
Cisco IoT wireless access points hit by severe command injection flaw

Cisco’s Ultra-Reliable Wireless Backhaul (URWB) hardware has been hit with a hard-to-ignore flaw that could allow attackers to hijack the access points’ web interface using a crafted HTTP request.

Identified as CVE-2024-20418, Cisco said the issue affects three products: the Catalyst IW9165D Heavy Duty Access Points, the Catalyst IW9165E Rugged Access Points and Wireless Clients, and the Catalyst IW9167E Heavy Duty Access Points.

However, the access points are only vulnerable if they are running vulnerable software in URWB mode, Cisco said. Admins can confirm whether URWB mode is in operation by using the show mpls-config command. If URWB mode is disabled, the device is not affected. Cisco’s other wireless access point products that don’t use URWB are unaffected.

As to the flaw itself:

“This vulnerability is due to improper validation of input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system,” Cisco said in its advisory.

“A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device.”

In other words, it would be a complete compromise. This type of vulnerability is catalogued as CWE-77 in the Common Weakness Enumeration (CWE) database, and is otherwise known as “command injection.”

That’s significant, because as recently as July, CISA warned about the dangers of precisely this type of flaw.

“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA wrote.

The organization implored manufacturers to avoid this issue by adopting the principles of secure by design, a polite way of saying these errors shouldn’t still be happening. 

Who uses URWB access points?

The URWB product line is a ruggedized family of access points for use in industrial or outdoor settings. The technology underpinning URWB came to Cisco in 2020 when it acquired Italian company Fluidmesh Networks.

URWB mode allows access points to support high-speed, reliable, low-latency wireless connectivity in environments where that would normally be difficult to guarantee.

In a 2021 blog about the technology, Fluidmesh Networks’ co-founder and former CEO Umberto Malesci gave several examples of how the technology was being used, including a 1,000-device IP camera network on moving trains in France, wireless control of port cranes in Malta, and infrastructure supporting driverless metro trains in Milan.

“Imagine remotely monitoring and controlling moving assets on trains, subways, public transit, mines, or ports. If a few packets drop while you’re checking email, no one notices. In contrast, dropped packets when you’re remotely controlling a crane or autonomous vehicle can have serious consequences,” wrote Malesci.

The critical nature of these use cases underlines how important it is to patch the flaw as a high priority. However, it’s not clear how easy it would be for an attacker to target the vulnerability directly, given that this type of access point is normally isolated on a dedicated IoT network segment. If that is the case, an attacker would probably need wireless proximity to exploit the weakness.

Patching advice

With the maximum CVSS score of 10.0, and with no workarounds available, fixing the flaw requires admins to apply software patches through Cisco’s update channel. Organizations using software version 17.14 and earlier should update to a fixed release, while those using 17.15 should update to version 17.15.1, Cisco said.

Any organizations that bought URWB access points through an unsupported channel are advised to contact the Cisco Technical Assistance Center.

However, in a small piece of good news, Cisco’s Product Security Incident Response Team (PSIRT) said it was not aware of any exploits targeting the flaw.
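For teams working through an access point inventory, the exposure conditions above (affected model, URWB mode enabled, software earlier than 17.15.1) can be applied mechanically. The following is an added example, not code from Cisco or the article; the CSV column names, hostnames and the prefix match on model names are assumptions, the urwb_mode column is expected to be filled in by hand from the show mpls-config check, and releases later than 17.15.1 are assumed to contain the fix.

```python
import csv
import io

# Model names and the fixed release are taken from the article (CVE-2024-20418).
# Prefix matching (assumption) lets suffixed product IDs match as well.
AFFECTED_MODEL_PREFIXES = ("IW9165D", "IW9165E", "IW9167E")
FIXED_RELEASE = (17, 15, 1)

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """\
hostname,model,software_version,urwb_mode
ap-crane-01,IW9167E,17.14.1,enabled
ap-yard-02,IW9165D,17.15,enabled
ap-yard-03,IW9165E,17.15.1,enabled
ap-depot-04,IW9165D,17.12.1,disabled
ap-office-05,C9130AXI,17.9.4,disabled
ap-train-06,IW9165E,unknown,enabled
"""

def parse_version(text):
    """Return a 3-tuple of ints, padding short versions ("17.15" -> (17, 15, 0))."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if not numeric
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(row):
    """Classify one inventory row against the advisory's conditions."""
    if not row["model"].strip().upper().startswith(AFFECTED_MODEL_PREFIXES):
        return "not-affected-model"
    if row["urwb_mode"].strip().lower() != "enabled":
        return "urwb-disabled"
    try:
        version = parse_version(row["software_version"])
    except ValueError:
        # Never guess: an unparseable version on an exposed device needs a human.
        return "check-manually"
    return "patched" if version >= FIXED_RELEASE else "patch-now"

def triage_inventory(csv_text):
    """Map hostname -> triage status for every row of the CSV text."""
    return {r["hostname"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```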

Source: Network World
