InHand Networks’ wireless industrial router contains 17 vulnerabilities, including holes that may be chained to get root access by convincing a user to click on a malicious link.
The problems impact the InRouter 302 small industrial LTE router, which is intended for use in commercial and industrial settings, including hospitality, finance, automotive, utilities, retail, public safety, and energy. InHand products are used by some of the world’s leading corporations.
Researchers at Cisco’s Talos threat intelligence and research team uncovered the security flaws, the great majority of which have been rated “critical” or “high severity.” They can result in arbitrary file uploads, code execution, privilege escalation, OS command injection, and unauthorized firmware changes, among other things.
The flaws were discovered in IR302 versions 3.5.37 and earlier, and they were fixed with the release of version 3.5.45.
Talos researchers uncovered 17 vulnerabilities in the InRouter 302 product that may be chained to acquire root access to the device. The router is administered through a web interface or a console accessible through telnet or SSH, and users should not have access to the underlying Linux system.
Talos describes a hypothetical attack scenario that begins with the exploitation of a cross-site scripting (XSS) vulnerability, which allows an attacker to run arbitrary JavaScript code and steal a user’s session cookie if the user clicks on a specially crafted link that triggers the exploit.
Regardless of whether the stolen cookie grants privileged or non-privileged access, the attacker can get root access by exploiting one of three vulnerabilities. The options include using a secret command to launch a root shell and uploading a specially crafted file to get remote code execution.
If the XSS vulnerability gives the attacker only non-privileged access, Talos’ attack scenario has them leverage one of two flaws that allow a lower-privileged user to escalate permissions, for example by changing or obtaining a privileged user’s password.
If the XSS attack allows the attacker to get privileged access, they have at least two vulnerabilities to exploit in order to gain root access to the router’s Linux operating system.
“Any number of impacts may be performed after root access to the router is acquired, including, but not limited to, injecting, discarding, or examining packets, DNS poisoning, or further pivoting into the network,” Talos warned.
On Thursday, Talos published a blog post and advisories outlining its findings, and InHand published its own advisory on May 10.
InHand’s vulnerability handling appears to be improving. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in October 2021 to notify enterprises about 13 vulnerabilities detected in InHand’s IR615 router more than a year earlier.
The issues exposed several firms to remote attacks, but they appeared to be unpatched at the time of discovery, with the vendor only announcing fixes and issuing its own advisory a few weeks later.