Claudio Bozzato of Cisco Talos discovered these vulnerabilities.
Executive summary
CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.
In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most typical scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to provide protection for networked environments, it is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.
Exploitation
In order to better convey the threat that these issues pose in real-world implementations, this section groups the vulnerabilities based on realistic attack scenarios in which the vulnerabilities would likely be exploited, and illustrates how chaining them together would raise the impact on the device.
CUJO is built on the OCTEON SDK, which yields a Linux-based operating system whose kernel carries PaX patches, something uncommon for internet-of-things (IoT) appliances. However, the majority of the vulnerabilities are not affected by this countermeasure.
Remote code execution, unauthenticated, with persistence
We identified two chains that could be used to execute code remotely without authentication.
- TALOS-2018-0683 describes a vulnerability in the Webroot BrightCloud SDK, a service used to retrieve websites' classification and reputation data. CUJO uses BrightCloud as part of their safe browsing protection. By exploiting this vulnerability, an unauthenticated attacker could impersonate BrightCloud's services and execute code on the device as the root user. As described in TALOS-2018-0686, the BrightCloud SDK defaults to using HTTP connections to communicate with the remote BrightCloud services, making the exploitation of TALOS-2018-0683 trivial if an attacker is able to intercept traffic between CUJO and BrightCloud.
- CUJO uses the Lunatik Lua engine in order to execute Lua scripts from within the kernel context. This is used to analyze the traffic of the entire network and is part of CUJO's safe browsing protection. TALOS-2018-0703 describes a script injection vulnerability that allows any unauthenticated user in the local network to execute Lua scripts in the kernel by specifying an arbitrary "Host" header in HTTP requests. Since Lunatik permits the use of the unsafe `load()` Lua function, this allows an attacker to execute arbitrary code in the kernel. Additionally, TALOS-2018-0702 describes an issue that can be used to trick CUJO into extracting and analyzing any arbitrary hostname. As shown at the end of the TALOS-2018-0703 advisory, a malicious website could chain both vulnerabilities together in order to force any client machine in CUJO's network to perform a POST request via JavaScript, triggering the Lua injection and effectively executing code in the kernel. Note that the vulnerabilities above can also be exploited from the local network. Moreover, they can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.
Local network code execution, unauthenticated
As previously stated, the two chains above can be exploited from the local network.
Additionally, we identified two code execution vulnerabilities (TALOS-2018-0653 and TALOS-2018-0672) that affect the parsing of mDNS messages. Note, however, that CUJO constrains the affected `mdnscap` process in a low-privileged chroot-ed environment. Therefore, an attacker would need to escalate their privileges in order to fully compromise the device.
Smartphone app code execution, with persistence
CUJO users can download an app on Android and iOS devices to configure their device. Since CUJO acts as a router and serves DHCP requests, it is possible to use the app to set up static DHCP entries. TALOS-2018-0627 shows how to leverage a vulnerability in the way DHCP hostnames are handled in order to execute arbitrary operating system commands as the root user.
Note that this can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.
Device-local verified boot bypass (persistence methods)
CUJO uses the "Verified Boot" feature of Das U-Boot, an open-source primary boot loader, which aims to protect the boot process from unauthorized modifications and, as a consequence, to prevent a persistent compromise of the device. Moreover, the first 16MB of CUJO's eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system's bootloaders. We identified two vulnerabilities that bypass these protections.
- We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images' signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since no product can use the affected U-Boot versions without being exposed to the issue, the CVE has been assigned to U-Boot itself.
As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that in isolation this is a less severe issue. See our discussion below for more details.
- TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system's integrity.
Safe browsing bypass
Finally, TALOS-2018-0702 shows how to bypass CUJO's safe browsing, potentially allowing malicious websites to serve malware even in the presence of CUJO's filtering.
Vulnerability details
CUJO Smart Firewall static DHCP hostname command injection vulnerability (TALOS-2018-0627/CVE-2018-3963)
The CUJO Smart Firewall is vulnerable to command injection within the DHCP daemon configuration present on affected devices. This vulnerability exists due to a lack of proper input sanitization during the DHCP configuration process. This vulnerability can be triggered when configuring a new static DHCP address on affected devices. An attacker could send a DHCP request message and set up a corresponding static DHCP entry to trigger this vulnerability. It should be noted that in order to modify the DHCP configuration on devices, an attacker would first need to authenticate to the system using valid user credentials. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands within the context of the root account on the system. For additional information, please see the advisory here.
Das U-Boot verified boot bypass (TALOS-2018-0633/CVE-2018-3968)
Das U-Boot allows an attacker to execute an unsigned kernel embedded in a legacy image format if they are able to supply a boot image to the device. This vulnerability exists due to the fact that the version of Das U-Boot used by the devices lacks proper FIT signature enforcement during the boot process. While Das U-Boot has silently fixed this issue, the version used by the CUJO Smart Firewall was not updated to the new version, and is thus vulnerable. However, we believe it is only a medium-severity issue in CUJO specifically, since exploitation requires either physical or local access to the device (e.g. via an additional root exploit). For additional information, please see the advisory here.
CUJO Smart Firewall dhcpd.conf verified boot bypass (TALOS-2018-0634/CVE-2018-3969)
The CUJO Smart Firewall is vulnerable to a bypass of the verified boot process. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary system commands during the system boot process. By embedding system commands into the `/config/dhcpd.conf` file, an attacker can force those commands to be executed each time the system is rebooted. Also, since this information is stored in the `/config` partition, it is persistent across reboots. In order to successfully exploit this vulnerability, an attacker would need the ability to write to the `/config/dhcpd.conf` file on affected systems. It is important to note that this is achievable using TALOS-2018-0627, which is described above. For additional information, please see the advisory here.
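The two DHCP-related issues above (TALOS-2018-0627 and TALOS-2018-0634) come down to the same pair of controls: values the app accepts for a static lease must be checked as data before they are written into `dhcpd.conf`, and a configuration file that persists across reboots should be audited for statements that make the daemon run programs. The Python below is added here as an example and is not CUJO's code; it assumes an ISC-dhcpd-style configuration (static leases as `host` blocks, `execute(...)` and `on commit|release|expiry` statements as the constructs that run a program), and the validation patterns and the sample configuration are constructed for the example.

```python
import re

# Syntax admitted for values that end up inside the configuration.  None of
# these patterns allows quotes, braces, semicolons, whitespace or newlines,
# so an accepted value cannot close the block it is written into.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Statements that make ISC dhcpd run a program (assumed dialect).
_RUNS_COMMANDS = re.compile(r"\b(execute\s*\(|on\s+(commit|release|expiry)\b)", re.I)


class RejectedInput(ValueError):
    pass


def check_hostname(name):
    """RFC 1123 host name: 1-63 char labels of [A-Za-z0-9-], total <= 253."""
    if not 0 < len(name) <= 253:
        raise RejectedInput("hostname length")
    if not all(_HOSTNAME_LABEL.match(label) for label in name.split(".")):
        raise RejectedInput("hostname syntax")
    return name


def check_ipv4(addr):
    m = _IPV4.match(addr)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise RejectedInput("ipv4 syntax")
    return addr


def build_static_host(hostname, mac, ipv4):
    """Render a dhcpd.conf `host` block for a static lease, or raise.

    Every value is validated before it is interpolated.  The hostname is the
    only one that reaches a quoted string, and the syntax check admits no
    character that could terminate that string or the enclosing block.
    """
    hostname = check_hostname(hostname)
    mac = mac.lower()
    if not _MAC.match(mac):
        raise RejectedInput("mac syntax")
    ipv4 = check_ipv4(ipv4)
    return (
        "host %s {\n"
        "  hardware ethernet %s;\n"
        "  fixed-address %s;\n"
        "  option host-name \"%s\";\n"
        "}\n" % (hostname.replace(".", "-"), mac, ipv4, hostname)
    )


def try_build(hostname, mac, ipv4):
    """Same as build_static_host but returns None instead of raising."""
    try:
        return build_static_host(hostname, mac, ipv4)
    except RejectedInput:
        return None


def audit_config(conf_text):
    """Return (line_no, line) for every statement that would run a program.

    Meant as a boot-time integrity check over a persistent config partition:
    a dhcpd.conf that only declares subnets and leases yields an empty list.
    """
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]            # ignore trailing comments
        if _RUNS_COMMANDS.search(code):
            hits.append((line_no, line.strip()))
    return hits


# Constructed sample: two ordinary declarations followed by a hook that would
# run a program (placeholder path) whenever a lease is committed.
SAMPLE_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
}
host printer {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.0.10;
}
on commit {
  execute("/tmp/example-hook", "lease");
}
"""

if __name__ == "__main__":
    print(build_static_host("printer.local", "00:11:22:33:44:55", "192.168.0.10"))
    for line_no, line in audit_config(SAMPLE_CONF):
        print("dhcpd.conf line %d runs a program: %s" % (line_no, line))
```

The audit is deliberately a whitelist-by-absence: it does not try to decide whether a hook is legitimate, it reports that the persistent configuration contains anything at all that executes a program, which on a device whose `dhcpd.conf` is only ever generated from lease data should never be the case.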
CUJO Smart Firewall mdnscap mDNS record parsing code execution vulnerability (TALOS-2018-0653/CVE-2018-3985)
The CUJO Smart Firewall is vulnerable to an exploitable double free vulnerability present in the `mdnscap` binary on affected systems. This vulnerability exists due to the system freeing a memory space twice when an invalid query name is encountered while the device is parsing mDNS packets. This vulnerability could be leveraged by an unauthenticated attacker to obtain the ability to execute arbitrary code in the context of the mdnscap process. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.
CUJO Smart Firewall mdnscap mDNS label compression denial-of-service vulnerability (TALOS-2018-0671/CVE-2018-4002)
The CUJO Smart Firewall is vulnerable to an exploitable denial-of-service vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly processing label compression pointers while parsing mDNS packets. In certain conditions, the improper handling of compression pointers in mDNS packets can lead to uncontrolled recursion, which causes stack exhaustion and ultimately crashes the `mdnscap` process, causing a denial-of-service condition. An unauthenticated remote attacker could leverage a specially crafted mDNS packet to exploit this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.
CUJO Smart Firewall mdnscap mDNS character-strings code execution vulnerability (TALOS-2018-0672/CVE-2018-4003)
The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling string lengths that may exist in the character strings in mDNS resource records. A specially crafted mDNS resource record could be leveraged by an unauthenticated remote attacker to create a heap-based buffer overflow condition and ultimately lead to arbitrary code execution in the context of the `mdnscap` process on affected devices. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.
CUJO Smart Firewall mdnscap mDNS SRV Record denial-of-service vulnerability (TALOS-2018-0681/CVE-2018-4011)
The CUJO Smart Firewall is vulnerable to an exploitable integer underflow vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling the "RDLENGTH" value when parsing SRV records in mDNS packets. An unauthenticated remote attacker could leverage a specially crafted SRV record to trigger this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.
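The mdnscap issues above are, with the exception of the double free in TALOS-2018-0653, bounds questions in one small grammar: name labels and compression pointers, a record's RDLENGTH, and the length fields nested inside SRV and TXT RDATA. The parser below is added here as an example, written in Python rather than as mdnscap's code, to show those checks together: compression pointers are followed iteratively under a hop limit instead of by recursion (the failure mode of TALOS-2018-0671), an SRV record's RDLENGTH is compared with its 6-byte fixed part before anything is taken from it (TALOS-2018-0681), and every TXT character-string length is kept inside RDLENGTH (TALOS-2018-0672). The hop limit is an assumed value and the sample messages at the end are constructed.

```python
import struct

MAX_LABEL_LEN = 63          # RFC 1035 limit
MAX_POINTER_HOPS = 16       # assumed bound; legitimate names need far fewer
TYPE_TXT, TYPE_SRV = 16, 33


class ParseError(ValueError):
    pass


def read_name(buf, offset):
    """Return (name, offset_after_name).  Pointers are followed iteratively, must
    point backwards and are limited in number, so a self-referencing or cyclic
    pointer ends in ParseError, not unbounded recursion (cf. TALOS-2018-0671)."""
    labels, pos, resume, hops = [], offset, None, 0
    while True:
        if pos >= len(buf):
            raise ParseError("name runs past end of message")
        length = buf[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(buf):
                raise ParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                raise ParseError("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ParseError("too many compression pointers")
            if resume is None:
                resume = pos + 2                         # resume after the first pointer
            pos = target
            continue
        if length == 0:                                  # root label ends the name
            return ".".join(labels), (resume if resume is not None else pos + 1)
        if length > MAX_LABEL_LEN or pos + 1 + length > len(buf):
            raise ParseError("label too long or truncated")
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def parse_srv(buf, offset, rdlength):
    """SRV RDATA: priority, weight, port (uint16 each) then a target name.  RDLENGTH
    is compared with the 6-byte fixed part before use (cf. TALOS-2018-0681)."""
    if rdlength < 6:
        raise ParseError("SRV RDLENGTH smaller than fixed fields")
    priority, weight, port = struct.unpack("!HHH", buf[offset:offset + 6])
    target, end = read_name(buf, offset + 6)
    if end > offset + rdlength:
        raise ParseError("SRV target name exceeds RDLENGTH")
    return {"priority": priority, "weight": weight, "port": port, "target": target}


def parse_txt(buf, offset, rdlength):
    """TXT RDATA: <length octet><bytes>..., each kept inside RDLENGTH so an inner
    length cannot reach past the record (cf. TALOS-2018-0672)."""
    end, pos, strings = offset + rdlength, offset, []
    while pos < end:
        n = buf[pos]
        if pos + 1 + n > end:
            raise ParseError("character-string exceeds RDLENGTH")
        strings.append(buf[pos + 1:pos + 1 + n])
        pos += 1 + n
    return strings


def parse_rr(buf, offset):
    name, pos = read_name(buf, offset)
    if pos + 10 > len(buf):
        raise ParseError("truncated resource record header")
    rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", buf[pos:pos + 10])
    pos += 10
    if pos + rdlength > len(buf):                        # RDLENGTH vs. bytes present
        raise ParseError("RDLENGTH runs past end of message")
    if rtype == TYPE_SRV:
        rdata = parse_srv(buf, pos, rdlength)
    elif rtype == TYPE_TXT:
        rdata = parse_txt(buf, pos, rdlength)
    else:
        rdata = buf[pos:pos + rdlength]                  # opaque for other types
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, pos + rdlength


def parse_message(buf):
    """Parse the header, skip the questions and return every resource record."""
    if len(buf) < 12:
        raise ParseError("message shorter than header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    pos = 12
    for _ in range(qd):                                  # QNAME, then QTYPE + QCLASS
        pos = read_name(buf, pos)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        rr, pos = parse_rr(buf, pos)
        records.append(rr)
    return records


def check(buf):
    """'ok' when the message parses, otherwise the rejection reason."""
    try:
        parse_message(buf)
        return "ok"
    except ParseError as exc:
        return "rejected: " + str(exc)


# Constructed sample messages, one answer record each.
def _name(*labels): return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
def _rr(name, rtype, rdata): return name + struct.pack("!HHIH", rtype, 1, 120, len(rdata)) + rdata
HEADER = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)    # response flags, one answer
GOOD = HEADER + _rr(_name(b"_http", b"_tcp", b"local"), TYPE_SRV,
                    struct.pack("!HHH", 0, 0, 80) + _name(b"printer", b"local"))
LOOP = HEADER + b"\x01a\xc0\x0c" + b"\x00" * 10           # pointer at offset 14 back to 12: a cycle
SHORT_SRV = (HEADER + _name(b"x", b"local")               # SRV RDLENGTH 4 < 6-byte fixed part
             + struct.pack("!HHIH", TYPE_SRV, 1, 120, 4) + b"\x00" * 4)
BAD_TXT = HEADER + _rr(_name(b"x", b"local"), TYPE_TXT, b"\xc8abcd")   # inner length 200 > RDLENGTH 5
```

Every length read from the wire is compared against the bytes that actually remain before it is used as a slice bound or a subtraction operand; that ordering, rather than any particular limit value, is what separates this parser from the ones the advisories describe.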
Webroot BrightCloud SDK HTTP headers-parsing code execution vulnerability (TALOS-2018-0683/CVE-2018-4012)
The Webroot BrightCloud SDK is vulnerable to an exploitable buffer overflow in the HTTP header-parsing function. The function `bc_http_read_header` incorrectly handles overlong headers, leading to arbitrary code execution. An unauthenticated attacker could impersonate a remote BrightCloud server to trigger this vulnerability and gain arbitrary code execution on affected devices. The affected products are the Webroot BrightCloud SDK itself and the CUJO Smart Firewall, which embeds it. For additional information, please see the advisory here.
Webroot BrightCloud SDK HTTP connection unsafe defaults vulnerability (TALOS-2018-0686/CVE-2018-4015)
An exploitable vulnerability exists in the HTTP client function of the Webroot BrightCloud SDK, which is used by the CUJO Smart Firewall. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to exploit this vulnerability using a man-in-the-middle attack. Successful exploitation could result in exposure of sensitive credentials, the transparent alteration of BrightCloud queries, or exploitation of vulnerabilities in the underlying SDK. For additional information, please see the advisory here.
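Taken together, TALOS-2018-0683 and TALOS-2018-0686 describe what a reputation-lookup client has to get right on its own side: refuse plaintext transport and verify the peer's certificate chain and hostname, and read response headers under hard size limits so that a server it talks to cannot hand it a line longer than it can hold. The Python below is added here as an example and is not the BrightCloud SDK's code; the size limits are assumed values and the two sample responses are constructed.

```python
import io
import re
import ssl
from urllib.parse import urlsplit

MAX_HEADER_LINE = 8192      # assumed limits: per line, whole head, header count
MAX_HEADER_BLOCK = 65536
MAX_HEADER_COUNT = 100
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 header-name token


class PolicyError(Exception):
    pass


def make_tls_context():
    """TLS context that requires a trusted chain and a matching hostname, the
    opposite of the plaintext-by-default behaviour in TALOS-2018-0686."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_is_strict(ctx=None):
    ctx = ctx or make_tls_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def check_service_url(url):
    """Return (host, port) for an https:// URL; any other scheme is refused."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise PolicyError("reputation service must be reached over https")
    return parts.hostname, parts.port or 443


def url_allowed(url):
    try:
        check_service_url(url)
        return True
    except PolicyError:
        return False


def _read_line(stream, total):
    """One header line under a hard size cap: an unterminated or overlong line
    is rejected rather than copied anywhere (the defect class of TALOS-2018-0683)."""
    line = stream.readline(MAX_HEADER_LINE + 1)
    if not line:
        raise PolicyError("stream ended inside header block")
    if len(line) > MAX_HEADER_LINE or not line.endswith(b"\n"):
        raise PolicyError("header line exceeds %d bytes" % MAX_HEADER_LINE)
    total += len(line)
    if total > MAX_HEADER_BLOCK:
        raise PolicyError("header block exceeds %d bytes" % MAX_HEADER_BLOCK)
    return line.rstrip(b"\r\n"), total


def parse_response_head(stream):
    """Parse status line and headers from a byte stream (anything with
    readline(limit)); returns (status_code, {lower-case name: value})."""
    status, total = _read_line(stream, 0)
    parts = status.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        raise PolicyError("malformed status line")
    headers = {}
    while True:
        line, total = _read_line(stream, total)
        if line == b"":                          # empty line ends the head
            return int(parts[1]), headers
        if len(headers) >= MAX_HEADER_COUNT:
            raise PolicyError("too many header lines")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):
            raise PolicyError("malformed header line")
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")


def head_of(raw):
    return parse_response_head(io.BytesIO(raw))


def verdict(raw):
    """'ok <status>' or the reason the response head was rejected."""
    try:
        return "ok %d" % head_of(raw)[0]
    except PolicyError as exc:
        return "rejected: " + str(exc)


# Constructed responses: a normal one and one whose header line is overlong.
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
               b"Content-Length: 2\r\n\r\n{}")
OVERLONG = b"HTTP/1.1 200 OK\r\nX-Pad: " + b"A" * (2 * MAX_HEADER_LINE) + b"\r\n\r\n"
```

`readline(limit)` is the whole trick on the reading side: the stream is asked for at most one byte more than the line limit, so an overlong line shows up as a chunk without a terminating newline and is rejected before any of it is stored; the per-block and per-count limits bound the total memory a misbehaving server can make the client allocate.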
CUJO Smart Firewall safe browsing Host header parsing firewall bypass vulnerability (TALOS-2018-0702/CVE-2018-4030)
The CUJO Smart Firewall is vulnerable to an exploitable firewall evasion in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to the firewall improperly processing host information in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. An attacker could create specially crafted web traffic to evade this reputation checking and allow hosts to access external web servers that the firewall would not otherwise allow access to. For additional information, please see the advisory here.
CUJO Smart Firewall threatd hostname reputation check code execution vulnerability (TALOS-2018-0703 / CVE-2018-4031)
The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to a lack of sanitization of host information present in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. This vulnerability could be leveraged by an attacker to execute arbitrary code on affected devices. An attacker could create a specially crafted network packet or leverage a malicious web server to exploit this vulnerability. For additional information, please see the advisory here.
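TALOS-2018-0702 and TALOS-2018-0703 both start from the same value, the Host header an inspector extracts from a request, so the two controls that address them belong together: require exactly one Host header and accept the hostname only after a strict syntax check, and then keep it as an argument rather than splicing it into interpreter source. The Python below is added here as an example and is not CUJO's parser; the `run_chunk` engine hook, the chunk text and the sample request are assumptions made for the example, not Lunatik's API.

```python
import re

# RFC 1123 label: 1-63 chars of letters, digits and hyphens, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class BadHost(ValueError):
    pass


def is_valid_hostname(host):
    """Syntax check for a DNS hostname; anything else (quotes, spaces,
    semicolons, control characters) is rejected here, before any use."""
    return 0 < len(host) <= 253 and all(_LABEL.match(l) for l in host.split("."))


def extract_host(raw_request):
    """Return the validated, lower-cased hostname from an HTTP/1.x request head.

    Exactly one Host header is required: with zero or several, an inspector
    and the origin server may disagree about which name the request is for,
    and that disagreement is what an evasion lives on (cf. TALOS-2018-0702).
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    hosts = [line.split(b":", 1)[1].strip() for line in lines[1:]
             if line[:5].lower() == b"host:"]
    if len(hosts) != 1:
        raise BadHost("expected exactly one Host header, got %d" % len(hosts))
    try:
        host = hosts[0].decode("ascii")
    except UnicodeDecodeError:
        raise BadHost("non-ASCII Host header")
    host, _, port = host.partition(":")      # bracketed IPv6 literals are out of scope
    if port and not port.isdigit():
        raise BadHost("malformed port")
    host = host.lower().rstrip(".")
    if not is_valid_hostname(host):
        raise BadHost("hostname fails syntax check")
    return host


def host_or_none(raw_request):
    try:
        return extract_host(raw_request)
    except BadHost:
        return None


# Unsafe pattern, shown only to name it: the header value becomes interpreter
# source, so any character that ends the string literal changes the program
# (the defect class of TALOS-2018-0703).
def unsafe_script_source(host_header_value):
    return 'check_reputation("%s")' % host_header_value


# Safe pattern: the script text is fixed and the hostname travels as an
# argument.  run_chunk(chunk, *args) stands for a hypothetical engine hook that
# executes a fixed chunk with `...` bound to args; it is not Lunatik's API.
REPUTATION_CHUNK = "local host = ...; return check_reputation(host)"


def reputation_lookup(raw_request, run_chunk):
    host = extract_host(raw_request)         # validated data, never source text
    return run_chunk(REPUTATION_CHUNK, host)


def demo_engine(chunk, *args):
    """Stand-in for run_chunk: records what it would have been asked to run."""
    return {"chunk": chunk, "args": args}


# Constructed request used by the checks below.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: Example.COM:8080\r\nAccept: */*\r\n\r\n"
```

The syntax check and the argument-passing are independent defences: the first means a value containing a quote or a semicolon never reaches the engine at all, the second means that even a value which did could not alter the chunk, because the chunk is a constant and the engine receives the hostname through its argument list.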
Versions Tested
Talos tested and confirmed that the following CUJO Smart Firewall firmware versions are affected:
TALOS-2018-0627 affects CUJO Smart Firewall, version 7003.
TALOS-2018-0633 affects CUJO Smart Firewall, version 7003; OCTEON-SDK 3.1.2 to 5.1; and Das U-Boot 2013.07-rc1 to 2014.07-rc2.
Conclusion
As previously described, CUJO AI has provided a system update to resolve these issues. Since these devices are typically relied on to secure home network environments, they may be deployed in sensitive locations within the network. It is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 47234, 47663, 47809, 47811, 47842, 48261, 48262