Critical Vulnerabilities Provide Root Access to InHand Industrial Routers

A total of 17 vulnerabilities have been found in a wireless industrial router made by InHand Networks, including flaws that can be chained to gain root access by getting a user to click on a malicious link.

The flaws affect the InRouter 302 compact industrial LTE router, which is designed for commercial and industrial environments, including for applications in the hospitality, financial, automotive, utilities, retail, public safety, and energy sectors. Some of the world’s largest organizations use InHand products.

InHand router vulnerabilitiesInHand router vulnerabilitiesThe security holes, a vast majority of which have been assigned a “critical” or “high severity” rating, were discovered by researchers at Cisco’s Talos threat intelligence and research unit. They can lead to arbitrary file uploads, code execution, privilege escalation, OS command injection, and unauthorized firmware updates.

The weaknesses affect IR302 version 3.5.37 and prior, and they have been patched with the release of version 3.5.45.

Some of the 17 vulnerabilities discovered by Talos researchers in the InRouter 302 product can be chained to gain root access to the device. The router can be managed through a web interface or a console that can be accessed via telnet or SSH, but users should not have access to the underlying Linux system.

A theoretical attack scenario described by Talos starts with the exploitation of a cross-site scripting (XSS) vulnerability that allows the attacker to execute arbitrary JavaScript code and exfiltrate the session cookie of a user who clicks on a specially crafted link that triggers the exploit.

Regardless of whether the stolen cookie gives them privileged or non-privileged access, the attacker can exploit one of three vulnerabilities to obtain root access. This includes abusing a hidden command that spawns a root shell, and uploading a specially crafted file to achieve remote code execution.

In Talos’ attack scenario, if the attacker obtains non-privileged access following the exploitation of the XSS vulnerability, they can use one of two vulnerabilities that allow a user with lower privileges to escalate permissions, including by changing or obtaining a privileged user’s password.

Learn more about vulnerabilities in industrial systems at 

SecurityWeek’s 2022 ICS Cyber Security Conference 

If the XSS attack helps the attacker obtain privileged access, they have at least two vulnerabilities at their disposal that they can exploit to gain root access to the Linux operating system running on the router.

“Once root access to the router is obtained any number of effects can be achieved including, but not limited to, injecting, dropping, or inspecting packets, DNS poisoning, or further pivoting into the network,” Talos explained.

Talos published a blog post and advisories describing its findings on Thursday and InHand released its own advisory on May 10.

InHand seems to be improving its vulnerability handling process. In October 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to inform organizations about 13 vulnerabilities discovered in InHand’s IR615 router nearly one year earlier.

The flaws exposed many companies to remote attacks, but they appeared to be unpatched at the time of disclosure, with the vendor only releasing its own advisory and announcing fixes a few weeks later.

Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers

Related: Several Vulnerabilities Expose Phoenix Contact Industrial 4G Routers to Attacks

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:
Tags:

Related Posts

Leave a Reply

Your email address will not be published.