Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available.
The flaws were discovered nearly one year ago by researchers at industrial cybersecurity firm OTORIO in IR615 LTE routers made by industrial IoT solutions provider InHand Networks. The company has offices in China, the U.S. and Germany, and its products are used all around the world. InHand says its customers include Siemens, GE Healthcare, Coca Cola, Philips Healthcare and other major companies.
According to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), OTORIO researchers discovered a total of 13 vulnerabilities in the IR615 router.
The list includes critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues, as well as high-severity improper authorization and cross-site scripting (XSS) vulnerabilities.
CISA warned that malicious actors could exploit the vulnerabilities to take complete control of affected devices and intercept communications in an effort to steal sensitive information.
OTORIO told SecurityWeek that it has identified thousands of internet-exposed InHand routers that could be vulnerable to attacks, but the company noted that exploitation from the internet requires authentication to the router’s web management portal. An attacker could authenticate to the device using default credentials or by leveraging brute-force attacks to obtain login credentials. Brute-force attacks are made easy by the router’s weak password policy and a flaw that can be used to enumerate all valid user accounts.
The cybersecurity firm warned that an attacker could leverage the vulnerabilities to infiltrate an organization. From the InHand device, the attacker could move to other industrial systems within the victim’s network.
“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, penetration tester at OTORIO. “The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”
OTORIO reported its findings to InHand Networks, through CISA, in November 2020. However, CISA said in its advisory that the vendor “has not responded to requests to work with CISA to mitigate these vulnerabilities.” CISA has provided some generic mitigations to help impacted organizations reduce the risk of exploitation.
SecurityWeek has reached out to InHand Networks for comment and will update this article if the company responds.
UPDATE 06/30/2022: InHand has informed SecurityWeek that an advisory addressing the vulnerabilities has been published. An update that should patch the flaws has been released.
Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers
Related: Several Vulnerabilities Expose Phoenix Contact Industrial 4G Routers to Attacks