CVE-2022-24150 in Tenda AX3

Summary

by MITRE • 02/04/2022

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function formSetSafeWanWebMan. This vulnerability allows attackers to execute arbitrary commands via the remoteIp parameter.


Analysis

by VulDB Data Team • 02/05/2022

The vulnerability identified as CVE-2022-24150 affects the Tenda AX3 wireless router model running firmware version v16.03.12.10_CN. This issue resides within the formSetSafeWanWebMan function which handles configuration management for the router's WAN settings. The flaw represents a critical security weakness that enables remote code execution through improper input validation mechanisms. Security researchers discovered that the remoteIp parameter within this function fails to properly sanitize user-supplied data, creating an avenue for malicious command injection attacks.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization practices within the router's web management interface. When the remoteIp parameter is processed by the formSetSafeWanWebMan function, the system does not adequately filter or escape special characters that could be interpreted as command delimiters or shell metacharacters. This allows attackers to inject malicious commands that are subsequently executed within the router's operating environment. The vulnerability manifests as a classic command injection flaw that aligns with CWE-77, which specifically addresses improper neutralization of special elements used in commands.

From an operational perspective, this vulnerability presents significant risks to network security and device integrity. An attacker with remote access capabilities can leverage this flaw to execute arbitrary commands on the affected router, potentially gaining full control over the device's functionality. The implications extend beyond simple command execution as attackers could modify network configurations, redirect traffic, establish persistent backdoors, or use the compromised device as a pivot point for attacking internal network resources. This vulnerability directly maps to ATT&CK technique T1059.001 for command and scripting interpreter, and T1021.001 for remote services, demonstrating the multi-faceted attack vectors available to threat actors.

The impact of this vulnerability is particularly concerning given the widespread deployment of Tenda AX3 routers in residential and small office environments where network security may be insufficiently managed. The remote nature of the attack means that exploitation can occur without physical access to the device, making it accessible to attackers globally. Network administrators and security professionals should consider this vulnerability as a high-priority concern for any network containing affected devices. The lack of authentication requirements for the vulnerable endpoint further amplifies the risk, as attackers can exploit this without needing valid credentials. Organizations should implement immediate mitigation strategies including firmware updates, network segmentation, and monitoring for suspicious network activity originating from affected devices.

Mitigation strategies should prioritize firmware updates from Tenda to address the underlying command injection vulnerability. Network administrators should also consider implementing network access controls to restrict access to the router's management interface, particularly when the device is exposed to untrusted networks. Additional defensive measures include monitoring for unusual network traffic patterns, implementing intrusion detection systems, and conducting regular security assessments of network infrastructure. The vulnerability highlights the importance of proper input validation and secure coding practices, emphasizing the need for manufacturers to adhere to security standards and conduct thorough penetration testing of network devices before public release.
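The paragraphs above describe the root cause (a form field that reaches a shell command without neutralization of metacharacters) and recommend monitoring for suspicious activity. The following example is added here and is not Tenda's firmware code or VulDB's; it shows the weak pattern next to a fail-closed validator that accepts only an IPv4 literal and hands it to the command as a single argv element, and then reuses that validator as a detection rule over constructed web-access log lines. The `/goform/SetSafeWanWebMan` path, the iptables rule and the log lines are assumptions; only the parameter name `remoteIp` comes from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Weak pattern (constructed for illustration, not the Tenda code): the raw form
# field is pasted into a shell command string, so anything the shell treats
# specially (";", "|", "$(", backticks, ...) changes what gets executed.
def weak_command_string(remote_ip: str) -> str:
    return f"iptables -A INPUT -s {remote_ip} -j ACCEPT"

# Hardened form: parse the field as an IPv4 literal and fail closed on anything else.
def validate_remote_ip(value: str) -> str:
    if not isinstance(value, str) or len(value) > 15:
        raise ValueError("remoteIp must be a dotted-quad IPv4 address")
    # IPv4Address accepts only "a.b.c.d" with each octet 0-255; a metacharacter,
    # hostname, CIDR suffix or empty string raises AddressValueError (a ValueError).
    return str(ipaddress.IPv4Address(value.strip()))

def is_valid_remote_ip(value: str) -> bool:
    try:
        validate_remote_ip(value)
        return True
    except ValueError:
        return False

# Build the command as an argv list (hypothetical rule). Passed to
# subprocess.run(argv) or execve(), the address is one argument and is never
# parsed by a shell, so metacharacters cannot split it into extra commands.
def build_firewall_argv(remote_ip: str) -> list:
    ip = validate_remote_ip(remote_ip)
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "ACCEPT"]

# Detection side: flag management-interface requests whose remoteIp value is
# not a plain IPv4 address. Same validator, applied to logs instead of input.
REQ_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

def find_suspicious_requests(lines):
    flagged = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
        for value in params.get("remoteIp", []):
            if not is_valid_remote_ip(value):
                flagged.append((m.group("client"), value))
    return flagged

# Constructed sample log lines in common log format; the path and addresses are
# made up for this example and are not taken from the advisory.
SAMPLE_LOG = [
    '192.168.0.10 - - [05/Feb/2022:10:00:01 +0000] "POST /goform/SetSafeWanWebMan?remoteIp=203.0.113.7 HTTP/1.1" 200 12',
    '198.51.100.23 - - [05/Feb/2022:10:00:02 +0000] "POST /goform/SetSafeWanWebMan?remoteIp=203.0.113.7%3Bid HTTP/1.1" 200 12',
    '192.168.0.11 - - [05/Feb/2022:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 4096',
    '198.51.100.23 - - [05/Feb/2022:10:00:04 +0000] "POST /goform/SetSafeWanWebMan?remoteIp=example.com HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious remoteIp from {client}: {value!r}")
```

The detector deliberately flags any non-IPv4 value, including a harmless hostname, rather than searching for a list of known-bad characters: an allow-list on the expected shape of the field is what the firmware should have enforced, and it is also the rule least likely to be bypassed by an encoding the deny-list did not anticipate.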

Reservation: 01/31/2022

Disclosure: 02/04/2022

Moderation: accepted

CPE: ready

EPSS: 0.02724

KEV: no

Activities: very low
