CVE-2022-26993 in SBR-AC1900P
Summary
by MITRE • 03/16/2022
Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/18/2022
The CVE-2022-26993 vulnerability affects Arris routers including models SBR-AC1900P, SBR-AC3200P, and SBR-AC1200P with specific firmware versions. This represents a critical command injection flaw that resides within the router's pppoe function implementation, specifically targeting three parameters: pppoeUserName, pppoePassword, and pppoe_Service. The vulnerability stems from inadequate input validation and sanitization within the router's web interface processing logic, creating an avenue for malicious actors to inject arbitrary commands into the underlying operating system.
The technical exploitation of this vulnerability occurs through crafted HTTP requests that manipulate the specified pppoe parameters. When these parameters are processed by the router's firmware without proper sanitization, attackers can inject malicious commands that get executed within the context of the router's operating system. This command injection vulnerability maps directly to CWE-77 and CWE-94, which categorize improper input validation and code injection flaws respectively. The attack vector leverages the web-based management interface of the router, making it accessible to remote attackers who can craft malicious requests without requiring physical access to the device.
The operational impact of this vulnerability is severe as it allows remote code execution on affected routers, potentially enabling attackers to gain full administrative control over the network infrastructure. Once compromised, attackers can modify router configurations, intercept network traffic, redirect DNS requests, and establish persistent backdoors. The vulnerability affects the core network connectivity functions of the routers, potentially disrupting services for all connected devices and creating a significant attack surface for further network exploration and lateral movement. This aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1021.001 for remote services, as the compromised routers can serve as entry points for broader network infiltration.
Mitigation strategies should prioritize immediate firmware updates from Arris to address the command injection vulnerability. Network administrators should also implement network segmentation to limit the impact of potential compromise and monitor for unusual network traffic patterns that might indicate exploitation attempts. Additional protective measures include disabling unnecessary remote management features, implementing strong authentication mechanisms, and conducting regular security assessments of network infrastructure. The vulnerability highlights the importance of secure coding practices and input validation in embedded systems, particularly those handling network configuration parameters that directly interface with underlying operating system commands.