Published by Chris Watts, Senior Security Consultant, Security Testing and Assurance (STA)
Authenticated RCE (Remote Code Execution)
In January 2024, while examining a Netcomm NL1901ACV VDSL Modem, CyberCX discovered an input sanitisation vulnerability leading to remote code execution. The Netcomm NL1901ACV VDSL Modem is a popular modem in Australia that still comes bundled with some products provided by Internet Service Providers (ISPs).
The vulnerability, exploitable with authenticated access to the web interface, could allow an adversary to alter and monitor network traffic and install harmful network software to attack other connected systems.
The device had been updated to the latest firmware prior to testing.
CyberCX disclosed this vulnerability to the vendor, Casa Systems, for remediation. A Common Vulnerabilities and Exposures (CVE) was raised by CyberCX (CVE-2024-25290). Casa Systems has been responsive and cooperative throughout the process, releasing a patched firmware to address this issue and engaging CyberCX for a retest of the patched firmware version for thorough verification.
CVE Details
CVE ID: CVE-2024-25290
Credit: Chris Watts – CyberCX
CVSSv3.1 Base: 9.9
CVSSv3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected versions: All firmware versions prior to R6B033
The vendor Casa Systems released patched firmware to address this issue.
NL1901ACV Firmware Version R6B033 released on 11/03/2024 remediates the issue.
What We found
During our analysis, the firmware did not perform sufficient sanitisation of user input on specific web interface input fields. Authentication was required to reach the affected endpoints.
The exploitation of this vulnerability involves transmitting a specially crafted HTTP request with a malicious payload to the device. The payload abuses the lack of user input sanitisation to inject arbitrary commands that would then be executed with root privileges.
Given the recent release of the patched firmware, we are refraining from publicly disclosing details of the vulnerability to uphold responsible and ethical security practices.
Impact
Successful exploitation of the vulnerability could allow an adversary to gain root privileges on the underlying operating system of the router. This means that an adversary could alter and monitor network traffic that passes through the compromised router.
The adversary could also install harmful software on the device to attack other network connected systems. Compromised routers could also be recruited to join botnets commonly used in Distributed Denial of Service (DDoS) attacks.
Netcomm NL1901ACV VDSL Modem – Withdrawal and current usage
- The Netcomm NL1901ACV VDSL router has been withdrawn from sale but is a popular VDSL modem still used in Australia that comes bundled with some Australian Internet Service Provider (ISP) packages and has also been used in international markets.
- CASA Systems advised: “This modem was withdrawn from Sale in September 2022. Critical bug fixes and other vital updates will continue for a further 2 years until 20th September 2024 after which all technical support will be withdrawn” (Casa Systems, 2022). Fortunately, the vulnerability was reported within this support window.
As part of our mission to secure our communities, CyberCX’s STA team regularly examines popular hardware products available in Australia for vulnerabilities and potential exploits. Where these are discovered we raise Common Vulnerabilities and Exposures (CVE) and work with the vendor to patch these as soon as possible.
References
Casa Systems. (2022, 09 20). NL1901ACV. Retrieved from NetComm Wireless Support: https://support.netcommwireless.com/products/NL1901ACV
