Raisecom RAX701-GC Series SSH Authentication Bypass Vulnerability

A vulnerability exists in the Raisecom RAX701-GC series devices, specifically in the RAX701-GC-WP-01 P200R002C52 and P200R002C53 firmware versions. This vulnerability allows SSH sessions to be established without proper user authentication, enabling attackers to gain unauthorized shell access with root privileges. The issue arises from the device's handling of SSH authentication on ports 10022/TCP and 830/TCP, which can be exploited to access the NETCONF service or the system root shell.

Impact

Exploitation of this vulnerability bypasses SSH authentication, allowing remote, unauthenticated attackers to gain root shell access on the affected devices. This access could be used to control the device and manipulate network services, potentially leading to further attacks on connected networks.

Reproduction

The vulnerability can be reproduced using the open-source tool SSHamble. After scanning the target device with SSHamble, the tool can skip the SSH user authentication process and directly access the device's SSH service on port 10022. This action establishes a session with root privileges, bypassing the need for valid credentials. Alternatively, the NETCONF service can be accessed by targeting port 830.

Remediation

Raisecom has not provided a patch for this vulnerability. Users are encouraged to contact Raisecom customer support for more information. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate these devices from business networks, and employing secure remote access methods such as VPNs.