Full Report
Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at the time of this posting. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule
Analysis Summary
# Vulnerability: MC Technologies LR Router and GoCast Unpatched Flaws (OS Command Injection/Auth Bypass)
## CVE Details
- **CVE ID:** CVE-2024-28025, CVE-2024-28026, CVE-2024-28027, CVE-2024-21786, CVE-2024-21855, CVE-2024-28892, CVE-2024-29224
- **CVSS Score:** Not explicitly provided in the text for the individual CVEs. The flaws described (OS command injection) imply High/Critical severity.
- **CWE:** Command Injection (likely CWE-78) for injection flaws; Authorization Bypass (likely CWE-287/CWE-862) for GoCast flaws.
## Affected Systems
- **Products:**
  - MC Technologies LR Router (Two-port and four-port variants)
  - GoCast Service
- **Versions:** Not specified, but the vulnerabilities are present in the versions running the impacted functionality at the time of the advisory (December 9, 2024).
- **Configurations:**
  - **MC-LR Router:** Exploitable via the I/O configuration functionality of the web interface (authenticated HTTP requests) and via configuration file importation.
  - **GoCast:** Exploitable via the HTTP API endpoints used for application registration/deregistration (lacks authentication).
## Vulnerability Description
This summary covers combined vulnerabilities discovered across two products:
**1. MC Technologies LR Router (TALOS-2024-1953 & TALOS-2024-1954):**
* **OS Command Injection (TALOS-2024-1953):** Three vulnerabilities (CVE-2024-28025 through CVE-2024-28027) exist in the I/O configuration functionality of the web interface that allow for OS command injection. These require an authenticated HTTP request.
* **OS Command Injection (TALOS-2024-1954):** One vulnerability (CVE-2024-21786) related to the importation of uploaded configuration files, also leading to OS command injection via an authenticated HTTP request.
**2. GoCast Service (TALOS-2024-1960, TALOS-2024-1961, TALOS-2024-1962):**
* **Authentication Bypass (CVE-2024-21855):** The HTTP API procedures for registering and deregistering applications can be accessed without requiring any authentication.
* **OS Command Injection (CVE-2024-28892 & CVE-2024-29224):** Due to the lack of authentication, an attacker can exploit these flaws, leading to OS command injection and arbitrary command execution.
## Exploitation
- **Status:** Unpatched at the time of the report (December 9, 2024). Exploitation in the wild is not confirmed, but the potential is high given the nature of the flaws.
- **Complexity:** Likely Low to Medium, especially for the GoCast product where authentication is bypassed entirely for registration functions.
- **Attack Vector:**
  - **MC-LR Router:** Network (via HTTP requests).
  - **GoCast:** Network (via unauthenticated HTTP API requests).
## Impact
- **Confidentiality:** High (OS command injection can lead to information disclosure).
- **Integrity:** High (OS command injection allows arbitrary command execution, critical integrity loss).
- **Availability:** High (Arbitrary command execution can lead to denial of service or system compromise).
## Remediation
### Patches
- **Status:** These vulnerabilities **have not been patched** at the time the article was published (December 9, 2024). Researchers are advised to check vendor advisories for updates. (No specific patch versions provided in the source text).
### Workarounds
- No specific workarounds are detailed in the provided text. Users should consult vendor advisories for immediate mitigation guidance. For the GoCast service, restricting network access to the HTTP API or implementing strong external authentication mechanisms would serve as an emergency workaround pending patches.
## Detection
- **Indicators of Compromise:** Successful exploitation of OS command injection would result in unauthorized system activity, execution of unexpected binaries, or modification of system files/configurations on the affected devices.
- **Detection Methods and Tools:** Snort coverage for detecting the exploitation of these vulnerabilities is available for download from Snort.org (latest rule sets).
## References
- **Vendor Advisories:** Cisco Talos Intelligence's website ([talosintelligence.com/vulnerability_reports/](https://talosintelligence.com/vulnerability_reports/)) for TALOS-2024-1953, TALOS-2024-1954, TALOS-2024-1962/1960/1961.
- **Relevant Links:**
  - Cisco Talos Blog Post: hxxps://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnerabilities-2/