Monday, November 15, 2021

Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion



Matt Wiseman discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module. 

There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device. 

Twelve of these vulnerabilities could allow a malicious user to manipulate the Web Manager in a way — for example, overflowing a fixed-size buffer — that would allow them to execute arbitrary code. These vulnerabilities all require the attacker to authenticate to the Web Manager first: 

There are also four directory traversal vulnerabilities that could lead to local file inclusion or overwrite: 

There is another directory traversal vulnerability in the Web Manager’s FsBrowseCleanr function (TALOS-2021-1338/CVE-2021-21896), though in this case, an attacker could delete files on the targeted device. And a sixth directory traversal vulnerability (TALOS-2021-1330/CVE-2021-21886) could lead to the adversary viewing certain file and directory names after sending the targeted device a specially crafted HTTP request. 

Lastly, we also discovered TALOS-2021-1322 (CVE-2021-21878), a local file inclusion vulnerability. An attacker could exploit this vulnerability to bypass certain restrictions and disclose contents of previously inaccessible files through the creation of an intermediate symlink. 
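The traversal and intermediate-symlink issues above share one root cause: a path is judged by its string instead of by where it resolves on disk. The following is an added example, not Lantronix's or Talos's code; the function names, the `web`/`secret` layout and the weak `..` filter are constructed stand-ins for illustration.

```c
#define _XOPEN_SOURCE 700            /* realpath, mkdtemp, symlink */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check (hypothetical): rejects only a literal ".." in the name. */
int naive_is_allowed(const char *rel) { return strstr(rel, "..") == NULL; }

/* Hardened check: realpath() resolves "..", "." and every symlink on the
 * way; the result must be base itself or lie below it. 1 = allowed. */
int resolved_is_allowed(const char *base, const char *rel) {
    char joined[PATH_MAX], rbase[PATH_MAX], rtarget[PATH_MAX];
    int len = snprintf(joined, sizeof joined, "%s/%s", base, rel);
    if (rel[0] == '/' || len < 0 || (size_t)len >= sizeof joined)
        return 0;                    /* absolute or over-long: reject */
    if (!realpath(base, rbase) || !realpath(joined, rtarget))
        return 0;                    /* missing or unresolvable: fail closed */
    size_t n = strlen(rbase);
    if (strncmp(rbase, rtarget, n) != 0) return 0;
    /* Match must end on a component boundary ("/srv/web" vs "/srv/web2"). */
    return rtarget[n] == '\0' || rtarget[n] == '/';
}

static int touch(const char *path) {
    FILE *f = fopen(path, "w");
    return f ? fclose(f) : -1;
}

/* Constructed sandbox in a fresh temp dir (becomes the working directory):
 * web/index.html, secret/key, symlink web/link -> ../secret. 0 on success. */
int make_sandbox(void) {
    char tmp[] = "/tmp/traversal-demo-XXXXXX";
    if (!mkdtemp(tmp) || chdir(tmp) != 0) return -1;
    if (mkdir("web", 0700) || mkdir("secret", 0700)) return -1;
    if (touch("web/index.html") || touch("secret/key")) return -1;
    return symlink("../secret", "web/link");
}

int main(void) {
    if (make_sandbox() != 0) return 1;
    const char *req[] = { "index.html", "../secret/key", "link/key" };
    for (int i = 0; i < 3; i++)
        printf("%-14s naive=%d resolved=%d\n", req[i],
               naive_is_allowed(req[i]), resolved_is_allowed("web", req[i]));
    return 0;
}
```

The check and the later open are still two separate steps, so a handler should open the resolved path it validated rather than the original request string.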

In adherence to Cisco’s vulnerability disclosure policy, Talos is disclosing these issues, although no formal fix is currently available. Talos tested and confirmed that Lantronix PremierWave 2050, version 8.9.0.0R4, could be exploited through these vulnerabilities.

The following SNORT® rules will detect exploitation attempts against these vulnerabilities: 57753 - 57759, 57764 - 57769, 57777 - 57779, 57783, 57784, 57796, 57800, 57801, 57805, 57806, 57792 - 57795. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
