Researchers from Necrum Security have discovered two vulnerabilities in two different wireless LAN products from Contec. The vulnerabilities exist in the FLEXLAN FX2000 and FX3000 series of devices, which are primarily used to create Wi-Fi networks in airplanes.
The vulnerable wireless LAN devices by the Japanese company can also be used in offices, factories, and other areas where high-speed communication is necessary and/or the requirement is integration with embedded devices. It is unlikely that flight control systems could be impacted by the two flaws in the FLEXLAN FX2000 and FX3000 series of devices.
However, a threat exists to other passengers or anyone connected to the WiFi network created on the vulnerable Contec devices. "There are possibilities of data plagiarism, falsification, and system destruction with malicious programs if this vulnerability was exploited by malicious attackers," Contec noted in its advisory acknowledging the vulnerabilities.
Meaning: a hacker could deploy malware to user devices through the wireless network created on any of the 15 models of the FLEXLAN FX3000 series and eight models of the FLEXLAN FX2000 series.
The vulnerabilities, viz., CVE-2022-36158 and CVE-2022-36159, exist in firmware version 1.38.00 and lower in FLEXLAN FX2000 and version 1.15.00 and below in FX3000. Researchers Thomas Knudsen and Samy Younsi of Necrum Security published details of the two vulnerabilities in a blog and how they discovered them.
The discovery of CVE-2022-36158 came from reverse engineering the firmware of the two FLEXLAN devices, which led Knudsen and Younsi to a hidden web page that is not listed in the Wireless LAN Manager interface.
This allowed researchers, and possibly anyone who exploits CVE-2022-36158, to execute Linux commands with root privileges. From here, accessing system files is a cakewalk, not to mention accessing the telnet port to gain full access to the device.
The other security flaw, CVE-2022-36159, exists due to the weak implementation of hard-coded cryptographic keys for a root account on the devices. The root account, researchers added, is set up as a backdoor for maintenance purposes. Even though the root account’s default hard-coded password was hashed, Knudsen and Younsi could break it in a few minutes.
"During our investigation, we also found that the /etc/shadow file contains the hash of two users (root and user), which only took us a few minutes to recover by a brute-force attack," the duo wrote. Changing the password seems like a simple solution. However, the researchers explained:
"The problem is that the owner of the device is only able to change the password for the account user from the web administration interface, because the root account is reserved for Contec, probably for maintenance purposes. This means an attacker with the root hard coded password can access all FX2000 series and FX3000 series devices."
Worse yet, since one password is set for the root account on all devices, a threat actor who manages to crack it can theoretically compromise all others. The only saving grace is the fact that attackers would necessarily need to be close enough to connect to the wireless network, which isn’t a lot to go on.
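The shared root hash described above is the kind of defect a firmware audit can catch before shipping or during a fleet review: the same hash field for the same account in every image, and a legacy crypt(3) scheme that is cheap to brute-force. The following Python is an added example, not code from the article, from Contec or from Necrum Security. It parses /etc/shadow contents extracted from several firmware images (constructed sample data; the image names and hash strings are made up and are not from any real device) and flags empty passwords, weak hash schemes, and hashes that are identical across images.

```python
"""Audit /etc/shadow entries from several firmware images for hard-coded,
shared or weakly hashed credentials. Added example; sample data is constructed."""
from collections import defaultdict

# Constructed shadow files from three hypothetical firmware images.
# The hash strings are invented placeholders, not real credential material.
SAMPLE_IMAGES = {
    "fw-image-A": (
        "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:18000:0:99999:7:::\n"
        "user:$1$othersal$BBBBBBBBBBBBBBBBBBBBBB:18000:0:99999:7:::\n"
        "nobody:*:18000:0:99999:7:::\n"
    ),
    "fw-image-B": (
        "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:18000:0:99999:7:::\n"
        "user:$6$uniqsalt$CCCCCCCCCCCCCCCCCCCCCC:18000:0:99999:7:::\n"
    ),
    "fw-image-C": (
        "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:18000:0:99999:7:::\n"
        "user:!:18000:0:99999:7:::\n"
        "svc::18000:0:99999:7:::\n"
    ),
}

# Schemes that modern hardware brute-forces quickly.
WEAK_SCHEMES = {"descrypt", "md5crypt"}


def parse_shadow(text):
    """Return {username: hash_field} for each well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def classify_hash(h):
    """Name the crypt(3) scheme of a shadow hash field, or its lock state."""
    if h == "":
        return "empty"                      # account logs in with no password
    if h.startswith("!") or h.startswith("*"):
        return "locked"                     # "!", "*", "!!" or "!<hash>"
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$y$") or h.startswith("$7$"):
        return "yescrypt"
    if h.startswith("$2"):
        return "bcrypt"
    if "$" not in h and len(h) == 13:
        return "descrypt"                   # traditional DES crypt
    return "unknown"


def audit_images(images):
    """Flag per-image weaknesses and hashes shared across images.

    Returns a sorted list of (image, user, finding) tuples. The image name
    "ALL" marks a hash that is identical in more than one image, which is
    the trace a single factory-set password leaves behind.
    """
    findings = []
    seen = defaultdict(set)                 # (user, hash) -> images containing it
    for image, text in images.items():
        for user, h in parse_shadow(text).items():
            scheme = classify_hash(h)
            if scheme == "empty":
                findings.append((image, user, "no password set"))
            elif scheme in WEAK_SCHEMES:
                findings.append((image, user, f"weak hash scheme {scheme}"))
            if scheme not in ("locked", "empty"):
                seen[(user, h)].add(image)
    for (user, h), imgs in seen.items():
        if len(imgs) > 1:
            names = ", ".join(sorted(imgs))
            findings.append(("ALL", user, f"identical hash in {len(imgs)} images: {names}"))
    return sorted(findings)


if __name__ == "__main__":
    for image, user, finding in audit_images(SAMPLE_IMAGES):
        print(f"{image:12} {user:8} {finding}")
```

Run against real extracted images, the cross-image check is the one that matters most: a root hash that repeats across every image means one recovered password opens every device, regardless of how strong the hash scheme is. The per-device random password the researchers recommend would make that check come back clean.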
Knudsen and Younsi advised removing the hidden web page in production to mitigate CVE-2022-36158.
For CVE-2022-36159, they recommended that Contec set a randomly generated and unique password for each device. However, this wouldn’t really eliminate the threat altogether.
Contec has released a fix for the two vulnerabilities. While Knudsen and Younsi's recommendation on removing the hidden web page is achievable through a software update, it is improbable that the second vulnerability, the hard-coded root password (CVE-2022-36159), could be eliminated through a software patch, since hard-coding passwords for root users is something that is done during manufacturing.
It is unclear precisely what Contec has done to mitigate the two bugs. Nonetheless, for the FX3000 series, users need to update the firmware to version 1.16.00 or above. For the FX2000 series, updating to version 1.39.00 or above should do the trick.
Users/admins who cannot update immediately could change the default password of the Wireless LAN Manager interface and set up a firewall as temporary measures, Contec said.