Security researchers have discovered a severe security vulnerability, CVE-2023-22598, in the InRouter firmware from manufacturer InHand Networks GmbH. The vulnerability, rated CVSS 10.0, leaves thousands of wireless IIoT devices open to remote code execution via the vendor's cloud platform. Unpatched devices sit in everything from industrial robots to smart electricity meters to medical devices.
I was notified about the issue by cybersecurity firm OTORIO, which specializes in the security of operational technology (OT) environments. The Cybersecurity & Infrastructure Security Agency (CISA) also issued an advisory on vulnerabilities in InHand Networks InRouters on January 12, 2023.
InHand Networks was founded in 2001 as an M2M startup and today supplies industrial communication products and complete IoT solutions. Its products are likely to be found at all major industrial companies working in the Industrial Internet of Things (IIoT).
Five vulnerabilities in InRouter firmware
The OTORIO team discovered five CVEs in InHand Networks' cloud management platform and InRouter firmware. Chained together, they allowed an attacker to bypass NAT and the traditional security layers in front of the device and execute code as root on cloud-connected InRouters without any authentication. The CISA advisory covers all five and gives the details; the CVSS 10.0 score in its summary is the one attached to CVE-2023-22598:
1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: InHand Networks
- Equipment: InRouter302, InRouter615
- Vulnerabilities: Cleartext Transmission of Sensitive Information, OS Command Injection, Use of a One-way Hash with a Predictable Salt, Improper Access Control, Use of Insufficiently Random Values
By default, the affected products use an unsecured channel to communicate with the cloud platform. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could enable MQTT command injection.
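To make concrete what "cleartext transmission" means here, an added example of my own (not code from OTORIO, CISA or InHand Networks): a small parser for the MQTT 3.1.1 CONNECT packet, which is the message an attacker sitting on the unsecured channel gets to read first. The wire format is the public MQTT 3.1.1 specification; the client ID, user name and password in the sample packet are constructed for this example and are not real device credentials.

```python
import struct
from typing import Optional, Tuple

MQTT_CONNECT = 0x10  # control packet type 1 (CONNECT) in the upper nibble


def _decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode MQTT's variable-length 'Remaining Length' field (1 to 4 bytes)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _read_field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a field with a 2-byte big-endian length prefix (UTF-8 string or binary data)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + length], pos + length


def parse_connect(packet: bytes) -> dict:
    """Parse one MQTT 3.1.1 CONNECT packet into its fields.

    Everything returned here is visible to a passive observer when the session
    is not wrapped in TLS; the password is the MQTT credential the advisory
    describes as recoverable from the unsecured channel.
    """
    if not packet or packet[0] & 0xF0 != MQTT_CONNECT:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    end = pos + remaining
    if end > len(packet):
        raise ValueError("packet shorter than its remaining length")
    proto_name, pos = _read_field(packet, pos)
    if pos + 4 > end:
        raise ValueError("truncated variable header")
    proto_level = packet[pos]
    flags = packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_field(packet, pos)
    info = {
        "protocol": proto_name.decode("utf-8"),
        "level": proto_level,
        "client_id": client_id.decode("utf-8"),
        "keep_alive": keep_alive,
        "username": None,
        "password": None,
    }
    if flags & 0x04:  # Will Flag: will topic and will message precede the credentials
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    if flags & 0x80:  # User Name Flag
        username, pos = _read_field(packet, pos)
        info["username"] = username.decode("utf-8")
    if flags & 0x40:  # Password Flag (binary data per the spec, usually a UTF-8 string)
        password, pos = _read_field(packet, pos)
        info["password"] = password.decode("utf-8", errors="replace")
    if pos != end:
        raise ValueError("trailing bytes after CONNECT payload")
    return info


def leaked_credentials(packet: bytes) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """What a sniffer recovers from a cleartext CONNECT: (client_id, username, password), or None."""
    info = parse_connect(packet)
    if info["username"] is None and info["password"] is None:
        return None
    return info["client_id"], info["username"], info["password"]


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keep_alive: int = 60) -> bytes:
    """Build a minimal CONNECT packet (clean session, no will) as test input."""
    def field(value) -> bytes:
        data = value.encode("utf-8") if isinstance(value, str) else value
        return struct.pack(">H", len(data)) + data

    flags = 0x02  # Clean Session
    payload = field(client_id)
    if username is not None:
        flags |= 0x80
        payload += field(username)
    if password is not None:
        flags |= 0x40
        payload += field(password)
    body = field("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive) + payload
    remaining, encoded = len(body), bytearray()
    while True:  # variable-length integer: 7 bits per byte, high bit means "more follows"
        digit, remaining = remaining % 128, remaining // 128
        encoded.append(digit | 0x80 if remaining else digit)
        if not remaining:
            break
    return bytes([MQTT_CONNECT]) + bytes(encoded) + body


# Constructed sample: the CONNECT a router-like client sends to a broker on tcp/1883.
# Client ID, user name and password are made up for this example.
SAMPLE_CONNECT = build_connect("IR302-constructed", "device-user", "s3cret")

if __name__ == "__main__":
    print(parse_connect(SAMPLE_CONNECT))
    print("recovered from the wire:", leaked_credentials(SAMPLE_CONNECT))
```

Run it and the password comes back in plain text; that is the credential theft step. Once an attacker holds valid broker credentials, the MQTT command injection CISA describes is a matter of publishing the right payload to the topic the device listens on. The transport-side remedy is MQTT over TLS (conventionally tcp/8883) with server certificate verification, so the CONNECT packet never appears on the wire in the clear; whether and how the fixed firmware does that is not covered by the advisory excerpt above.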
Successful exploitation of these vulnerabilities could allow MQTT (Message Queuing Telemetry Transport) command injection, unauthorized disclosure of sensitive device information, and remote code execution. Properly chained, they could allow an unauthorized remote user to take full control of any InHand Networks cloud-managed device. The following versions of InRouter are affected:
- InRouter 302: All versions prior to IR302 V3.5.56
- InRouter 615: All versions prior to InRouter6XX-S-V2.3.0.r5542
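As a practical check against the two fixed versions above, an added inventory triage script of my own (not OTORIO's or InHand Networks' tooling): it turns the vendor's firmware version strings into comparable tuples and flags devices still below the fixed release. The hostnames and firmware strings in the sample inventory are constructed, and it is my assumption that a device reports its version in the same format the advisory uses.

```python
import re
from typing import List, Tuple

# Fixed releases as named in the CISA advisory quoted above.
FIXED_VERSIONS = {
    "InRouter302": "IR302 V3.5.56",
    "InRouter615": "InRouter6XX-S-V2.3.0.r5542",
}

# 'V' + dotted numbers, optionally followed by a '.r<build>' suffix.
_VERSION_RE = re.compile(r"V(\d+(?:\.\d+)*)(?:\.r(\d+))?", re.IGNORECASE)


def version_tuple(version_string: str) -> tuple:
    """Extract a comparable tuple from an InHand-style firmware string.

    'IR302 V3.5.56'              -> (3, 5, 56, 0)
    'InRouter6XX-S-V2.3.0.r5542' -> (2, 3, 0, 5542)
    The dotted part is padded to three components and a missing build
    suffix counts as 0, so 'V2.3.0' sorts below 'V2.3.0.r5542'.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"no version number in {version_string!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (build,)


def is_vulnerable(model: str, reported_version: str) -> bool:
    """True when the reported firmware is older than the fixed release for that model."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f"no fix data for model {model!r}")
    return version_tuple(reported_version) < version_tuple(FIXED_VERSIONS[model])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames of (hostname, model, firmware) entries that still need the update."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]


# Constructed sample inventory; hostnames and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("ir302-plant-a", "InRouter302", "IR302 V3.5.42"),
    ("ir302-plant-b", "InRouter302", "IR302 V3.5.56"),
    ("ir615-site-1", "InRouter615", "InRouter6XX-S-V2.3.0.r5542"),
    ("ir615-site-2", "InRouter615", "InRouter6XX-S-V2.2.9.r5100"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs firmware update:", host)
```

The comparison is deliberately strict: a device on exactly the fixed release is not flagged, and a version string the regex cannot parse raises rather than silently passing, since a router that reports nothing usable should land on a human's desk, not in the "patched" column.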
This poses a significant threat, OTORIO security researchers write, because InRouters are used in many different cyber-physical systems, including industrial robots, oil drilling rigs, elevators, medical devices, electric car charging stations and smart meters.
"While InHand Networks has already closed the cloud vulnerabilities, others may still be at risk. Users are advised to update their firmware to the latest version," said Roni Gavrilov, Security Researcher at OTORIO. "Successful exploitation of industrial wireless IoT (IIoT / Industrial Internet of Things) can allow an attacker to bypass all layers of security protecting the internal OT network at once. This allows direct access to connected PLCs, HMIs and field devices at the attacked site, which can easily impact the process and potentially extend the attack to the control center."