Researchers discovered two critical vulnerabilities (CVE-2022-36158 and CVE-2022-36159) in Flexlan devices that provide Wi-Fi on aircraft.
Researchers from Necrum Security Labs discovered some critical vulnerabilities tracked as CVE-2022-36158 and CVE-2022-36159 affecting the Contec Flexlan FXA3000 and FXA2000 series LAN devices.
The FXA3000 and FXA2000 series are access points manufactured by Japan-based Contec that comply with the IEEE 802.11n/a/b/g wireless standards.
These devices are installed on airplanes to provide internet connectivity to passengers. An attacker could exploit the vulnerabilities to compromise the inflight entertainment system and potentially carry out other malicious activities.
“It has been determined that our FLEXLAN FX3000/2000 series wireless products have a firmware vulnerability. Possibilities of data plagiarism, falsification and system destruction with malicious programs exist if this vulnerability was exploited by malicious attackers,” reads the advisory published by Contec. “We have a private web page for developers to run system commands, which is not linked to other web settings pages. There are opportunities for data plagiarism, forgery, system destruction and malicious program execution if this vulnerability has been exploited by malicious attackers who have access to this private website (with password information).”
The problems affect devices of the Contec FLEXLAN FXA3000 series running firmware version 1.15.00 and below, and devices of the FLEXLAN FXA2000 series running version 1.38.00 and below.
CVE-2022-36158 is a hidden system-command web page that the researchers discovered while reverse engineering the device firmware. The page is not listed in the Wireless LAN Manager interface; it allows Linux commands to be run on the device with root privileges, giving access to all system files and the ability to open the telnet port.
“[CVE-2022-36158] – Hidden website for system commands. After reverse engineering the firmware, we discovered that a hidden page, not listed in the Wireless LAN Manager interface, allows Linux commands to be run on the device with root privileges. From here we had access to all system files, but we were also able to open the telnet port and have full access to the device,” reads the post published by Necrum Security Labs.
The second vulnerability (CVE-2022-36159) concerns the use of weak hard-coded cryptographic keys and backdoor accounts. The experts discovered a shadow file containing the password hashes of the root and user accounts.
“[CVE-2022-36159] – Use of weak hard-coded cryptographic keys and backdoor accounts. During our investigation, we also found that the /etc/shadow file contains the hash of two users (root and user), which took us just a few minutes to brute force to restore it,” the researchers added. “The problem is that the device owner can only change the account user password through the web admin interface, as the root account is reserved for Contec, probably for maintenance purposes. This means that an attacker could access all FXA2000 and FXA3000 series devices with the hard-coded root password.”
The article published by the experts shows how the vulnerabilities can be exploited and also provides recommendations on how to fix them.
The researchers recommend changing the user account password through the web admin interface and removing the hidden engineering web page from devices in production.
The experts recommend randomly generating a different password for each device.
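As an added example (not code from the Necrum write-up or from Contec), the following Python audit checks /etc/shadow files extracted from firmware images for the conditions described under CVE-2022-36159 and the per-device password recommendation: a root account with a usable password, a hash algorithm that is fast to brute force, and the same hash appearing on more than one device. The image names and shadow entries are constructed sample data.

```python
"""Audit /etc/shadow files pulled from firmware images for the weaknesses behind
CVE-2022-36159: a usable root password, weak crypt(3) hashes, one hash on every device."""
import re
from collections import defaultdict
LOCKED = {"", "!", "!!", "*"}         # conventional "no usable password" markers
WEAK = {"descrypt", "md5crypt"}       # fast to brute force, as the page describes
ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt", "2b": "bcrypt"}

def parse_shadow(text):
    # Map user -> password-hash field for each well-formed shadow line
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def classify_hash(h):
    """Name the algorithm from the crypt(3) prefix; a bare 13-char field is DES."""
    if h in LOCKED or h[0] in "!*":
        return "locked"
    m = re.match(r"^\$([^$]+)\$", h)
    if m:
        return ALGOS.get(m.group(1), "unknown")
    return "descrypt" if len(h) == 13 else "unknown"

def audit(images):
    """images: {image_name: shadow_text}. Returns (image, user, finding) tuples."""
    findings, seen = [], defaultdict(set)     # (user, hash) -> images it appears in
    for name, text in images.items():
        for user, h in parse_shadow(text).items():
            algo = classify_hash(h)
            if algo == "locked":
                continue
            if user == "root":
                findings.append((name, user, "root has a usable password"))
            if algo in WEAK:
                findings.append((name, user, f"weak hash algorithm: {algo}"))
            seen[(user, h)].add(name)
    for (user, _), names in seen.items():
        if len(names) > 1:  # identical hash on several devices: a hard-coded credential
            findings.append((",".join(sorted(names)), user, "same hash on multiple devices"))
    return findings

# Constructed sample (not real Contec data): two images share one md5crypt root hash,
# while the second image's user account already has its own sha512crypt hash.
FIRMWARE_IMAGES = {
    "device_a.bin": "root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:19000:0:99999:7:::\n"
                    "user:$1$saltsalt$VuTsRqPoNmLkJiHgFeDcBa:19000:0:99999:7:::\n",
    "device_b.bin": "root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:19000:0:99999:7:::\n"
                    "user:$6$othersalt$KjIhGfEdCbAzYxWvUtSrQpOnMlKjIhGfEdCbAzYxWvUt:19000:0:99999:7:::\n",
}
```

Running `audit(FIRMWARE_IMAGES)` flags root on both images as usable and weakly hashed, flags the md5crypt user hash on device_a only, and reports the root hash as shared between the two images.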