"If you've ever used Wi-Fi in a hotel, you're familiar with these types of devices as they are typically tied to a specific room number for billing purposes," Cylance researcher Brian Wallace wrote in a blog post explaining the issue.
The vulnerability, CVE-2015-0932, allows a remote, unauthenticated attacker to read or modify any file on the InnGate device's filesystem.
As Wallace explained, "Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
At that point, Wallace said, it's easy to turn that into remote code execution. The attacker could easily upload a backdoored version of any executable on the system, or just add an additional user with root level access. "Once full file system access is obtained, the endpoint is at the mercy of the attacker," he wrote.
Affected devices include the following models:
- IG 3100 model 3100, model 3101
- InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
- InnGate 3.01 G-Series, 3.10 G-Series
Cylance researchers found 277 vulnerable devices in 29 countries that were directly accessible online. "The Cylance team is working to alert the affected organizations," Wallace wrote.
As Wallace noted, the vulnerability could be leveraged to perform attacks similar to the Darkhotel APT campaign that was uncovered by Kaspersky Lab researchers last fall -- that campaign specifically targeted traveling executives via Wi-Fi networks at luxury hotels.
"While the DarkHotel campaign was clearly carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact," Wallace wrote. "The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it."
"Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems," Wallace added. "Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do."
According to an ANTlabs Security Advisory published yesterday, a hotfix has been released that eliminates the issue. "If your product is still under valid support contract, you may download the latest patch from our online patching system," the company stated. "For expired support contracts or any other issues, please contact our support at firstname.lastname@example.org."
"To mitigate this vulnerability, you can also ensure the gateway is placed behind a trusted network or ensure that access to the rsync TCP port 873 is restricted," ANTlabs added.
"ANTLabs, the creator of the vulnerable InnGate device, should be commended for their response to our notification of the vulnerability," Wallace wrote. "We reported this vulnerability to US-CERT on February 12th and a patch was scheduled for release by ANTLabs on March 26th. It’s not often that vulnerability reporting goes smoothly and ultimately results in a timely patch from the vendor."