Gefen WebFWC AV Over IP Products Unauthenticated Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Gefen WebFWC AV over IP products, specifically in versions 1.85h, 1.86v, and 1.70. The issue arises in the '/usr/local/bin/jncs.sh' script, which is executed at startup. This script opens a persistent netcat listener on TCP port 4444, allowing attackers with network access to connect to the device without authentication and execute arbitrary commands with root privileges.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution as the root user. An attacker could execute commands with full administrative privileges, potentially leading to unauthorized access, modification of device configurations, or persistence on the device.

Reproduction

The vulnerability can be reproduced by connecting to the affected device over TCP port 4444 using netcat. This establishes a connection to the device's shell, allowing commands to be executed with root privileges.

Remediation

There is currently no fix available for this vulnerability. Users are advised to restrict network access to the devices, blocking access to port 4444 from untrusted networks, and to monitor for unauthorized activity.