Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to access the router’s console and make changes to the router’s settings, including security protocols.
The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall.
This is just the latest set of vulnerabilities Talos has discovered in the InRouter302. We previously outlined how an attacker could string together several other since-patched security issues to gain root access to the device.
Additionally, the router’s firmware contains leftover code in the debug feature. The InRouter302 offers telnet and SSHD services. When provided with the correct credentials, both will allow access to the router’s console. From the console, an attacker could manipulate several crucial security settings, including providing a specific command to manipulate the firmware signature verification flag and upload malicious firmware to the device.
These vulnerabilities are:
- TALOS-2022-1518 (CVE-2022-29481)
- TALOS-2022-1519 (CVE-2022-30543)
- TALOS-2022-1520 (CVE-2022-26023)
- TALOS-2022-1521 (CVE-2022-28689)
TALOS-2022-1522 (CVE-2022-29888) could be exploited if an attacker sends the device a specially crafted HTTP request. If exploited correctly, the adversary could gain the ability to delete arbitrary files on the device, potentially disrupting its operations or settings.
Cisco Talos worked with InHand Networks to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
Users are encouraged to update these affected products as soon as possible: InHand Networks InRouter302, version 3.5.45. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.
The following Snort rules will detect exploitation attempts against this vulnerability: 59152, 59153, 59882 – 59884 and 59886. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.