Vulnerabilities in Hongdian Router H8951-4G-ESP software
12 January 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID: CVE-2023-49253
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Use of Hard-coded Credentials (CWE-798)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49254
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): OS Command Injection (CWE-78)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49255
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Missing Authentication for Critical Function (CWE-306)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49256
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Use of Hard-coded Credentials (CWE-798)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49257
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Incorrect Permission Assignment for Critical Resource (CWE-732)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49258
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Cross-site Scripting (CWE-79)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49259
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49260
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Cross-site Scripting (CWE-79)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49261
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Report source: Report to CERT Polska

CVE ID: CVE-2023-49262
Publication date: 12 January 2024
Vendor: Hongdian
Product: H8951-4G-ESP
Vulnerable versions: before build 2310271149
Vulnerability type (CWE): Improper Authentication (CWE-287)
Report source: Report to CERT Polska

Description

CERT Polska received a report about vulnerabilities in the firmware of the Hongdian 4G Cellular Router (H8951-4G-ESP) and participated in the coordination of their disclosure.

The vulnerability CVE-2023-49253 is a predefined root password. The root user password is hardcoded into the device and cannot be changed in the user interface.

The vulnerability CVE-2023-49254 allows an authenticated user to execute arbitrary commands in the context of the root user by providing a payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151, which was mitigated at the user interface level by blacklisting characters with JavaScript; however, it can still be exploited by sending POST requests directly.
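
A server-side form of the check for the "destination" field, as an added example that is not Hongdian's code or part of the advisory; the function names and the ping invocation are assumptions. It validates the value against an allowlist and starts the tool without a shell, so nothing depends on filtering done in browser JavaScript.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical server-side check for the "destination" form value: accept
 * only an IPv4/IPv6 literal or a hostname made of letter-digit-hyphen labels. */
bool destination_is_valid(const char *dst)
{
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len = strlen(dst), label = 0;
    if (len == 0 || len > 253)
        return false;
    if (inet_pton(AF_INET, dst, addr) == 1 || inet_pton(AF_INET6, dst, addr) == 1)
        return true;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dst[i];
        if (c == '.') {
            if (label == 0 || dst[i - 1] == '-')   /* empty label or trailing '-' */
                return false;
            label = 0;
        } else if ((c < 128 && isalnum(c)) || (c == '-' && label > 0)) {
            if (++label > 63)
                return false;
        } else {
            return false;   /* shell metacharacters, spaces, quotes, leading '-' */
        }
    }
    return label > 0 && dst[len - 1] != '-';
}

/* Run ping with no shell: dst is one argv element. -1 = rejected or error. */
int run_ping(const char *dst)
{
    if (!destination_is_valid(dst))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", "--", dst, (char *)NULL);
        _exit(127);
    }
    int status;
    return (waitpid(pid, &status, 0) > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```
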

The vulnerability CVE-2023-49255 allows access to the router console without authentication. The router console is accessible without authentication at the "data" field, and while a user must be logged in to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one.

The vulnerability CVE-2023-49256 allows downloading the configuration backup without authorization and decrypting the included passwords using a hardcoded static key.

The vulnerability CVE-2023-49257 allows an authenticated user to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with root user privileges.

The vulnerability CVE-2023-49258 is a cross-site scripting (XSS) vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter.

The vulnerability CVE-2023-49259 allows brute-forcing the authentication cookies, which are generated using a weak algorithm based on the username, a hardcoded secret and the up-time.

The vulnerability CVE-2023-49260 allows changing the MOTD banner and performing an XSS attack.

The vulnerability CVE-2023-49261 allows obtaining the "tokenKey" value from the HTML source code of the login page.

The vulnerability CVE-2023-49262 allows bypassing the authentication mechanism by overflowing the value of the Cookie "authentication" field, provided there is an active user session.

The manufacturer, Hongdian Company, has removed the vulnerabilities in version (build) 2310271149, which was confirmed by the reporter.

Credits

We thank Robert Pogorzelski from SEQRED company for the responsible vulnerability report.


More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.