RBS-2022-001 – NetModule Router Software (NRSW)

NetModule Router Software (NRSW) contains PHP type juggling flaws. With specially crafted HTTP requests, a remote attacker can bypass authentication and access the configuration file upload functionality and CLI interface.

PHP type juggling flaws in NetModule Router Software

Vendor / Product information

“The NetModule Router Software is the standard software on our mobile and stationary router products. It comes with a comprehensive set of network features and a user interface for integrators or end users.”

Source:
https://www.netmodule.com/en/products/software-overview

Vulnerable program details

Tested products and version:

Vendor: NetModule
Product: NetModule Router Software (NRSW)
Version: 3.8.0.100, 3.8.0.114, 4.0.0.109, 4.0.0.111, 4.1.0.102

Credits

Carsten Eiram, Flashpoint
Twitter: @FlashpointIntel

Vulnerability details

NetModule Router Software (NRSW) contains vulnerabilities in two PHP scripts accessible via the web-based management interface, both of which are vulnerable to PHP type juggling. This allows remote attackers to bypass authentication and access certain administrative functionality.

Please note that these vulnerabilities were discovered during audits of older firmware versions that are still used on multiple publicly accessible devices. The vendor addressed both issues in updated versions released at the end of 2018 without mention in the release changelogs. Based on conversations with the vendor, they were seemingly unaware that their code changes addressed these two vulnerabilities and were not trying to silently fix them.

/upload.php PHP Juggling Remote Authentication Bypass

NetModule Router Software (NRSW) contains a PHP type juggling flaw in the /upload.php script. The script fails to properly check the supplied password when it is passed as an array type. With a specially crafted HTTP request, a remote attacker can bypass authentication and access the configuration file upload functionality.

Example:
http://[IP]/upload.php?usr=admin&pwd[]=notThePassword

/cli.php PHP Juggling Remote Authentication Bypass

NetModule Router Software (NRSW) contains a PHP type juggling flaw in the /cli.php script. The script fails to properly check the supplied password when it is passed as an array type. With a specially crafted HTTP request, a remote attacker can bypass authentication and access the CLI interface.

Example:
http://[IP]/cli.php?usr=admin&pwd[]=notThePassword&command=[command]

Solution

The vulnerability in upload.php was addressed in version 4.1.0.103 by removing the vulnerable script. The vulnerability in cli.php was addressed in version 4.2.0.100 while fixing another issue.

As NetModule does not mention these critical vulnerability fixes in a security advisory or release changelogs, Flashpoint contacted the vendor. The hope was to encourage them to alert their customers, e.g. via a security advisory, so that anyone still using an old, vulnerable version would become aware of the risk and upgrade to a fixed, supported version prior to publication of this report. The vendor has stated that they do not plan to issue a security advisory, as they only do that for supported releases. They further state that they already publish Discontinuation Notices and continuously ask customers to keep devices up to date, and that customers still running old, unsupported releases have therefore knowingly accepted the risk.

It should be noted that multiple vulnerable devices have been found to be publicly accessible, with, for example, one Danish company having more than 100 of them exposed on the Internet. Vulnerable devices are also accessible in many other countries. Anyone using these vulnerable versions is encouraged to immediately upgrade to a fixed version or ensure that the devices are no longer Internet accessible.
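
To check whether the request pattern from the two examples above has reached a device, the following added example (not part of the original report and not vendor code) scans HTTP access logs for requests to /upload.php or /cli.php in which pwd arrives with array syntax. It assumes common/combined log format from a proxy or web server in front of the device; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Scripts named in the advisory as affected.
AFFECTED_PATHS = {"/upload.php", "/cli.php"}

# Assumed log format: common/combined access log (client first, quoted request line).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# PHP parses "pwd[]=x" or "pwd[k]=x" into an array instead of a string.
ARRAY_PWD_RE = re.compile(r"pwd\[[^\]]*\]")

# Constructed sample entries (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2022:10:00:01 +0000] "GET /upload.php?usr=admin&pwd[]=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jul/2022:10:00:05 +0000] "GET /cli.php?usr=admin&pwd%5B%5D=x&command=status HTTP/1.1" 200 128',
    '192.0.2.10 - - [05/Jul/2022:10:01:00 +0000] "GET /cli.php?usr=admin&pwd=secret&command=status HTTP/1.1" 200 128',
    '192.0.2.10 - - [05/Jul/2022:10:02:00 +0000] "GET /index.php?pwd[]=x HTTP/1.1" 404 0',
]


def array_pwd_keys(query):
    """Return the decoded query keys that make PHP treat `pwd` as an array."""
    keys = (unquote(pair.split("=", 1)[0].replace("+", " ")).lstrip() for pair in query.split("&"))
    return [k for k in keys if ARRAY_PWD_RE.match(k)]


def find_suspicious(lines):
    """Return (client, path, keys) for requests matching the advisory's pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw_path, _, query = m.group("target").partition("?")
        # Collapse "//" and "/./" so trivially altered paths still match.
        path = posixpath.normpath("/" + unquote(raw_path).lstrip("/"))
        keys = array_pwd_keys(query)
        if path in AFFECTED_PATHS and keys:
            hits.append((m.group("client"), path, keys))
    return hits


if __name__ == "__main__":
    for client, path, keys in find_suspicious(SAMPLE_LOG):
        print(f"{client} requested {path} with array-typed password key(s): {keys}")
```

Only the query string is inspected, which is the form shown in the advisory's examples; a hit shows that the request was made, not that it succeeded.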

References

VulnDB: 292261 and 292262.

Timeline

2022-03-28: Vulnerabilities discovered.
2022-05-30: Vendor contacted.
2022-05-30: Vendor acknowledges receipt of report.
2022-06-09: Alert sent to RBS VulnDB clients.
2022-07-05: Publication of this vulnerability report.