Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Introduction

With the recent release of our binary zero-day identification feature, we wanted to demonstrate what it looks like when applied in a variant analysis approach.

The research team spotted a Synacktiv blog post and immediately launched an analysis on Cisco WAP321 to see if we could find other vulnerabilities or simple variants of what was initially reported by them.

After a few minutes, the results were in. We identified 2 format string vulnerabilities, 160 stack buffer overflows, and 25 command injections. All of these paths are valid and unique, but they correspond to variations of the same vulnerability repeated over and over again.

For device manufacturers, having such capabilities will not only empower your PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this will reduce the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues.

Remote Command Execution

Affected vendor & product: Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version: ALL
Fixed version: N/A
CVE IDs: CVE-2024-20335
Impact (CVSS): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit: Q. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

One source of command injections is the use of unsanitized user input in tftp commands. Instead of calling a single shared TFTP handling function, the same code is duplicated in each and every feature that needs TFTP.

For example, the pcap_download_handler feature will get the update.device.packet-capture.tftp-file-name parameter from the request:

And feed it right to the following command:

Similar behavior is observed for 16 of our reported issues, corresponding to 8 paths multiplied by 2 vulnerable parameters (the TFTP server parameter, and the fetched filename parameter).

Other examples of command injections include the Access Point management feature where authenticated users can define MAC address filtering. By injecting a command into the grantedMac request parameter, they could gain remote command execution:

Another one involves the setup wizard where a malicious user could gain remote command execution by injecting a payload in the wiz-manual-time-string request parameter holding the date setting of the access point:
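The pattern behind all of these findings is the same: a request parameter is pasted into a command line that a shell later parses. The following C program is an added example written for this advisory and is not code from the Cisco firmware or from ONEKEY; the command template, the function names and the parameter names are assumptions chosen for illustration. It shows the vulnerable shape (parameter concatenated into a command string, never executed here) next to a hardened replacement that allowlists the TFTP server and file name parameters and passes them to execvp() as individual argv elements, so no shell ever interprets them.

```c
/* Added example, not the Cisco firmware's code. Build: cc -Wall tftp_param.c */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* BEFORE (the vulnerable shape): the request parameter lands in a command
 * line that would later be handed to system()/popen(). Any shell
 * metacharacter in it changes the command. Kept only for contrast; this
 * program never executes the resulting string. */
int build_tftp_cmd_unsafe(const char *server, const char *filename,
                          char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "tftp -g -r %s -l /tmp/capture.pcap %s",
                     filename, server);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Allowlist for the TFTP server parameter: hostname / IPv4 literal characters
 * only, and no leading '-' (which tftp would read as an option). */
int is_safe_tftp_server(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Allowlist for the remote file name: no path separators, no shell
 * metacharacters, no leading '-' or '.' (option injection, dot-files, "..") */
int is_safe_tftp_filename(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 128 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* AFTER: validate, then build an argv for execvp(). Each parameter is one
 * argv element, so it is never tokenised by a shell. Returns argc, or -1 if
 * a parameter fails validation. argv needs room for 8 pointers. */
int build_tftp_argv(const char *server, const char *filename,
                    char *argv[], size_t max)
{
    if (max < 8) return -1;
    if (!is_safe_tftp_server(server) || !is_safe_tftp_filename(filename)) return -1;
    int i = 0;
    argv[i++] = "tftp";
    argv[i++] = "-g";
    argv[i++] = "-r";
    argv[i++] = (char *)filename;
    argv[i++] = "-l";
    argv[i++] = "/tmp/capture.pcap";
    argv[i++] = (char *)server;
    argv[i] = NULL;
    return i;
}

/* Runs the validated argv without a shell. Returns the child's exit status,
 * or -1 on validation or process error. */
int run_tftp_fetch(const char *server, const char *filename)
{
    char *argv[8];
    if (build_tftp_argv(server, filename, argv, 8) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed request parameter carrying a shell metacharacter. */
    const char *bad = "capture.pcap;id";
    char cmd[256];
    build_tftp_cmd_unsafe("192.0.2.10", bad, cmd, sizeof cmd);
    printf("unsafe command line would be: %s\n", cmd);
    printf("hardened path accepts it? %s\n",
           is_safe_tftp_filename(bad) ? "yes" : "no");
    return 0;
}
```

The allowlists are deliberately narrow; a firmware that needs IPv6 literals or subdirectories on the TFTP server would widen them, but the property to keep is that the validated value reaches the program only as an argv element, never as part of a shell string. A single shared helper like build_tftp_argv() is also what removes the "same bug in eight places" problem the advisory describes.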

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce the likelihood of exploitation.

Format String

Affected vendor & product: Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor advisory: TBA
Vulnerable version: ALL
Fixed version: N/A
CVE IDs: TBD
Impact (CVSS): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit: Q. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain arbitrary code execution on the appliance with elevated privileges.

Description

This is one of the funniest bugs of this device. The download.cgi allows authenticated users to pull logs from the device. Logs are either system logs pulled with the /splashbin/get log-entry > /tmp/logs.txt command or rogue access points logs created by the RogueAP agent and saved to /tmp/rogueap_knownlist_export.txt.

To provide the logs, the CGI script opens the log file and reads it line by line. Each line it reads is sent back to the HTTP client by using printf. See where this is going?

So, if you can poison the system logs with a format operator (e.g. %p, %x), or emit beacon frames in the vicinity of that device with an SSID holding a format operator, you can obtain read-write primitives through format strings when the administrator pulls the logs from the appliance.
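To make the bug and its fix concrete, here is an added C example; it is not the download.cgi code and not code from ONEKEY, and the log format, function names and sample entries are constructed for illustration. It relays a log file line by line the safe way (the data is never the format argument) and adds a small ingestion check that counts conversion directives in a line, which is where an SSID or syslog entry such as the one the text describes would be flagged before an administrator ever pulls the logs.

```c
/* Added example, not the firmware's download.cgi. Build: cc -Wall logrelay.c */
#include <stdio.h>
#include <string.h>

/* The vulnerable shape is a one-liner with the line as the format argument:
 *     printf(line);      // attacker-controlled text becomes the format string
 * The fix is to never let data act as a format string at all. */
int emit_log_line(FILE *out, const char *line)
{
    return fputs(line, out) == EOF ? -1 : 0;   /* equivalent: printf("%s", line) */
}

/* Counts conversion directives in a buffer: every '%' that is not the
 * escape "%%". A log message or SSID carrying "%p%p%n" has no legitimate
 * reason to exist, so a non-zero count is a useful detection signal. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

/* Relays `in` to `out` line by line, safely. Returns the number of lines
 * relayed (or -1 on a write error) and stores in *flagged how many of them
 * contained format directives. Lines are relayed unchanged: because they
 * are written as data, a "%n" in them is just two harmless bytes. */
int relay_log(FILE *in, FILE *out, int *flagged)
{
    char line[1024];
    int lines = 0, bad = 0;
    while (fgets(line, sizeof line, in) != NULL) {
        if (count_format_directives(line) > 0) bad++;
        if (emit_log_line(out, line) < 0) return -1;
        lines++;
    }
    if (flagged) *flagged = bad;
    return lines;
}

int main(void)
{
    /* Constructed sample: two ordinary entries and one whose SSID carries
     * format directives, the shape a poisoned rogue-AP log entry would have. */
    const char *sample =
        "Jan 25 10:00:01 wap hostapd: STA 00:11:22:33:44:55 associated\n"
        "Jan 25 10:00:05 wap rogueap: new AP ssid=\"Guest\" ch=6\n"
        "Jan 25 10:00:09 wap rogueap: new AP ssid=\"%p%p%p%n\" ch=11\n";
    FILE *in = tmpfile();
    if (!in) return 1;
    fputs(sample, in);
    rewind(in);
    int flagged = 0;
    int n = relay_log(in, stdout, &flagged);
    fprintf(stderr, "relayed %d lines, %d flagged\n", n, flagged);
    fclose(in);
    return 0;
}
```

Compiling the real code with -Wformat-security (or -Werror=format-security) would have reported the original printf(line) call, which is the cheapest way to find this class of bug across a firmware build.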

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce the likelihood of exploitation.

Stack Buffer Overflow

Affected vendor & product: Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version: ALL
Fixed version: N/A
CVE IDs: CVE-2024-20336
Impact (CVSS): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit: Q. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to gain arbitrary code execution.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

All the stack buffer overflows that were detected are

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce the likelihood of exploitation.

Key Takeaways

Our recently introduced binary static analysis feature equips the Product Security Response Team with an invaluable tool for identifying vulnerability variants within product lines. Whether detecting bugs during internal reviews or responding to reports from security researchers, this automated solution reports on every combination of user-controlled source to dangerous function call path for known patterns.

With this innovative feature, users gain the confidence that every variant of a specific bug has been identified, all without necessitating access to the source code. Auditors and reversers will find this automated binary static analysis akin to having a diligent intern spot and validate "low hanging fruit" vulnerabilities, allowing them to direct their focus towards more complex issues.

Timeline

  • 2024-01-25 – Report submitted to Cisco PSIRT, a case is opened.
  • 2024-01-29 – Case is picked up by analysts, investigation starts.
  • 2024-01-31 – Analysts mention the device is end-of-life but they still plan on releasing an advisory on March 6th.
  • 2024-03-06 – Coordinated advisory release.
  • 2024-03-06 – Release Cisco advisory.
  • 2024-03-18 – Release ONEKEY advisory.
