID_FILENAME . ")");
        $status = "stopping";
    }
}
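
A hardened form of the $device_id handling, as an added example that is not NetModule's fix or code from the original advisory. It assumes device_id is a small non-negative integer (the advisory does not state its format); the helper names parse_device_id and build_align_command are hypothetical. Validating once, before the define() calls, also covers the file paths and the second exec, which embed the same value through PID_FILENAME.

```php
<?php
// Added example, not NetModule's code. Assumption: device_id is a small
// non-negative integer (the advisory does not state its format).

/** Return the validated device id as int, or null unless it is 1-3 ASCII digits. */
function parse_device_id($raw): ?int
{
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,3}\z/', $raw) !== 1) {
        return null;
    }
    return (int)$raw;
}

/** Build the command line from the script path shown above and a validated id. */
function build_align_command(int $deviceId): string
{
    // escapeshellarg() is defence in depth; the int type already excludes
    // shell metacharacters.
    return '/usr/local/sbin/www-scripts/various/doAutoAlignment '
        . escapeshellarg((string)$deviceId) . ' > /dev/null &';
}

// Constructed sample inputs, as they might arrive in $_REQUEST['device_id'].
foreach (['0', '12', '', '0 extra', '1;', '../1', ['0']] as $raw) {
    $id = parse_device_id($raw);
    if ($id === null) {
        // Reject before the value reaches define() or exec().
        echo "rejected: " . json_encode($raw) . "\n";
        continue;
    }
    echo "accepted: " . build_align_command($id) . "\n";
}
```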

Authenticated Path Traversal

Summary

The NetModule web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion.

Impact

By uploading a malicious PHP file within the web administration root directory, an authenticated user could gain unconstrained remote command execution.

Description

The NetModule Router Software web admin interface is written in PHP and has a page to handle what they call “SDK jobs” at /home/www-data/admin/include/sdkJobs.php. This script calls move_uploaded_file on line 320 with unsanitized user input:

if (!move_uploaded_file($_FILES["scriptUpload"]["tmp_name"], $uploadpath))

The unsanitized user input is constructed this way:

$name = trim($_POST['scriptName']);
$uploadpath = UPLOAD_DIR . "/" . $name;
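
One way to confine the destination path to the upload directory, as an added example that is not NetModule's fix or code from the original advisory. The function name safe_upload_path and the file-name policy are assumptions, and a temporary directory stands in for UPLOAD_DIR, whose value is not given in the advisory.

```php
<?php
// Added example, not NetModule's code. UPLOAD_DIR's real value is not in the
// advisory; a temporary directory stands in for it here.

/** Return a destination inside $uploadDir, or null if $name is not a plain file name. */
function safe_upload_path(string $uploadDir, string $name): ?string
{
    $name = trim($name);
    // Allow-list (assumed policy): letters, digits, dot, dash, underscore;
    // first character alphanumeric; at most 64 characters. This excludes
    // path separators, "." and "..", and hidden files.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // If the name already exists (possibly as a symlink), it must still
    // resolve to a location inside $base.
    if (file_exists($target) || is_link($target)) {
        $real = realpath($target);
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
    }
    return $target;
}

// Constructed sample names, as they might arrive in $_POST['scriptName'].
$dir = sys_get_temp_dir();
foreach (['job1.txt', 'backup_2023.cfg', '../index.php', 'sub/dir.txt', '.htaccess', ''] as $name) {
    $path = safe_upload_path($dir, $name);
    echo json_encode($name) . ' => ' . ($path ?? 'rejected') . "\n";
}
```

The returned path would replace $uploadpath in the move_uploaded_file call, with a null result treated as a failed upload.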

Key Takeaways

Obviously, updates need to be installed to resolve the reported vulnerabilities. Although prior authentication is required to exploit these vulnerabilities, they serve as an example of a mission-critical device being shipped with high-risk vulnerabilities. Ideally, such issues would be discovered during the vendor’s quality assurance processes, but operators of critical infrastructure in particular must practice due diligence. In this writeup, we demonstrate that this does not always need to be a manual test and that the better part of such an assessment can be automated.

Timeline

2022-09-20 – Sent coordinated disclosure request to support@netmodule.com

2022-09-20 – Answer from NetModule Support, establishment of secure communication channel and report sent out.

2022-10-17 – First feedback from NetModule dev team. 

2022-11-15 – Coordination between NetModule and ONEKEY on firmware release planning. 

2022-11-28 – NetModule releases fixed firmware for supported branches. ONEKEY and NetModule agree on an embargo on publication to allow NetModule clients to apply patches.

2023-02-24 – ONEKEY releases its advisory

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

 
