search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J

Vulnerability Note VU#123336

Original Release Date: 2024-10-23 | Last Revised: 2024-10-23

Overview

A command injection vulnerability has been identified in the Wi-Fi Test Suite, a tool developed by the WiFi Alliance, which has been found deployed on Arcadyan routers. This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers.

Description

The Wi-Fi Test Suite, as described by its developer, was originally created by the Wi-Fi Alliance—a global non-profit industry association responsible for Wi-Fi standards—to support the development of certification programs and device certification. This software was not designed for use in production environments. However, it has been discovered in commercial router deployments, exposing a vulnerbility in the test code in production. The Wi-Fi Test Suite contains vulnerable code that is susceptible to command injection attacks. An attacker can exploit this vulnerability by sending specially crafted packets to a device running the Wi-Fi Test Suite, allowing them to execute commands with administrative (root) privileges.

CVE-2024-41992 It is possible for an unauthenticated local attacker to use specially crafted packets to execute commands as root.

Impact

An attacker who successfully exploits this vulnerability can gain full administrative control over the affected device. With this access, the attacker can modify system settings, disrupt critical network services, or reset the device entirely. These actions can result in service interruptions, compromise of network data, and potential loss of service for all users dependent on the affected network.

Solution

The CERT/CC recommends that vendors, who have included the Wi-Fi Test Suite, to update it to version >=9.0 or remove it entirely from production devices to reduce the risk of exploitation.

Acknowledgements

Thanks to the reporter Noam Rathaus from SSD Disclosure. This document was written by Timur Snoke.

Vendor Information

123336
 

Bouygues Telecom Affected

Notified:  2024-04-11 Updated: 2024-10-23

Statement Date:   September 26, 2024

CVE-2024-41992 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The National Cybersecurity Agency of France (ANSSI) has coordinated this vulnerability with Bouygues Telecom and confirmed that they have deployed a fix on all of their equipment.

Wi-Fi Alliance Affected

Notified:  2024-04-11 Updated: 2024-10-23

Statement Date:   May 26, 2024

CVE-2024-41992 Affected

Vendor Statement

Affected parties are Wi-Fi Alliance member companies that ship wfa_dut, which is intended for development and certification testing purposes, with their final products. The code at https://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT was made open source as sample code. Shipping this code (as binary executable) as part of a commercial product requires the individual vendor to perform its own security review and implementation. Following this report, Wi-Fi Alliance has made fixes in input sanitization to protect against command injection in the Wi-Fi Test Suite/wfa_dut project, currently available to Wi-Fi Alliance members. The updates will be reflected in the open-source project by 2024-06-30. Wi-Fi Alliance is also reiterating two advisories to its members: (1) Wi-Fi Test Suite is only required for development and certification testing purposes. (2) Wi-Fi Alliance advises against enabling wfa_dut on any interface other than the LAN interface used by the automation system to control and monitor device behavior.

Wi-Fi Alliance would like to express its gratitude to the reporter for this vulnerability report. If interested, we can also share the patch for review and discussion before we apply it to the open-source repository.

Arcadyan Unknown

Notified:  2024-04-17 Updated: 2024-10-23

CVE-2024-41992 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2024-41992
API URL: VINCE JSON | CSAF
Date Public: 2024-08-19
Date First Published: 2024-10-23
Date Last Updated: 2024-10-23 17:28 UTC
Document Revision: 1

Sponsored by CISA.