Raisecom Multi-Service Intelligent Gateway OS Command Injection Vulnerability in vpn_template_style.php

A critical OS command injection vulnerability has been identified in the Raisecom Multi-Service Intelligent Gateway, affecting versions prior to 20250208. The issue resides in the Request Parameter Handler component, specifically within the vpn_template_style.php file. The vulnerability allows remote attackers to inject system commands through the stylenum parameter, bypassing security measures and executing arbitrary commands on the device. This exploitation could lead to unauthorized access, data manipulation, or disruption of services.

Impact

Exploitation of this vulnerability allows for complete control over the affected device, enabling attackers to execute arbitrary commands with the same privileges as the web server user. This could result in unauthorized access to sensitive data, disruption of network services, or manipulation of device configurations. Additionally, compromised devices could be used to launch attacks on other systems within the internal network.

Reproduction

The vulnerability can be reproduced by sending a GET request to the vpn_template_style.php file with the mySubmit parameter set to true and the stylenum parameter containing a command injection payload. This payload can include commands wrapped in backticks or pipe symbols to execute arbitrary system commands on the device. The successful execution of the injected command can be verified by checking for the command's output in a file or through another means.

Remediation

Users are advised to update to the latest version of the Raisecom Multi-Service Intelligent Gateway firmware. Additionally, implementing input validation to sanitize the stylenum parameter, removing special characters that could be used for command injection, and employing a web application firewall to block malicious requests can help mitigate this vulnerability.