CVE-2024-7469 in MSG1200info

Summary

by MITRE • 08/05/2024

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been declared as critical. This vulnerability affects the function sslvpn_config_mod of the file /vpn/list_vpn_web_custom.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273562 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/05/2024

The CVE-2024-7469 vulnerability represents a critical security flaw affecting Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running firmware version 3.90. This vulnerability resides within the web interface component of these network security appliances, specifically in the sslvpn_config_mod function located in the /vpn/list_vpn_web_custom.php file. The flaw manifests as an operating system command injection vulnerability that occurs when manipulating the template/stylenum argument, creating a significant attack surface that allows remote exploitation without requiring authentication. The vulnerability's classification as critical stems from its ability to enable arbitrary command execution on the affected devices, potentially granting attackers complete control over the network infrastructure. This represents a severe compromise of network security posture since the attack vector is remote and the exploit has been publicly disclosed, making it immediately available to threat actors.

The technical implementation of this vulnerability follows the classic command injection pattern where user-supplied input is directly incorporated into system commands without proper sanitization or validation. The template/stylenum parameter serves as the attack vector, allowing an attacker to inject malicious commands that get executed by the underlying operating system. This type of vulnerability maps directly to CWE-77, which specifically addresses command injection flaws in software applications. The web interface component of these devices provides an accessible attack surface since it typically operates over standard HTTP/HTTPS protocols and may be exposed to untrusted networks. The fact that the vulnerability affects the SSL VPN configuration management function indicates that attackers could potentially compromise the entire virtual private network infrastructure, affecting all users who rely on these devices for secure remote access.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it enables complete system compromise of the affected Raisecom devices. An attacker with remote access could potentially modify VPN configurations, create persistent backdoors, intercept network traffic, or use the compromised device as a pivot point to attack other systems within the network. The vulnerability's exploitation could lead to data breaches, man-in-the-middle attacks, and complete network infiltration since these devices often serve as critical network gateways. The disclosed exploit (VDB-273562) increases the immediate risk level significantly, as it provides threat actors with a ready-made attack method. Organizations relying on these devices for network security may face severe consequences including regulatory violations, financial losses, and reputational damage. The lack of vendor response to early disclosure attempts compounds the risk, leaving affected organizations without official patches or mitigation guidance.

Organizations affected by this vulnerability should immediately implement network segmentation to isolate the impacted devices from critical systems and consider disabling the vulnerable web interface functionality until proper patches are available. The recommended mitigations align with ATT&CK framework techniques T1059.001 for command and scripting interpreter and T1071.004 for application layer protocol. Network monitoring should be enhanced to detect suspicious command execution patterns and unusual traffic to the affected devices. Security teams should consider implementing web application firewalls to filter malicious payloads targeting the specific vulnerable endpoint. The absence of vendor response necessitates immediate action from affected organizations to conduct comprehensive vulnerability assessments of their network infrastructure and implement temporary workarounds. Additionally, organizations should review their incident response procedures to prepare for potential exploitation of this vulnerability, as the public availability of the exploit increases the probability of successful attacks. The vulnerability underscores the importance of maintaining up-to-date firmware and establishing robust vendor communication channels for security vulnerability management.

Responsible

VulDB

Disclosure

08/05/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.24873

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!