Critical Flaw Exposes Four-Faith Routers to Remote Exploitation

   December 30, 2024  Posted in HackRead


SUMMARY:

  • Vulnerability: CVE-2024-12856 impacts Four-Faith routers (models F3x24 and F3x36), allowing remote code execution.
  • Exploit Path: Attackers use the /apply.cgi endpoint to exploit the adj_time_year parameter.
  • Risk: Over 15,000 devices with default credentials are at high risk.
  • Impact: Exploits enable malware installation, data theft, and network disruption.
  • Fix: Update firmware, change default credentials, and use Suricata rules for detection.

VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild. This, as per the company, is a post-authentication flaw vulnerability that allows attackers to remotely execute commands on vulnerable devices by exploiting a weakness in the router’s system time adjustment functionality.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices,” VulnCheck researcher Jacob Baines wrote in the blog post shared with Hackread.com.

As per the investigation from the VulnCheck Initial Access team, the attack specifically targets the /apply.cgi endpoint, which allows for system configuration changes. By manipulating the adj_time_year parameter (responsible for modifying the router’s system time) within a POST request, attackers can inject malicious commands.

This bypasses authentication as the attack leverages the router’s default credentials. However, this vulnerability should not be confused with CVE-2019-12168 even though both flow through the same apply.cgi endpoint, Baines noted.

In addition, VulnCheck observed exploitation attempts originating from the IP address 178.215.23891. The firmware version’s default credentials could potentially escalate the vulnerability into an unauthenticated and remote OS command execution issue if not altered.

Furthermore, another research blog published in November 2024 also documented the exploitation of this vulnerability, with the observed User-Agent matching the User-Agent VulnCheck observed, although with a different payload, corroborating VulnCheck’s findings.

Successful exploitation allows attackers to execute remote code on a router, install malware, steal sensitive data, disrupt network operations, and use the router as a launch point for further attacks.

To mitigate this threat, VulnCheck has provided a Suricata rule to detect exploitation attempts on the network. This rule monitors HTTP traffic, specifically looking for POST requests to /apply.cgi with the adjust_sys_time parameter and suspicious patterns in the adj_time_year field.

VulnCheck has also responsibly disclosed this vulnerability to Four-Faith and its customers. Users are advised to contact Four-Faith directly for information on patches, affected models, and firmware versions.

Routers, responsible for directing internet traffic, are often overlooked in security measures, making them easy targets for cybercriminals. The prevalence of default passwords and outdated firmware creates a significant security risk, as they often contain unpatched vulnerabilities. 

Recently, Censys uncovered 14 critical vulnerabilities in DrayTek Vigor routers, including a buffer overflow and OS command injection flaw. Now the discovery of vulnerability in Four-Faith routers further shows the need for improved security measures to protect routers and their users.

  1. New Botnets Exploit Old D-Link Router for DDoS Attacks
  2. Condi DDoS Botnet Targets Vulnerable TP-Link AX21 Routers
  3. FBI: Hackers Target Ubiquiti Routers for Data, Botnet Creation
  4. ASUS, NordVPN Partner to Integrate VPN Service into Routers
  5. 6,000 Asus Routers Hacked in 72 Hours by TheMoon Malware





Source link