-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3346
          Advisory (icsa-21-280-05) InHand Networks IR615 Router
                              8 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           InHand Networks IR615 Router
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise        -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Delete Arbitrary Files          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2021-38486 CVE-2021-38484 CVE-2021-38482
                   CVE-2021-38480 CVE-2021-38478 CVE-2021-38476
                   CVE-2021-38474 CVE-2021-38472 CVE-2021-38470
                   CVE-2021-38468 CVE-2021-38466 CVE-2021-38464
                   CVE-2021-38462  

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-280-05)

InHand Networks IR615 Router

Original release date: October 07, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: InHand Networks
  o Equipment: IR615 Router
  o Vulnerabilities: Improper Restriction of Rendered UI Layers or Frames,
    Improper Authorization, Cross-site Request Forgery, Inadequate Encryption
    Strength, Improper Restriction of Excessive Authentication Attempts,
    Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, OS
    Command Injection, Observable Response Discrepancy, Weak Password
    Requirements

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker to take
full control of the product, remotely perform actions on it, intercept its
communications and steal sensitive information, hijack sessions, and
brute-force user passwords. Further successful exploitation may allow the
upload of malicious files, deletion of system files, remote code execution,
and enumeration of user accounts and passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the InHand Networks IR615 Router are affected:

  o IR615 Router: Versions 2.3.0.r4724 and 2.3.0.r4870

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF RENDERED UI LAYERS OR FRAMES CWE-1021

The affected product's management portal does not contain an X-FRAME-OPTIONS
header, which an attacker may take advantage of by sending a link to an
administrator that frames the router's management portal and could lure the
administrator to perform changes.

CVE-2021-38472 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

3.2.2 IMPROPER AUTHORIZATION CWE-285

The vendor's cloud portal allows for self-registration of the affected product
without any requirements to create an account, which may allow an attacker to
have full control over the product and execute code within the internal network
to which the product is connected.

CVE-2021-38486 has been assigned to this vulnerability. A CVSS v3 base score of
8.0 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The affected product is vulnerable to cross-site request forgery when
unauthorized commands are submitted from a user the web application trusts.
This may allow an attacker to remotely perform actions on the router's
management portal, such as making configuration changes, changing administrator
credentials, and running system commands on the router.

CVE-2021-38480 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
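The two browser-side weaknesses above (3.2.1, a portal that can be framed, and
3.2.3, state-changing requests accepted without proof that the user intended
them) share one mitigation pattern on the server. The following Python is an
added illustration written for this bulletin; it is not code from the IR615
firmware, from InHand Networks or from CISA, and it says nothing about how the
router's portal is actually built. It assumes a hypothetical management portal
with a session id available to the handler, a server secret named
SERVER_SECRET (constructed here), and a form field named csrf_token; the
handler name handle_config_change is likewise hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Per-device secret for the hypothetical portal (constructed here; a real device
# would generate it once at provisioning and keep it out of the firmware image).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a CSRF token stays valid


def security_headers() -> Dict[str, str]:
    """Headers that forbid framing of the portal (CWE-1021).

    X-Frame-Options covers older browsers; frame-ancestors is the CSP
    equivalent that current browsers honour.
    """
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def _mac(session_id: str, ts: str) -> str:
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Synchronizer token bound to the session: '<issued-at>.<hmac>'.

    Binding to the session id means a token captured from one session is
    useless in another; the timestamp bounds its lifetime.
    """
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(session_id: str, token: str,
                      now: Optional[float] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this session."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_MAX_AGE:
        return False
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def handle_config_change(session_id: str, form: Dict[str, str],
                         now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """A state-changing POST handler: no valid token, no change (CWE-352).

    The session cookie itself should additionally be set with
    'SameSite=Strict; Secure; HttpOnly' so a cross-site page cannot attach it.
    """
    headers = security_headers()
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), now=now):
        return 403, headers
    # ... apply the requested configuration change here ...
    return 200, headers
```

Every response from the portal carries the two anti-framing headers, and every
request that changes state must present a token that was issued for the same
session and has not expired. A page the user is lured onto can still send a
request that carries the victim's session cookie, but it cannot read or forge
the token, so the request is refused with 403.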

3.2.4 INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product has inadequate encryption strength, which may allow an
attacker to intercept the communication and steal sensitive information or
hijack the session.

CVE-2021-38464 has been assigned to this vulnerability. A CVSS v3 base score of
6.4 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.5 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected product has no account lockout policy configured for the login
page of the product. This may allow an attacker to execute a brute-force
password attack with no time limitation and without harming the normal
operation of the user. This could allow an attacker to gain valid credentials
for the product interface.

CVE-2021-38474 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.2.6 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected product does not have a filter or signature check to detect or
prevent an upload of malicious files to the server, which may allow an
attacker, acting as an administrator, to upload malicious files. This could
result in cross-site scripting, deletion of system files, and remote code
execution.

CVE-2021-38484 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
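The "filter or signature check" that 3.2.6 says is missing is, in practice,
a short allow-list routine run before an uploaded file is written anywhere.
The Python below is an added illustration for this bulletin, not code from
the IR615, InHand Networks or CISA, and it does not describe which file types
the router's portal accepts. The extension-to-signature table, the size
limit and the function name validate_upload are all constructed for the
example.

```python
import os
import re
from typing import Dict

MAX_UPLOAD_BYTES = 8 * 1024 * 1024
# Constructed allow-list: permitted extension -> file signature it must start with.
ALLOWED_SIGNATURES: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "gz": b"\x1f\x8b",
}
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return the name to store the file under, or raise UploadRejected.

    Checks, in order: size, a bare file name (no directory components),
    exactly one extension from the allow-list, and a file signature that
    agrees with that extension. The client-supplied Content-Type is ignored
    entirely because it is attacker-controlled.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    # Strip any path, whether it uses '/' or '\\' separators.
    name = os.path.basename(filename.replace("\\", "/"))
    if name.count(".") != 1:
        raise UploadRejected("expected exactly one extension")
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not _SAFE_STEM.match(stem):
        raise UploadRejected("file name contains disallowed characters")
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared type")
    return f"{stem}.{ext}"
```

The returned name is what the server should use; storing it under a
server-generated name in a directory outside the web root removes the
remaining risk that a stored file is ever served or executed as a script. A
signature check establishes the file's type, not its safety, so it is a
precondition for whatever the file is used for, not a replacement for
validating that use.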

3.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79

The affected product does not perform sufficient input validation on client
requests from the help page. This may allow an attacker to perform a reflected
cross-site scripting attack, which could allow an attacker to run code on
behalf of the client browser.

CVE-2021-38466 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L).

3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

The affected product is vulnerable to an attacker using a ping tool to inject
commands into the device. This may allow the attacker to remotely run commands
on behalf of the device.

CVE-2021-38470 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.9 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

The affected product is vulnerable to an attacker using a traceroute tool to
inject commands into the device. This may allow the attacker to remotely run
commands on behalf of the device.

CVE-2021-38478 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
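Both 3.2.8 and 3.2.9 are the same defect in two diagnostic features: a
host name typed into a ping or traceroute form reaches a shell. The fix is
the same for both, so one added example serves the pair. The Python below
is written for this bulletin and is not code from the IR615, InHand Networks
or CISA; it assumes a hypothetical web handler that receives a tool name and
a target string, and the function names validate_target, build_diag_argv and
run_diag are constructed for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# One RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading or
# trailing hyphen. Anything else (spaces, quotes, ';', '$', '|', ...) fails.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Fixed argument templates; the validated target is always the last element.
_TOOLS = {
    "ping": ["ping", "-c"],        # count appended, then target
    "traceroute": ["traceroute"],  # target only
}


def validate_target(target: str) -> str:
    """Return a canonical IP literal or hostname, or raise ValueError.

    Allow-listing the shape of the input is the control; it does not try to
    strip or escape metacharacters, it simply refuses anything that is not a
    host. The regex also rules out a leading '-', so the value can never be
    parsed as an option by the tool.
    """
    if not isinstance(target, str) or not 1 <= len(target) <= 253:
        raise ValueError("target must be 1-253 characters")
    try:
        return str(ipaddress.ip_address(target))  # canonical IPv4/IPv6 form
    except ValueError:
        pass
    hostname = target.rstrip(".")
    if hostname and all(_LABEL.match(label) for label in hostname.split(".")):
        return hostname
    raise ValueError("target is not an IP literal or hostname")


def build_diag_argv(tool: str, target: str, count: int = 4) -> List[str]:
    """Build the exact argv for the diagnostic; no shell is ever involved."""
    if tool not in _TOOLS:
        raise ValueError("unknown diagnostic tool")
    if not isinstance(count, int) or not 1 <= count <= 10:
        raise ValueError("count must be 1-10")
    argv = list(_TOOLS[tool])
    if tool == "ping":
        argv.append(str(count))
    argv.append(validate_target(target))
    return argv


def run_diag(tool: str, target: str, count: int = 4) -> str:
    """Execute the diagnostic with an argv list (shell=False) and a timeout."""
    argv = build_diag_argv(tool, target, count)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return proc.stdout + proc.stderr
```

Two properties matter here. First, the program and its options are fixed by
the server and only the target is user-supplied, and it is passed as a single
argv element rather than interpolated into a command string, so there is no
shell to interpret it. Second, the target is accepted only if it has the
shape of a host; rejecting everything else is simpler and safer than trying
to enumerate dangerous characters.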

3.2.10 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79

The affected product's website used to control the router is vulnerable to
stored cross-site scripting, which may allow an attacker to hijack sessions of
users connected to the system.

CVE-2021-38482 has been assigned to this vulnerability. A CVSS v3 base score of
8.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).

3.2.11 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79

The affected product is vulnerable to stored cross-site scripting, which may
allow an attacker to hijack sessions of users connected to the system.

CVE-2021-38468 has been assigned to this vulnerability. A CVSS v3 base score of
8.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).

3.2.12 OBSERVABLE RESPONSE DISCREPANCY CWE-204

The affected product's authentication process response indicates and validates
the existence of a username. This may allow an attacker to enumerate different
user accounts.

CVE-2021-38476 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.13 WEAK PASSWORD REQUIREMENTS CWE-521

The affected product does not enforce an effective password policy. This may
allow an attacker with obtained user credentials to enumerate passwords,
impersonate other application users and perform operations on their behalf.

CVE-2021-38462 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
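Three of the findings above are properties of a single login path: no
lockout (3.2.5, CWE-307), a response that says whether the username exists
(3.2.12, CWE-204) and no password policy (3.2.13, CWE-521). The Python below
is an added example for this bulletin showing how one authentication routine
closes all three; it is not code from the IR615, InHand Networks or CISA and
does not describe the router's real login implementation. The thresholds
(MAX_FAILURES, LOCKOUT_SECONDS, MIN_PASSWORD_LENGTH), the deny list of common
passwords and the class name Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5           # attempts before a lockout starts
LOCKOUT_SECONDS = 900      # 15 minutes
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12
# Constructed deny list; a real device would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "admin", "adm", "qwerty", "letmein"}
# One message for every failure mode so the response reveals nothing (CWE-204).
GENERIC_ERROR = "Invalid username or password"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_password_policy(password: str, username: str) -> Optional[str]:
    """Return the reason a password is unacceptable, or None if it passes (CWE-521)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "too common"
    if username and username.lower() in password.lower():
        return "contains the username"
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        return "needs three character classes"
    return None


class Authenticator:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        # username -> (consecutive failures, locked-until timestamp)
        self.failures: Dict[str, Tuple[int, float]] = {}
        # Dummy credential verified for unknown users, so the work done (and
        # hence the timing) is the same whether or not the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _derive("dummy-password-not-a-real-account", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        reason = check_password_policy(password, username)
        if reason is not None:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.users[username] = (salt, _derive(password, salt))

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR  # locked out (CWE-307); same message
        record = self.users.get(username)
        salt, stored = record if record is not None else (self._dummy_salt, self._dummy_hash)
        matches = hmac.compare_digest(_derive(password, salt), stored)
        if record is not None and matches:
            self.failures.pop(username, None)
            return True, "ok"
        # Count failures for unknown names too; otherwise lockout behaviour
        # would itself disclose which usernames exist.
        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

The clock is injected so the lockout window can be tested without waiting;
in production the default time.time is used. A fixed-window lockout keyed on
the username is the simplest form of the control; a device exposed to the
Internet would normally also rate-limit by source address and log each
lockout so that a sustained guessing campaign is visible in monitoring.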

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik
of OTORIO reported these vulnerabilities to CISA.

4. MITIGATIONS

InHand Networks has not responded to requests to work with CISA to mitigate
these vulnerabilities. Users of this affected product are invited to contact
InHand Networks customer support.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----