Connect with us

Hi, what are you looking for?


Network Security

Multiple Vulnerabilities Fixed in CUJO Smart Firewall

Vulnerabilities recently addressed by CUJO AI in the CUJO Smart Firewall could be exploited to take over the device, Cisco Talos security researchers reveal. 

Vulnerabilities recently addressed by CUJO AI in the CUJO Smart Firewall could be exploited to take over the device, Cisco Talos security researchers reveal. 

Based on a Linux-based operating system running a kernel with PaX patches, the Smart Firewall was designed to protect home networks against attacks such as malware, phishing websites, and hacking attempts, and may be deployed in sensitive locations within the network.

Talos discovered 11 vulnerabilities in the device, including two chains that could be used to execute code remotely without authentication. 

The first roots in the Webroot BrightCloud SDK, which CUJO uses as part of their safe browsing protection. Tracked as CVE-2018-4012, the security bug allows an unauthenticated attacker to impersonate BrightCloud’s services and execute code on the device as the root user. 

Because the BrightCloud SDK also defaults to using HTTP connections (CVE-2018-4015) to communicate with the remote BrightCloud services, exploitation is trivial if the attacker can intercept the traffic. 

One other issue steams in CUJO’s use of the Lunatik Lua engine to execute Lua scripts from within the kernel context. A script injection vulnerability (CVE-2018-4031) allows an unauthenticated user in the local network to execute Lua scripts in the kernel.

Another bug (CVE-2018-4030) could be abused to trick CUJO into extracting and analyzing any arbitrary hostname and an attacker could chain these vulnerabilities together to trigger the Lua injection and effectively execute code in the kernel. The flaws can also be targeted from the local network, Talos says. 

One other issue resides in the fact that CUJO users can download a mobile app to configure their device, with CUJO acting as a router and serving DHCP requests. The application can be used to set up static DHCP entries, and a vulnerability (CVE-2018-3963) in the way DHCP hostnames are handled can be leveraged to execute arbitrary operating system commands as the root user.

Advertisement. Scroll to continue reading.

CUJO uses Das U-Boot’s open-source primary boot loader “Verified Boot,” and also permanently protects the first 16MB of CUJO’s eMMC to prevent modifications to the system’s bootloaders, but Talos also discovered two vulnerabilities that bypass these protections.

The first (CVE-2018-3968) resides in Das U-Boot and affects versions 2013.07-rc1 to 2014.07-rc2 (inclusive). Because U-Boot FIT images’ signatures are not enforced, making it possible to boot from legacy unsigned images, an attacker can replace a signed FIT image with a legacy, unsigned image, the researchers say. 

Because the U-Boot bootloader is unmodifiable, the vulnerability cannot be fixed in CUJO. The issue, however, is not as severe in isolation. 

It is also possible to execute arbitrary commands as root at device boot by modifying the `dhcpd.conf` file and making the DHCP server execute shell commands (CVE-2018-3969). The file persists across reboots, and the code would be executed at each boot. 

The device is also impacted by a vulnerability that could be abused to bypass safe browsing, potentially allowing malicious websites to serve malware even in presence of CUJO’s filtering.

Two other code execution vulnerabilities were found in the parsing of mDNS messages, but, because CUJO constrains the affected `mdnscap` process in a low-privileged chroot-ed environment, an attacker would need to escalate privileges to fully compromise the device (CVE-2018-3985 and CVE-2018-4003).

The security researchers also discovered two denial-of-service vulnerabilities (CVE-2018-4002 and CVE-2018-4011) in the CUJO Smart Firewall.

CUJO AI has already released security patches for these vulnerabilities and users should make sure their devices have been updated as soon as possible.

Related: Cisco Aware of Attacks Exploiting Critical Firewall Flaw

Related: Experts Find 10 Flaws in Linksys Smart Wi-Fi Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.