

Ethical Hacking News

Hacking the Unprotected: Four-Faith Router Flaw Allows Hackers to Open Reverse Shells


Four-Faith router owners and users are advised to update their firmware immediately and change default credentials to avoid potential exploitation of the CVE-2024-12856 post-authentication remote command injection vulnerability. Experts warn that 15,000 internet-facing routers could become targets of this attack.

  • Hackers have exploited a post-authentication remote command injection vulnerability in Four-Faith routers, allowing them to open reverse shells back to the attackers.
  • The flaw requires authentication, but many devices keep default credentials that can be easily brute-forced, giving hackers access to devices.
  • A sample payload has been shared by VulnCheck, which creates a reverse shell to an attacker's computer, providing full remote access to the routers.
  • 15,000 internet-facing Four-Faith routers are potentially vulnerable to this attack.
  • Users must run the latest firmware version and change default credentials to unique and strong passwords to mitigate the threat.
  • A Suricata rule is available to detect and block exploitation attempts of CVE-2024-12856.



    The cybersecurity world has been dealt another blow as hackers have taken advantage of a post-authentication remote command injection vulnerability in Four-Faith routers, allowing them to open reverse shells back to the attackers. The malicious activity was discovered by VulnCheck on December 20, 2024, and it is still unclear whether security updates for the vulnerability are currently available.

    The exploitation of this vulnerability has raised serious concerns among security experts, as many Four-Faith routers deployed in various sectors such as energy, utilities, transportation, telecommunications, and manufacturing have default credentials that can be easily brute-forced. Once logged in with those credentials, hackers can exploit the flaw by sending a specially crafted HTTP POST request to the router's '/apply.cgi' endpoint targeting the 'adj_time_year' parameter.

    The 'adj_time_year' parameter is used for adjusting the system time but can also be manipulated to include a shell command, allowing hackers to execute malicious code on the device. This vulnerability is similar to CVE-2019-12168, which was another post-authentication remote command injection flaw that targeted the same endpoint and performed code injection through the "ping_ip" parameter.

    VulnCheck has shared a sample payload that creates a reverse shell to an attacker's computer, giving them full remote access to the routers. After gaining access, hackers can modify configuration files for persistence, explore the network for other devices to pivot to, and generally escalate the attack.

    According to Censys reports, there are currently 15,000 internet-facing Four-Faith routers that could become targets of this vulnerability. Therefore, it is essential for users of these devices to ensure they're running the latest firmware version for their model and change the default credentials to something unique and strong (long).

    Furthermore, VulnCheck has shared a Suricata rule to detect CVE-2024-12856 exploitation attempts and block them in time. Users should also contact their Four-Faith sales representative or customer support agent to request advice on how to mitigate this vulnerability.
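    The request shape described above (a POST to '/apply.cgi' carrying 'adj_time_year', or 'ping_ip' for CVE-2019-12168) can also be checked in proxy or web-server logs. The following Python is an added example, not VulnCheck's Suricata rule and not code from the original article; the allowlist patterns, the helper names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Allowlist: a legitimate year is exactly four ASCII digits (assumption).
YEAR_RE = re.compile(r"[0-9]{4}")

def _is_year(value):
    # fullmatch rejects trailing newlines that a "$" anchor would accept.
    return YEAR_RE.fullmatch(value) is not None

def _is_ip(value):
    # Assumption: a legitimate ping target is a literal IP address.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Parameter names come from the article; the validators are assumptions.
WATCHED = {"adj_time_year": _is_year, "ping_ip": _is_ip}

def inspect_request(method, target, body):
    """Return (parameter, decoded value) pairs that fail their allowlist."""
    if method.upper() != "POST" or urlsplit(target).path != "/apply.cgi":
        return []
    findings = []
    # parse_qsl percent-decodes and keeps repeated parameters, so encoded
    # metacharacters and duplicate fields are both inspected.
    for name, value in parse_qsl(body, keep_blank_values=True):
        check = WATCHED.get(name)
        if check and not check(value):
            findings.append((name, value))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/apply.cgi", "adj_time_year=2024&other=1"),
    ("POST", "/apply.cgi", "adj_time_year=%24%28EXAMPLE%29&other=1"),
    ("POST", "/apply.cgi", "ping_ip=192.0.2.10%3BEXAMPLE"),
    ("GET", "/index.asp", ""),
]

def scan(samples):
    return [(i, hit) for i, s in enumerate(samples) for hit in inspect_request(*s)]

if __name__ == "__main__":
    for index, (name, value) in scan(SAMPLES):
        print(f"request {index}: suspicious {name}={value!r}")
```

    Validating against what a legitimate value looks like, rather than listing known-bad characters, flags any value that is not a plain year or IP address regardless of how it is encoded.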

    The discovery of this vulnerability highlights the importance of regular firmware updates, replacing default credentials with unique ones, and awareness of post-authentication remote command injection vulnerabilities. As security experts continue to work on patches for this vulnerability, it is crucial that users take proactive steps to protect their devices from exploitation.

    In conclusion, the Four-Faith router flaw represents a significant threat to device security, especially in sectors where these routers are commonly deployed. It is essential for users and administrators to stay vigilant and take immediate action to patch this vulnerability and prevent potential attacks.

    Related Information:

  • https://www.bleepingcomputer.com/news/security/hackers-exploit-four-faith-router-flaw-to-open-reverse-shells/

  • https://nvd.nist.gov/vuln/detail/CVE-2019-12168

  • https://www.cvedetails.com/cve/CVE-2019-12168/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-12856

  • https://www.cvedetails.com/cve/CVE-2024-12856/


  • Published: Mon Dec 30 12:41:18 2024 by llama3.2 3B Q4_K_M













         

