SecurityWeek

Network Security

Multiple Vulnerabilities Fixed in CUJO Smart Firewall

Vulnerabilities recently addressed by CUJO AI in the CUJO Smart Firewall could be exploited to take over the device, Cisco Talos security researchers reveal. 

Built on a Linux-based operating system running a kernel with PaX patches, the Smart Firewall was designed to protect home networks against attacks such as malware, phishing websites, and hacking attempts, and may be deployed in sensitive locations within the network.

Talos discovered 11 vulnerabilities in the device, including two chains that could be used to execute code remotely without authentication. 

The first is rooted in the Webroot BrightCloud SDK, which CUJO uses as part of its safe browsing protection. Tracked as CVE-2018-4012, the security bug allows an unauthenticated attacker to impersonate BrightCloud’s services and execute code on the device as the root user. 

Because the BrightCloud SDK also defaults to using HTTP connections (CVE-2018-4015) to communicate with the remote BrightCloud services, exploitation is trivial if the attacker can intercept the traffic. 

Another issue stems from CUJO’s use of the Lunatik Lua engine to execute Lua scripts from within the kernel context. A script injection vulnerability (CVE-2018-4031) allows an unauthenticated user on the local network to execute Lua scripts in the kernel.

Another bug (CVE-2018-4030) could be abused to trick CUJO into extracting and analyzing an arbitrary hostname, and an attacker could chain these vulnerabilities together to trigger the Lua injection and effectively execute code in the kernel. The flaws can also be targeted from the local network, Talos says. 

Another issue involves the mobile app that CUJO users can download to configure their device, with CUJO acting as a router and serving DHCP requests. The application can be used to set up static DHCP entries, and a vulnerability (CVE-2018-3963) in the way DHCP hostnames are handled can be leveraged to execute arbitrary operating system commands as the root user.

CUJO uses Das U-Boot’s open-source primary boot loader “Verified Boot,” and also permanently protects the first 16MB of CUJO’s eMMC to prevent modifications to the system’s bootloaders, but Talos also discovered two vulnerabilities that bypass these protections.

The first (CVE-2018-3968) resides in Das U-Boot and affects versions 2013.07-rc1 to 2014.07-rc2 (inclusive). Because signatures on U-Boot FIT images are not enforced, it is possible to boot legacy unsigned images, and an attacker can replace a signed FIT image with a legacy, unsigned one, the researchers say. 

Because the U-Boot bootloader is unmodifiable, the vulnerability cannot be fixed in CUJO. The issue, however, is not as severe in isolation. 

It is also possible to execute arbitrary commands as root at device boot by modifying the `dhcpd.conf` file and making the DHCP server execute shell commands (CVE-2018-3969). The file persists across reboots, and the code would be executed at each boot. 
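As an added defender's check (not code from the article, CUJO or Talos), the following Python audits a constructed dhcpd.conf for the two patterns the DHCP findings above describe: event hooks that shell out via `execute()`, which is the boot-time persistence mechanism, and static hostnames with characters outside RFC 1123 that should never reach a shell. The syntax is ISC dhcpd's; CUJO's actual file layout is an assumption.

```python
import re

# Constructed sample dhcpd.conf (not taken from a CUJO device). It carries
# an event hook that runs a shell command on lease commit and a static host
# entry whose hostname contains a shell metacharacter.
SAMPLE_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  on commit {
    execute("/bin/sh", "-c", "/tmp/run.sh");
  }
}
host printer {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.10;
  option host-name "printer";
}
host odd {
  hardware ethernet 00:11:22:33:44:66;
  option host-name "bad;name";
}
"""

# ISC dhcpd event hooks in which execute() statements may appear.
EVENT_RE = re.compile(r'\bon\s+(commit|release|expiry)\s*\{', re.I)
# execute("<program>", ...): capture the program being launched.
EXECUTE_RE = re.compile(r'\bexecute\s*\(\s*"([^"]*)"')
# Static hostname assignments.
HOSTNAME_RE = re.compile(r'option\s+host-name\s+"([^"]*)"')
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
VALID_HOSTNAME_RE = re.compile(r'^' + LABEL + r'(?:\.' + LABEL + r')*$')


def audit_dhcpd_conf(text):
    """Return (line_no, kind, detail) findings for a dhcpd.conf body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if EVENT_RE.search(line):
            findings.append((lineno, "event-hook", line.strip()))
        m = EXECUTE_RE.search(line)
        if m:
            findings.append((lineno, "execute", m.group(1)))
        m = HOSTNAME_RE.search(line)
        if m and not VALID_HOSTNAME_RE.match(m.group(1)):
            findings.append((lineno, "bad-hostname", m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_dhcpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {kind}: {detail}")
```

Run the audit against the real file on a schedule and alert on any finding; an `execute()` hook that appears between two runs is exactly the persistence the advisory describes.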

The device is also impacted by a vulnerability that could be abused to bypass safe browsing, potentially allowing malicious websites to serve malware even in the presence of CUJO’s filtering.

Two other code execution vulnerabilities were found in the parsing of mDNS messages, but, because CUJO constrains the affected `mdnscap` process in a low-privileged chroot-ed environment, an attacker would need to escalate privileges to fully compromise the device (CVE-2018-3985 and CVE-2018-4003).

The security researchers also discovered two denial-of-service vulnerabilities (CVE-2018-4002 and CVE-2018-4011) in the CUJO Smart Firewall.

CUJO AI has already released security patches for these vulnerabilities and users should make sure their devices have been updated as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.