Three vulnerabilities found in a variety of Korenix JetWave industrial access points and LTE cellular gateways may allow attackers to either disrupt their operation or to use them as a foothold for further attacks, CyberDanube researchers have found.
“If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker,” the researchers noted.
About the vulnerabilities
The vulnerabilities, which have yet to be assigned CVE numbers, include:
- Two command injection flaws in the devices’ web server
- One vulnerability that could be triggered to achieve denial of web service
All three vulnerabilities require attackers to authenticate before launching an exploit.
“If default credentials are used (e.g., admin:admin), it’s easy [to do that]. If not, it’s also possible for attackers to sniff unencrypted network traffic (as HTTP is also allowed for web-interface login),” CyberDanube Technical Director Thomas Weber told Help Net Security. (They have not tested if a cross-site request forgery attack would work.)
A denial of web service attack can be temporarily remedied by rebooting the targeted device, but injected commands could lead to indefinite compromise.
The researchers have released an advisory containing PoC exploits, which create an innocuous file on a targeted device’s temporary file system.
“If other commands are injected instead – and we tested that, as well – it’s also possible to initiate a reverse-shell to an arbitrary server. This qualifies the device to act as persistent foothold for an attacker,” Weber noted.
Which devices are affected?
Vulnerable devices include:
- Korenix JetWave 4221 HP-E
- Korenix JetWave 3220/3420v3
- Korenix JetWave 2212G
- Korenix JetWave 2212X/2112S
- Korenix JetWave 2211C
- Korenix JetWave 2411/2111
- Korenix JetWave 2411L/2111L
- Korenix JetWave 2414/2114
- Korenix JetWave 2424
- Korenix JetWave 2460
The researchers discovered the vulnerabilities by creating a digital twin of the firmware running on the first two industrial devices on that list, and Beijer Electronics (the company that manufactures devices under the Korenix brand) confirmed the other JetWave devices are also vulnerable.
New firmware versions with fixes were released in January 2023, and Korenix has sent its customers a notification with the security advisory. The company advises customers to upgrade affected devices to the latest firmware version available.