Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

IoT 4周前 admin
34 0 0

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Introduction 介绍

With the recent release of our binary zero-day identification feature, we wanted to demonstrate what it would look like, when applied in a variant analysis approach.
随着我们最近发布的二进制零日识别功能,我们想演示它在变体分析方法中应用时会是什么样子。

The research team spotted a Synacktiv blog post and immediately launched an analysis on Cisco WAP321 to see if we could find other vulnerabilities or simple variants of what was initially reported by them.
研究团队发现了Synacktiv的一篇博客文章,并立即对Cisco WAP321进行了分析,看看我们是否能找到其他漏洞或他们最初报告的简单变体。

After a few minutes, the results were in. We identified 2 format string vulnerabilities, 160 stack buffer overflows, and 25 command injections. All of these paths are valid and unique but corresponds to a variation of the same vulnerability repeated over and over again.
几分钟后,结果出来了。我们发现了 2 个格式字符串漏洞、160 个堆栈缓冲区溢出和 25 个命令注入。所有这些路径都是有效且唯一的,但对应于同一漏洞的变体,一遍又一遍地重复。

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

For device manufacturers, having such capabilities will not only empower your PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this will reduce the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues.
对于设备制造商来说,拥有此类功能不仅可以使 PSIRT 团队能够快速评估错误报告,还可以增强他们识别所报告错误变体的能力,从而最大限度地提高漏洞修复的影响。因此,这将降低网络犯罪分子、国家支持的攻击者和机会主义安全研究人员利用报告和已解决问题的变体的风险。

Remote Command Execution
远程命令执行

Affected vendor & product
受影响的供应商和产品
Cisco Small Business 100, 300, and 500 Series Wireless APs
思科S系列100、300和500系列无线AP
Vendor Advisory 供应商咨询 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version 易受攻击的版本 ALL
Fixed version 固定版本 N/A
CVE IDs CVE ID CVE-2024-20335 CVE-2024-20335 漏洞
Impact (CVSS) 影响 (CVSS) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit 信用 Q. Kaiser, ONEKEY Research Lab
Q. Kaiser,ONEKEY研究实验室

Research supported by Certainity
Certainity支持的研究

Summary 总结

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.
Cisco Access Point WAP371 的固件版本 1.3.0.7 受到一个漏洞的影响,该漏洞允许特权和非特权用户在托管 Web 服务的系统上执行命令。

Impact 冲击

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.
通过成功利用此漏洞,经过身份验证的远程攻击者可以使用提升的权限在设备上远程执行命令。

Description 描述

One source of command injections is the use of unsanitized user input in tftp commands. Instead of reusing a unique TFTP handling function, this function is repeated for each and every feature needing TFTP.
命令注入的一个来源是在 tftp 命令中使用未经审查的用户输入。不是重用唯一的 TFTP 处理函数,而是对每个需要 TFTP 的功能重复此函数。

For example, the pcap_download_handler feature will get the update.device.packet-capture.tftp-file-name parameter from the request:
例如,pcap_download_handler 功能将从请求中获取 update.device.packet-capture.tftp-file-name 参数:

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

And feed it right to the following command:
并将其直接馈送到以下命令:

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Similar behavior is observed for 16 of our reported issues, corresponding to 8 paths multiplied by 2 vulnerable parameters (the TFTP server parameter, and the fetched filename parameter).
在我们报告的 16 个问题中观察到类似的行为,对应于 8 个路径乘以 2 个易受攻击的参数(TFTP 服务器参数和 fetched filename 参数)。

Other examples of command injections include the Access Point management feature where authenticated users can define MAC address filtering. By injecting a command into the grantedMac request parameter, they could gain remote command execution:
命令注入的其他示例包括接入点管理功能,经过身份验证的用户可以在其中定义 MAC 地址过滤。通过将命令注入到请求参数中 grantedMac ,他们可以获得远程命令执行:

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Another one involves the setup wizard where a malicious user could gain remote command execution by injecting a payload in the wiz-manual-time-string request parameter holding the date setting of the access point:
另一个涉及设置向导,恶意用户可以通过在保存接入点日期设置的 wiz-manual-time-string 请求参数中注入有效负载来获得远程命令执行:

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Recommendation 建议

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.
本产品为EOL,思科不会修补该漏洞。如果无法更换 EOL 设备,请确保对管理接口的访问仅限于管理网络区域,以减少被利用的可能性。

Format String 格式化字符串

Affected vendor & product
受影响的供应商和产品
Cisco Small Business 100, 300, and 500 Series Wireless APs
思科S系列100、300和500系列无线AP
Vendor Advisory 供应商咨询 TBA
Vulnerable version 易受攻击的版本 ALL
Fixed version 固定版本 N/A
CVE IDs CVE ID TBD
Impact (CVSS) 影响 (CVSS) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit 信用 Q. Kaiser, ONEKEY Research Lab
Q. Kaiser,ONEKEY研究实验室

Research supported by Certainity
Certainity支持的研究

Summary 总结

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.
Cisco Access Point WAP371 的固件版本 1.3.0.7 受到一个漏洞的影响,该漏洞允许特权和非特权用户在托管 Web 服务的系统上执行命令。

Impact 冲击

By successfully exploiting this vulnerability, remote authenticated attackers could gain arbitrary code execution on the appliance with elevated privileges.
通过成功利用此漏洞,经过身份验证的远程攻击者可以使用提升的权限在设备上执行任意代码。

Description 描述

This is one of the funniest bugs of this device. The download.cgi allows authenticated users to pull logs from the device. Logs are either system logs pulled with the /splashbin/get log-entry > /tmp/logs.txt command or rogue access points logs created by the RogueAP agent and saved to /tmp/rogueap_knownlist_export.txt.
这是该设备最有趣的错误之一。允许 download.cgi 经过身份验证的用户从设备中提取日志。日志是使用 /splashbin/get log-entry > /tmp/logs.txt 命令拉取的系统日志,也可以是 RogueAP 代理创建并保存到 /tmp/rogueap_knownlist_export.txt 的恶意访问点日志。

To provide the logs, the CGI script opens the log file and read it line by line. For each line it reads, it sends it back to the HTTP client by using printf. See where this is going ?
为了提供日志,CGI 脚本打开日志文件并逐行读取它。对于它读取的每一行,它使用 printf .看看这是怎么回事?

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

So, if you can poison the system logs with a format operator (e.g. %p%x), or emit beacon frames in the vicinity of that device with an SSID holding a format operator, you can obtain read-write primitives through format strings when the administrator pulls the logs from the appliance.
因此,如果您可以使用格式运算符(例如 %p , %x )毒害系统日志,或者使用包含格式运算符的 SSID 在该设备附近发出信标帧,则当管理员从设备中提取日志时,您可以通过格式字符串获取读写基元。

Recommendation 建议

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.
本产品为EOL,思科不会修补该漏洞。如果无法更换 EOL 设备,请确保对管理接口的访问仅限于管理网络区域,以减少被利用的可能性。

Stack Buffer Overflow 堆栈缓冲区溢出

Affected vendor & product
受影响的供应商和产品
Cisco Small Business 100, 300, and 500 Series Wireless APs
思科S系列100、300和500系列无线AP
Vendor Advisory 供应商咨询 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version 易受攻击的版本 ALL
Fixed version 固定版本 N/A
CVE IDs CVE ID CVE-2024-20336 CVE-2024-20336 漏洞
Impact (CVSS) 影响 (CVSS) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit 信用 Q. Kaiser, ONEKEY Research Lab
Q. Kaiser,ONEKEY研究实验室

Research supported by Certainity
Certainity支持的研究

Summary 总结

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to gain arbitrary code execution.
Cisco Access Point WAP371 的固件版本 1.3.0.7 受到允许特权和非特权用户执行任意代码的漏洞的影响。

Impact 冲击

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.
通过成功利用此漏洞,经过身份验证的远程攻击者可以使用提升的权限在设备上远程执行命令。

Description 描述

All the stack buffer overflows that were detected are
检测到的所有堆栈缓冲区溢出都是

Recommendation 建议

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.
本产品为EOL,思科不会修补该漏洞。如果无法更换 EOL 设备,请确保对管理接口的访问仅限于管理网络区域,以减少被利用的可能性。

Key Takeaways 关键要点

Our recently introduced binary static analysis feature equips the Product Security Response Team with an invaluable tool for identifying vulnerability variants within product lines. Whether detecting bugs during internal reviews or responding to reports from security researchers, this automated solution will report on every combination of user controlled source to dangerous function call path for known patterns.
我们最近推出的二进制静态分析功能为产品安全响应团队提供了一个宝贵的工具,用于识别产品线中的漏洞变体。无论是在内部审查期间检测错误,还是响应安全研究人员的报告,此自动化解决方案都将报告已知模式的用户控制源到危险函数调用路径的每个组合。

With this innovative feature, users gain the confidence that every variant of a specific bug has been identified, all without necessitating access to the source code. Auditors and reversers will find this automated binary static analysis akin to having a diligent intern spot and validate “low hanging fruit” vulnerabilities, allowing them to direct their focus towards more complex issues.
借助这一创新功能,用户可以确信已识别出特定错误的每个变体,而无需访问源代码。审计人员和反向人员会发现,这种自动化的二进制静态分析类似于让一个勤奋的实习生发现并验证“唾手可得的果实”漏洞,使他们能够将注意力集中在更复杂的问题上。

Timeline 时间线

  • 2024-01-25 –Report submitted to Cisco PSIRT, a case is opened.
    2024-01-25 –报告已提交给Cisco PSIRT,并已打开案例。
  • 2024-01-29 –Case is picked up by analysts, investigation starts.
    2024-01-29 – 案件被分析师发现,调查开始。
  • 2024-01-31 –Analysts mention the device is end-of-life but they still plan on releasing an advisory on March 6th.
    2024-01-31 – 分析师提到该设备已停产,但他们仍计划在 3 月 6 日发布公告。
  • 2024-03-06 –Coordinated advisory release.
    2024-03-06 – 协调公告发布。
  • 2024-03-06 –Release Cisco advisory.
    2024-03-06 – 发布思科公告。
  • 2024-03-18 –Release ONEKEY advisory.
    2024-03-18 – 发布 ONEKEY 公告。

About ONEKEY  关于ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
ONEKEY是欧洲领先的产品网络安全和合规管理专家,也是普华永道德国(PwC)投资组合的一部分。自动化产品网络安全与合规平台(PCCP)与专业知识和咨询服务的独特结合提供了快速和全面的分析、支持和管理,以改善产品网络安全和合规性,从产品采购、设计、开发、生产到报废。

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
基于 AI 的技术可在几分钟内以二进制代码自动识别设备固件中的关键漏洞和违规行为,无需源代码、设备或网络访问。通过集成软件物料清单 (SBOM) 生成主动审核软件供应链。“数字网络孪生”可在整个产品生命周期内实现 24/7 全天候自动化发布后网络安全监控。

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
正在申请专利的集成合规向导™已经涵盖了即将出台的欧盟网络弹性法案 (CRA) 以及根据 IEC 62443-4-2、ETSI EN 303 645、UNECE R 155 等的现有要求。

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
产品安全事件响应团队 (PSIRT) 通过集成的漏洞自动优先级排序得到有效支持,从而大大缩短了修复时间。

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
亚洲、欧洲和美洲的领先国际公司已经从ONEKEY产品网络安全与合规平台和ONEKEY网络安全专家中受益。

原文始发于onekey:Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

版权声明:admin 发表于 2024年3月18日 下午9:57。
转载请注明:Security Advisory: Remote Command Execution in Cisco Access Point WAP Products | CTF导航

相关文章