# Full Report
The vulnerability, found in versions of Four-Faith routers, appears to have been exploited in the wild and has been connected to attempted infections of Mirai. The post "Thousands of industrial routers vulnerable to command injection flaw" appeared first on CyberScoop.
# Analysis Summary
# Vulnerability: Command Injection in Four-Faith Industrial Routers
## CVE Details
- CVE ID: CVE-2024-12856
- CVSS Score: 7.2 (High)
- CWE: Not explicitly stated; the description corresponds to Improper Neutralization of Special Elements used in an Operating System Command ('OS Command Injection')
## Affected Systems
- Products: Four-Faith Industrial Routers (F3x24 and F3x36 models)
- Versions: Firmware version 2.0 (and possibly others)
- Configurations: Authentication is required; observed exploitation relies on default credentials.
## Vulnerability Description
The vulnerability is a post-authentication command injection flaw in Four-Faith F3x24 and F3x36 routers. An attacker who manages to authenticate (potentially using default credentials) can remotely inject arbitrary commands into the underlying operating system over HTTP.
## Exploitation
- Status: Exploited in the wild, connected to attempted infections of Mirai malware variants.
- Complexity: Low (due to reliance on default credentials).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Ability to run OS commands allows access to sensitive data)
- Integrity: High (Ability to execute arbitrary code allows system modification)
- Availability: High (can lead to device compromise or disruption; the flaw has been linked to Mirai botnet activity)
## Remediation
### Patches
- No specific patch versions were detailed in the provided article text.
### Workarounds
- The source does not describe specific workarounds. Because the flaw is only exploitable after authentication, changing any default credentials on affected devices is the immediate action to take.
## Detection
- **Indicators of Compromise (IoCs):** Malicious network activity attributed to the IP address `178.215.238.91` (observed historically).
- **Detection Methods and Tools:** VulnCheck provided a Suricata detection rule for identifying exploitation attempts targeting CVE-2024-12856 against affected routers.
## References
- [VulnCheck summary of CVE-2024-12856](https://nvd.nist.gov/vuln/detail/CVE-2024-12856)
- [DucklingStudio blog on Mirai detection](https://ducklingstudio.blog.fc2.com/blog-entry-392.html#google_vignette)