Researchers from Necrum Security have discovered two vulnerabilities in two different wireless LAN products from Contec. The vulnerabilities are found in the FLEXLAN FX2000 and FX3000 series of devices, which are primarily used to create Wi-Fi networks in aircraft.
The Japanese company also markets the affected wireless LAN devices for offices, factories and other environments that need high-speed connectivity and/or integration with embedded devices. Flight control systems are unlikely to be affected by the two defects in the FLEXLAN FX2000 and FX3000 series.
However, there is a threat to other passengers or anyone connected to a WiFi network created on vulnerable Contec devices. “There is a potential for data spoofing and system destruction with malware if this vulnerability is exploited by malicious attackers,” Contec noted in its advisory, acknowledging the vulnerabilities.
In other words, an attacker could spread malware to users’ devices through a wireless network established on any of the fifteen models in the FLEXLAN FX3000 series and the eight models in the FLEXLAN FX2000 series.
The vulnerabilities, CVE-2022-36158 and CVE-2022-36159, affect firmware version 1.38.00 and lower on the FLEXLAN FX2000 and version 1.15.00 and lower on the FX3000. Researchers Thomas Knudsen and Sami Younsi of Necrum Security described the two vulnerabilities, and how they found them, in a blog post.
Knudsen and Younsi discovered CVE-2022-36158 while reverse engineering the firmware of two FLEXLAN devices, which led them to a hidden web page not listed in the Wireless LAN Manager interface.
That page allowed the researchers, and could allow anyone exploiting CVE-2022-36158, to execute Linux commands with root privileges. From there, reading system files is trivial, as is opening the telnet port for full access to the device.
The second flaw, CVE-2022-36159, stems from the weak implementation of the root account’s cryptographic keys on the devices. The researchers added that the root account appears to be intended as a backdoor for maintenance purposes. Although the root account’s default password is stored as a hash, Knudsen and Younsi were able to crack it in a few minutes.
“During our investigation, we also found that the /etc/shadow file contains the hashes of two users (root and user), which only took us a few minutes to recover with a brute-force attack,” the duo wrote. Changing the password might seem like a simple solution. However, the researchers explained:
“The problem is that only the owner of the device is able to change the password for the user account from the web management interface, because the root account is reserved for Contec, possibly for maintenance purposes. This means that an attacker with the encrypted root password can access all FX2000 series and FX3000 series devices.”
Worse, since every device ships with the same root account password, a threat actor who cracks it could in theory compromise every other device. The only saving grace is that attackers must be close enough to connect to the wireless network, which does not take much.
Knudsen and Younsi advised removing the hidden web page from production firmware to mitigate CVE-2022-36158.
For CVE-2022-36159, they recommended that Contec assign a unique, randomly generated password to each device. However, this will not really eliminate the threat completely.
Contec has issued a fix for the two vulnerabilities. While Knudsen and Younsi’s recommendation to remove the hidden page can be achieved through a software update, the second vulnerability (CVE-2022-36159) is unlikely to be eliminated by a software patch, since the root password is set during manufacture.
It is not clear exactly what Contec did to mitigate the two flaws. However, FX3000 series users need to update the firmware to version 1.16.00 or higher, and FX2000 series users should update to version 1.39.00 or higher.
Contec said that users/administrators who cannot update immediately can change the default password for the Wireless LAN Manager interface and set up a firewall as temporary measures.
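As an added example (not code from the article, Necrum Security or Contec), here is a small Python triage helper that checks a device inventory against the fixed firmware versions stated above; the series labels, hostnames and inventory lines are constructed sample data.

```python
# Added example, not code from the article or from Contec: a fleet triage helper
# that compares reported firmware versions against the fixed versions quoted above.
# Series labels and the inventory lines are constructed sample data.
from typing import Dict, List, Optional, Tuple

# Highest affected version per series (article: FX2000 <= 1.38.00, FX3000 <= 1.15.00)
# and the first fixed version Contec points users to.
LAST_VULNERABLE: Dict[str, Tuple[int, ...]] = {"FX2000": (1, 38, 0), "FX3000": (1, 15, 0)}
FIXED_IN: Dict[str, str] = {"FX2000": "1.39.00", "FX3000": "1.16.00"}

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.38.00' -> (1, 38, 0). Comparing tuples avoids the string trap where
    '1.9.00' sorts after '1.15.00' and a vulnerable unit would look patched."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(series: str, version: str) -> Optional[bool]:
    """True if a device of this series on this firmware is still exposed to
    CVE-2022-36158/CVE-2022-36159, False if it is at or past the fixed release,
    None if the series is not one the advisory covers."""
    limit = LAST_VULNERABLE.get(series.upper())
    if limit is None:
        return None
    return parse_version(version) <= limit

def triage(inventory: str) -> List[Dict[str, str]]:
    """Read 'hostname,series,firmware' lines and list the units needing an update,
    with the target version; blank lines and '#' comments are skipped."""
    todo = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, series, version = (f.strip() for f in line.split(","))
        if assess(series, version):
            todo.append({"host": host, "series": series.upper(),
                         "current": version, "update_to": FIXED_IN[series.upper()]})
    return todo

# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """
# host,series,firmware
cabin-ap-01,FX3000,1.15.00
cabin-ap-02,FX3000,1.16.00
cabin-ap-03,FX3000,1.9.00
office-ap-01,FX2000,1.38.00
office-ap-02,FX2000,1.39.00
"""

if __name__ == "__main__":
    for unit in triage(SAMPLE_INVENTORY):
        print(f"{unit['host']}: {unit['series']} {unit['current']} -> update to {unit['update_to']}")
```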