Security Advisory: Multiple Vulnerabilities in NetModule Routers

Introduction
This is the third security advisory we have released in connection with the introduction of a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first two here: Asus M25 NAS Vulnerability and Unauthenticated Configuration Export in Multiple WAGO Products.
NetModule is an Original Equipment Manufacturer of industrial-grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to write and delete arbitrary files on the system.
Both vulnerabilities were identified automatically by our platform while scanning the firmware of one of these industrial routers.
All our findings were validated on an emulated device and reported to NetModule, whose PSIRT team confirmed them.
Field | Value
--- | ---
Affected vendor & product | NetModule routers running NetModule Router Software (some of these models are also branded as "HOTSPLOTS" and "Hahlbrock Marine Technologie")
Vendor advisory | https://share.netmodule.com/public/system-software/4.7/4.7.0.103/NRSW-RN-4.7.0.103.pdf
Vulnerable version |
Fixed version |
CVE IDs |
Impact (CVSS) | 7.2 (high) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Credit | Q. Kaiser, ONEKEY Research Lab; research supported by Certainity
Authenticated Command Injection
Summary
The NetModule web administration interface executes an OS command constructed with unsanitized user input.
Impact
A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.
Description
The NetModule Router Software web admin interface is written in PHP and has a page for GNSS receiver configuration at /home/www-data/admin/gnssAutoAlign.php. On line 36, the script passes an unsanitized $device_id variable to exec(). The variable is taken from the request on line 6 via $_REQUEST, so it can be supplied as a GET or POST parameter (or a cookie), not only in the POST body. The same value is also concatenated into the STATUS_FILENAME, ANGLES_FILENAME and PID_FILENAME paths and into the second exec() call ("kill $(cat ...)"), so both branches of the toggle operate on attacker-controlled input:

```php
<?php
require_once('config/config.php');

// $device_id is taken straight from the request without validation
if (isset($c))
    $device_id = $c;
else
    $device_id = $_REQUEST['device_id'];

$status = "disabled";

// the unvalidated value is embedded in three file paths ...
define("STATUS_FILENAME", "/tmp/status/gnss" . $device_id . "/dr-auto-align");
define("ANGLES_FILENAME", "/tmp/status/gnss" . $device_id . "/dr-auto-align-angles");
define("PID_FILENAME", "/run/gnss" . $device_id . "/dr-auto-align.pid");

if (file_exists(STATUS_FILENAME)) {
    $statusfile = fopen(STATUS_FILENAME, "r");
    $status = fread($statusfile, filesize(STATUS_FILENAME));
    fclose($statusfile);
}

$yaw = "n/a";
$pitch = "n/a";
$roll = "n/a";
if (file_exists(ANGLES_FILENAME)) {
    $anglesfile = fopen(ANGLES_FILENAME, "r");
    $angles = fread($anglesfile, filesize(ANGLES_FILENAME));
    fclose($anglesfile);
    $angles = explode("\n", $angles);
    $yaw = explode("yaw: ", $angles[0])[1];
    $pitch = explode("pitch: ", $angles[1])[1];
    $roll = explode("roll: ", $angles[2])[1];
}

if (isset($_POST['toggleAlignment'])) {
    if ($status == "disabled") {
        // ... and, on line 36, directly into a shell command line
        exec("/usr/local/sbin/www-scripts/various/doAutoAlignment " . $device_id . " > /dev/null &");
        $status = "starting";
    } else {
        // second shell invocation: PID_FILENAME also embeds $device_id
        exec("kill $(cat " . PID_FILENAME . ")");
        $status = "stopping";
    }
}
```
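For comparison, here is a hardened rewrite of the toggle handler. It is an added example and not NetModule's fixed code (the 4.7.0.103 fix was not inspected for this writeup). It assumes that GNSS device ids are small non-negative decimal integers, that the posix extension is loaded so that posix_kill() is available, and that the helper script lives at the path quoted in the advisory; the constant and function names are ours.

```php
<?php
// Added example, not NetModule's code. Assumptions (labelled): GNSS device
// ids are small non-negative decimal integers; the posix extension is loaded
// so posix_kill() exists; the helper script path is the one in the advisory.

const DO_AUTO_ALIGNMENT = '/usr/local/sbin/www-scripts/various/doAutoAlignment';

/**
 * Allowlist the device id before it reaches a shell or a file path.
 * Returns the canonical id, or null if the input is unacceptable.
 * An allowlist is preferred over escapeshellarg() alone: escaping stops
 * shell metacharacters, but "../" would still survive into the
 * STATUS_FILENAME / PID_FILENAME paths built from the same value.
 */
function gnss_device_id(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[0-9]{1,3}$/', $raw)) {
        return null;
    }
    return (string) (int) $raw;   // "007" becomes "7"
}

/** Build the start command; escapeshellarg() is kept as a second layer. */
function start_command(string $deviceId): string
{
    return DO_AUTO_ALIGNMENT . ' ' . escapeshellarg($deviceId) . ' > /dev/null 2>&1 &';
}

/**
 * Stop the alignment process without involving a shell at all: read the pid
 * file in PHP and signal the process directly instead of "kill $(cat ...)".
 */
function stop_alignment(string $deviceId): bool
{
    $pidFile = "/run/gnss{$deviceId}/dr-auto-align.pid";
    if (!is_file($pidFile)) {
        return false;
    }
    $pid = (int) trim((string) file_get_contents($pidFile));
    if ($pid <= 1) {              // refuse 0 (own process group) and 1 (init)
        return false;
    }
    return posix_kill($pid, 15);  // 15 = SIGTERM
}

$deviceId = gnss_device_id($_REQUEST['device_id'] ?? null);
if ($deviceId === null) {
    http_response_code(400);
    exit('invalid device id');
}

$statusFile = "/tmp/status/gnss{$deviceId}/dr-auto-align";
$status = is_file($statusFile) ? trim((string) file_get_contents($statusFile)) : 'disabled';

if (isset($_POST['toggleAlignment'])) {
    if ($status === 'disabled') {
        exec(start_command($deviceId));
        $status = 'starting';
    } else {
        $status = stop_alignment($deviceId) ? 'stopping' : 'error';
    }
}
```

The point of the rewrite is that the value is validated once, at the trust boundary, before it is used in either a command line or a path, and that the second command is removed entirely rather than escaped: the original "kill $(cat ...)" pattern invokes a shell to do something PHP can do itself.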
Authenticated Path Traversal
Summary
The NetModule web administration interface is vulnerable to path traversal, which could lead to arbitrary file upload and deletion.
Impact
By uploading a malicious PHP file into the web administration root directory, an authenticated user could gain unconstrained remote command execution.
Description
The NetModule Router Software web admin interface is written in PHP and has a page to handle what NetModule calls "SDK jobs" at /home/www-data/admin/include/sdkJobs.php. On line 320, this script calls move_uploaded_file() with a destination path built from unsanitized user input:

```php
if (!move_uploaded_file($_FILES["scriptUpload"]["tmp_name"], $uploadpath))
```

The destination path is constructed as follows; trim() only strips whitespace, so a scriptName containing "../" sequences or absolute path components is concatenated onto UPLOAD_DIR as-is:

```php
$name = trim($_POST['scriptName']);
$uploadpath = UPLOAD_DIR . "/" . $name;
```
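Below is an added example of how the destination path can be constrained so that the name cannot leave UPLOAD_DIR; it is not NetModule's patch. The value of UPLOAD_DIR, the character set allowed in a script name, and the function names are assumptions for the example.

```php
<?php
// Added example, not NetModule's code. UPLOAD_DIR's value is assumed; the
// real script defines its own. The name rule is likewise an assumption.

const UPLOAD_DIR = '/var/lib/sdk-jobs';

/**
 * Return a safe destination path under UPLOAD_DIR for a user-supplied script
 * name, or null if the name is unacceptable. Two independent checks:
 *  1. an allowlist on the file name (no path separators, no leading dot), so
 *     "../" and absolute paths never get in;
 *  2. a containment check on the canonicalised directory, redundant with (1)
 *     today but preserving the guarantee if the name rule is ever relaxed.
 */
function sdk_script_path(string $rawName): ?string
{
    $name = trim($rawName);
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/', $name)) {
        return null;
    }

    $dir = realpath(UPLOAD_DIR);        // resolves symlinks, strips trailing "/"
    if ($dir === false || !is_dir($dir)) {
        return null;
    }

    $dest = $dir . DIRECTORY_SEPARATOR . basename($name);
    if (dirname($dest) !== $dir) {      // must sit directly inside UPLOAD_DIR
        return null;
    }
    return $dest;
}

/** Store an uploaded SDK script; returns the stored path or null. */
function sdk_store_upload(array $file, string $rawName): ?string
{
    $dest = sdk_script_path($rawName);
    if ($dest === null || !isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

/** Delete a stored SDK script; the same path rule gates unlink(). */
function sdk_delete_script(string $rawName): bool
{
    $path = sdk_script_path($rawName);
    return $path !== null && is_file($path) && unlink($path);
}

if (isset($_FILES['scriptUpload'], $_POST['scriptName'])) {
    $stored = sdk_store_upload($_FILES['scriptUpload'], (string) $_POST['scriptName']);
    if ($stored === null) {
        http_response_code(400);
        exit('invalid script name or upload failed');
    }
}
```

Routing the delete operation through the same helper matters because the advisory describes both upload and deletion: a name check applied only on upload leaves unlink() reachable with a traversal string. Keeping the upload directory outside the web root is the complementary measure, so that even a successfully written file is never served or executed by PHP.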
Key Takeaways
Obviously, updates need to be installed to resolve the reported vulnerabilities. Although prior authentication is required to exploit them, these issues serve as an example of a mission-critical device being shipped with high-risk vulnerabilities. Ideally, such issues would be discovered during the vendor's quality assurance processes, but operators of critical infrastructure in particular must practice due diligence. In this writeup, we demonstrate that this does not always need to be a manual test, and that the better part of such an assessment can be automated.
Timeline
2022-09-20 – Sent coordinated disclosure request to support@netmodule.com
2022-09-20 – Answer from NetModule Support, establishment of secure communication channel and report sent out.
2022-10-17 – First feedback from NetModule dev team.
2022-11-15 – Coordination between NetModule and ONEKEY on firmware release planning.
2022-11-28 – NetModule releases fixed firmware for supported branches. ONEKEY and NetModule agree on an embargo on publication to allow NetModule clients to apply patches.
2023-02-24 – ONEKEY releases its advisory
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support and management capabilities to improve product security and compliance, from purchasing through design, development and production to the end of the product life cycle.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de