CVE-2022-26994 in SBR-AC1900P
Summary
by MITRE • 03/16/2022
Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/18/2022
The CVE-2022-26994 vulnerability affects Arris residential gateway routers including the SBR-AC1900P, SBR-AC3200P, and SBR-AC1200P models with specific firmware versions. This represents a critical command injection flaw that resides within the Point-to-Point Tunneling Protocol implementation of these devices. The vulnerability specifically manifests in the pptpUserName and pptpPassword parameters, which are utilized when configuring pptp client settings on the affected routers. The flaw stems from insufficient input validation and sanitization within the web interface handling of these parameters, creating an avenue for malicious actors to inject arbitrary commands into the underlying operating system.
This vulnerability operates at the application layer and directly relates to CWE-77 which defines command injection flaws where untrusted data is incorporated into system commands without proper validation or escaping. The attack vector involves sending specially crafted HTTP requests to the router's web administration interface, where the vulnerable parameters are processed without adequate sanitization. When an attacker submits malicious input through the pptpUserName or pptpPassword fields, the router fails to properly escape or validate the input before incorporating it into system commands, allowing for arbitrary code execution with the privileges of the web server process. The impact is particularly severe as these routers typically operate with administrative privileges and are often accessible from local networks.
The operational implications of this vulnerability extend beyond simple remote code execution, as it can enable attackers to fully compromise the affected devices. Once exploited, adversaries can gain persistent access to the router's operating system, potentially allowing them to modify network configurations, redirect traffic, establish backdoors, or use the device as a pivot point for attacking other systems within the local network. The vulnerability affects devices that are commonly deployed in residential and small office environments, where network security may be less stringent, making these targets particularly attractive for attackers. Network reconnaissance tools can easily identify these vulnerable devices on the network, and the relatively simple exploitation process means that even less sophisticated attackers can leverage this vulnerability.
Mitigation strategies should focus on immediate firmware updates from Arris, which would contain patches addressing the input validation issues in the pptp implementation. Organizations and individuals should also implement network segmentation to isolate these devices from critical systems and consider disabling pptp functionality if it is not required. Network monitoring solutions should be configured to detect unusual traffic patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of input validation and proper sanitization of user-supplied data in web applications, aligning with ATT&CK technique T1059.001 for command and script injection. Additionally, network administrators should consider implementing network access controls and firewall rules to limit access to router administrative interfaces to trusted IP addresses only, reducing the attack surface for such vulnerabilities.