Honeywell MB-Secure OS Command Injection Vulnerability Allowing Privilege Abuse
Vulnerability
A command injection vulnerability has been identified in Honeywell MB-Secure and MB-Secure PRO. This issue allows authenticated users to execute arbitrary operating system commands with root privileges, potentially leading to a complete compromise of the affected device. The vulnerability arises from the web interface's ping functionality, which improperly sanitizes command arguments before execution. This issue affects MB-Secure versions from 11.04 prior to 12.53, and MB-Secure PRO versions from 01.06 prior to 03.09.
Impact
Exploitation of this vulnerability allows for authenticated command injection, with executed commands running as the root user.
Reproduction
To reproduce this vulnerability, an authenticated user can access the web interface of an affected MB-Secure device. The ping functionality at '/si/ping' can be exploited by entering a command into the interface field, appending semicolons to terminate the ping command and introduce a new one. Once the 'Ping' button is pressed, the injected command is executed on the operating system with root privileges.
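The defect described above is the classic shape of OS command injection: a user-supplied ping target spliced into a shell command line. The following Python is an added example, not Honeywell's firmware code and not based on any knowledge of how the MB-Secure web interface is implemented; it shows the vulnerable pattern next to a hardened handler that validates the target against an allowlist and invokes ping through an argv list with no shell, plus a small detection routine run over constructed log lines in a hypothetical format (the log format, the `run_ping` helper and all sample values are assumptions).

```python
import re
import subprocess
from typing import List

# Allowlist for a ping target: an IPv4 dotted quad or an RFC 1123 style hostname.
# Shell metacharacters (';', '|', '&', '`', '$', whitespace, newlines) can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}|(?:" + _LABEL + r"\.)*" + _LABEL + r")$"
)


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable pattern: the user-supplied target is spliced into a shell
    command line. Handed to a shell, a ';' in the target ends the ping command and
    starts a second one, which is the defect the advisory describes."""
    return f"ping -c 1 {host}"


def is_valid_ping_target(host: str) -> bool:
    """Validate against the allowlist instead of trying to strip bad characters."""
    return 0 < len(host) <= 253 and HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. The target is a
    single argument to the ping binary and no shell ever parses it. A leading
    '-' is also rejected by the allowlist, so it cannot become a ping option."""
    if not is_valid_ping_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute the validated ping without a shell (shell=False is the default
    for a list argv). Hypothetical helper; it needs a network, so tests skip it."""
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True,
                          timeout=timeout, check=False)


# Constructed application log lines (not from any real device) in a hypothetical
# format: the device records each ping request with the user and the raw target.
SAMPLE_LOG = [
    'ping request user="admin" target="192.0.2.10"',
    'ping request user="admin" target="controller.example.com"',
    'ping request user="admin" target="192.0.2.10; echo injected"',
    'ping request user="operator" target="192.0.2.11"',
]

_TARGET_RE = re.compile(r'target="([^"]*)"')


def flag_suspicious_ping_requests(log_lines: List[str]) -> List[str]:
    """Detection side: any logged ping target that fails the allowlist is worth
    an alert, because a legitimate host never needs shell metacharacters."""
    flagged = []
    for line in log_lines:
        m = _TARGET_RE.search(line)
        if m and not is_valid_ping_target(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("unsafe shell string:", build_ping_command_unsafe("192.0.2.10; echo injected"))
    print("safe argv:", build_ping_argv("192.0.2.10"))
    for line in flag_suspicious_ping_requests(SAMPLE_LOG):
        print("ALERT:", line)
```

The design point is that the hardened path never tries to enumerate bad characters: it accepts only what a host can look like and otherwise refuses, and it passes the value as one argv element so the shell is out of the picture entirely. The same allowlist doubles as a detection rule for logged requests, which is useful on devices that cannot be patched immediately.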
Remediation
Users are advised to upgrade to Honeywell MB-Secure version 12.53 or MB-Secure PRO version 03.09.