Robustel R1510 sysupgrade firmware update vulnerability

# Talos Vulnerability Report

### TALOS-2022-1580

## Robustel R1510 sysupgrade firmware update vulnerability

##### October 14, 2022

##### CVE Number

CVE-2022-34845

##### SUMMARY

A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Robustel R1510 3.1.16
Robustel R1510 3.3.0

##### PRODUCT URLS

R1510 –

##### CVSSv3 SCORE

6.7 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

##### CWE

CWE-345 – Insufficient Verification of Data Authenticity

##### DETAILS

The R1510 is an industrial cellular router. It offers several advanced software features like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 lets the admin user upgrade the firmware. The API `/action/import_firmware` is used to upload the firmware file. Then the `/ajax/system_upgrade_start/` API can be called. This function eventually calls the `sysupgrade` binary, which performs the actual firmware upgrade.

Here is the relevant portion of the `/ajax/system_upgrade_start/` API:

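```c
[…]
{
    /* argv for the upgrade helper: sysupgrade -q FILENAME */
    command[0] = "sysupgrade";
    command[1] = "-q";
    command[2] = FILENAME;   /* path set earlier by /action/import_firmware */
    command[3] = 0;          /* argv terminator */
    void var_18;
    _eval(command, 0, 0, &pid);   /* runs the command; no check of the image precedes it */
}
[…]
```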

The `/ajax/system_upgrade_start/` API is a wrapper for executing `sysupgrade -q FILENAME`. The `FILENAME` variable is set in `/action/import_firmware` and holds the pathname of the firmware file. `sysupgrade` will perform the firmware upgrade, but with the current settings the binary does not perform any signature verification. This can lead to arbitrary firmware update.
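Because the device does not authenticate the image itself, each firmware update is worth surfacing on the monitoring side. The following is an added example, not part of the Talos report: it correlates the two API calls named above in web access logs and marks updates from unexpected sources. The log format (Common Log Format lines from a proxy in front of the router), the approved-host list, the 10-minute window and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in the advisory; log format and policy below are assumptions.
UPLOAD = "/action/import_firmware"
START = "/ajax/system_upgrade_start/"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

SAMPLE_LOG = [  # constructed sample lines, not captured from a device
    '192.0.2.10 - admin [14/Oct/2022:09:00:01 +0000] "POST /action/import_firmware HTTP/1.1" 200 512',
    '192.0.2.10 - admin [14/Oct/2022:09:00:40 +0000] "POST /ajax/system_upgrade_start/ HTTP/1.1" 200 64',
    '198.51.100.7 - admin [14/Oct/2022:23:15:02 +0000] "POST /action/import_firmware HTTP/1.1" 200 512',
    '198.51.100.7 - admin [14/Oct/2022:23:15:09 +0000] "POST /ajax/system_upgrade_start/ HTTP/1.1" 200 64',
    '203.0.113.5 - - [14/Oct/2022:23:20:00 +0000] "POST /ajax/system_upgrade_start/ HTTP/1.1" 401 0',
]

def find_firmware_updates(lines, approved_hosts, window=timedelta(minutes=10)):
    """Return one finding per accepted upgrade start, noting whether the same
    client uploaded an image within `window` and whether it is an approved host."""
    last_upload = {}  # client IP -> time of its last accepted upload
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or m.group(4)[0] in "45":
            continue  # not an access-log entry, or the request was rejected
        client, ts, path, _ = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]  # ignore any query string
        if path == UPLOAD:
            last_upload[client] = when
        elif path == START:
            up = last_upload.pop(client, None)
            findings.append({
                "client": client,
                "time": when.isoformat(),
                # False means the image was staged earlier or by another client
                "upload_seen": up is not None and when - up <= window,
                "approved_source": client in approved_hosts,
            })
    return findings

def unapproved(findings):
    """Findings that should be reviewed: updates from hosts not on the list."""
    return [f for f in findings if not f["approved_source"]]

if __name__ == "__main__":
    for f in find_firmware_updates(SAMPLE_LOG, approved_hosts={"192.0.2.10"}):
        print(f)
```

An upgrade start with `upload_seen` set to `False` deserves the same attention as one from an unapproved host, since the image it flashed was placed on the device outside the observed window.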

##### TIMELINE

2022-07-13 – Vendor Disclosure
2022-10-14 – Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.
