TG8 Firewall Pre-Authentication Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in TG8 Firewall. The issue arises in the runphpcmd.php endpoint, where the syscmd POST parameter is passed directly to a system command without proper validation. Because the command runs with root privileges, this vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands, leading to full device compromise.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected device with root privileges, resulting in complete control over the device.
Reproduction
To reproduce this vulnerability, send a POST request to the runphpcmd.php endpoint with the syscmd parameter. The value of this parameter should include a command prefixed with 'sudo', as the command execution is performed with root privileges. The response will contain the output of the executed command, indicating successful exploitation.
Remediation
Users are advised to block internet-facing access to ports 80 and 443, which are used to administer the device, to prevent exploitation until a fix is available.
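The advisory describes an unauthenticated endpoint (runphpcmd.php) and recommends keeping the administration ports off the internet. The following is an added detection example, written for this page and not part of the original advisory or of any TG8 software, that scans web-server access logs for requests to that endpoint and rates each hit by whether the source address lies inside an assumed management network. The log lines, the combined log format, the management range (192.168.10.0/24), and the assumption that the endpoint sits at the web root are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Apache/nginx "combined" format.
# These are not real log entries from the advisory or from a TG8 device.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2024:10:14:02 +0000] "POST /runphpcmd.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.168.10.7 - - [12/Mar/2024:10:15:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.10.7 - - [12/Mar/2024:10:16:33 +0000] "POST /runphpcmd.php HTTP/1.1" 200 128 "https://fw.internal/admin" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:17:45 +0000] "POST /RUNPHPCMD.PHP?x=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed management network; sources outside it should never reach the admin UI.
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Endpoint named in the advisory, assumed to live at the web root.
WATCHED_PATH = "/runphpcmd.php"


@dataclass
class Alert:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    severity: str  # "critical" | "probe" | "review"


def is_external(ip_text: str) -> bool:
    """True when the source address is outside every management network."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in MANAGEMENT_NETS)


def normalise_path(path: str) -> str:
    """Drop the query string and lower-case so case/query tricks still match."""
    return path.split("?", 1)[0].lower()


def classify(ip_text: str, status: int) -> str:
    """Rate a hit on the watched endpoint.

    critical: external source and the request succeeded (2xx)
    probe:    external source but the request did not succeed
    review:   internal source; expected for legitimate administration,
              but worth confirming against change records
    """
    if not is_external(ip_text):
        return "review"
    return "critical" if 200 <= status < 300 else "probe"


def scan(log_text: str) -> list[Alert]:
    """Return one Alert per request that targets the watched endpoint."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or non-conforming lines
        if normalise_path(m["path"]) != WATCHED_PATH:
            continue
        status = int(m["status"])
        alerts.append(Alert(
            ip=m["ip"],
            timestamp=m["ts"],
            method=m["method"],
            path=m["path"],
            status=status,
            severity=classify(m["ip"], status),
        ))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.ip:15} {a.method} {a.path} -> {a.status} at {a.timestamp}")
```

Run against the constructed sample, the scanner flags the two external hits (one successful, one 404 probe) and marks the internal administrator's request for review; a production deployment would point `scan` at the real access log and replace `MANAGEMENT_NETS` with the organisation's actual admin ranges. Because the endpoint requires no authentication, any external hit that returns 2xx should be treated as a likely compromise of the device rather than a mere attempt.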