The security researcher Ian Ling discovered a serious remote command execution (RCE) flaw in the Siklu EtherHaul Radios devices.
Security expert Ian Ling has discovered a severe remote command execution (RCE) vulnerability in the Siklu’s EtherHaul wireless point-to-point radios.
The flaw could be exploited by remote unauthenticated attackers to execute commands and retrieve sensitive information, including usernames and plaintext passwords from the device.
The Israeli firm Siklu has already released a patch to address the vulnerability in the vast majority of its products that have been sold to mobile operators, service providers, wireless security network operators, governments, and enterprises.
The security expert discovered the flaw while testing a feature in the web interface that could be used by operators to configure one radio from another that has a wireless connection to it.
“Siklu EtherHaul devices (wireless point-to-point radios) have a feature in the web interface that allows you to configure both radios in a pair from either side.” reads the post published by the experts.
Ling noticed that the EtherHaul radios have three ports open, the 22 and 443 for management purposes, and the 555 (its use was not clear).
Further analysis of the port 555 allowed the researchers to discover that the service it exposes requires only a username for the authentication process. This means that a remote attacker can send specially crafted requests that look like sent from another Siklu EtherHaul device in order to execute arbitrary commands on the radio.
“Using another vulnerability I found on the EtherHauls, I was able to log in as root and access a Linux shell. The EtherHauls have a tcpdump binary on them, which allowed me to record a packet capture of all traffic involving port 555 and see exactly what data was being sent between the devices.” continues the analysis.
“Prior to the “mo-info rf” command being sent, the device making the request first “authenticates” by sending the username of whoever is logged in, surrounded by a lot of null bytes:”
The researcher discovered that using specific commands it was possible to retrieve login credentials of the EtherHauls and set a new administrator password.
Ling has published the following proof-of-concept (PoC) code exploits:
Show username and password in plaintext: https://gist.github.com/ianling/c06636fba1b294393f0d3b7df082aa91
Set password to “Abc123123″: https://gist.github.com/ianling/6f4b8c76aa369618e3ae7dd494958762
The vulnerability was reported to Siklu on December 22 and the company issued security updates on February 13.
Last year, Ling has spotted another serious vulnerability in the Siklu EtherHaul radios, a hidden root account that had the same unchangeable password on all devices.