Security company Cylance discovered a vulnerability in ANTlabs InnGate devices, which provide Wi-Fi access in hotels, convention centers and other places, after which they issued a public advisory on March 26 about the vulnerability (CVE-2015-0932).
In its advisory, ANTlabs warns, “An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access.”
Researcher Brian Wallace wrote in a detailed blog post that “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”
In his blog, Brian Wallace explains that after gaining full read and write access, the attacker could upload a backdoored version or add a user with root-level access and a password known to the attacker. “Once this is done the endpoint is at the mercy of the attacker.”
According to Cylance researchers, there are 277 vulnerable devices in 29 countries, including the United States, Cuba, Australia and Italy, that could be directly exploited from the Internet.
The Darkhotel APT campaign, which specifically targeted executives via Wi-Fi networks at luxury hotels, was uncovered by Kaspersky Lab researchers last fall. A similar attack could be carried out by leveraging this vulnerability.
According to the blog post, “The DarkHotel campaign was carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact. The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it.”
Wallace added, “Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems. Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.”
When InnGate devices are integrated into Property Management Systems (PMS), software applications used to coordinate operational functions, they store credentials to the PMS, and an attacker could potentially gain full access to the PMS.
The vulnerability can be mitigated by blocking the unauthenticated rsync process from Internet access, using a TCP-DENY on port 873 on the network device upstream of the affected InnGate device.
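
Beyond blocking the port, administrators can check an rsync daemon's own configuration for the condition the advisory describes (unauthenticated, writable modules). The following is an added example, not code from ANTlabs or Cylance: a small auditor for `rsyncd.conf` files. The sample configuration is constructed for illustration and is not the InnGate's actual configuration, which the sources quoted here do not show.

```python
TRUTHY = {"yes", "true", "1"}

SAMPLE_CONF = """\
# constructed sample, not taken from any real device
uid = root
[backup]
    path = /
    read only = no
[docs]
    path = /srv/docs
    uid = nobody
    auth users = mirror
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

def parse_rsyncd_conf(text):
    """Split an rsyncd.conf into global defaults and per-module parameters."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif sep and not line.startswith("#"):
            key = "".join(name.split()).lower()  # "read only" -> "readonly"
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Return {module: [findings]} for modules that are risky if reachable."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # global values act as module defaults
        checks = [
            (not eff.get("authusers"), "no 'auth users': anonymous access"),
            (eff.get("readonly", "yes").lower() not in TRUTHY, "'read only' off: clients can write"),
            (not eff.get("hostsallow"), "no 'hosts allow': any source address accepted"),
            (eff.get("uid", "").lower() in {"root", "0"}, "transfers run as root"),
            (eff.get("path", "x").rstrip("/") == "", "module path is the filesystem root"),
        ]
        findings = [msg for hit, msg in checks if hit]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the constructed sample, the `backup` module trips all five checks while `docs` passes; a module that is both anonymous and writable should be treated as exposed wherever TCP 873 is reachable.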