Nautel VX Series Remote Code Execution Vulnerability in Firmware Update Process
Vulnerability
A remote code execution vulnerability has been identified in the Nautel VX Series transmitters running firmware versions through 6.4.0. This vulnerability arises from the absence of digital signature verification in the firmware update process, allowing attackers to upload crafted update packages via the '/#/software/upgrades' endpoint. Exploitation of this vulnerability enables unauthorized execution of arbitrary code with root privileges on the affected device.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution with root access on the affected transmitter. This could lead to a complete compromise of the device, including the ability to disrupt broadcast operations or alter transmission parameters. Additionally, such access could be used to pivot into internal networks.
Reproduction
To reproduce this vulnerability, download a legitimate VX Series firmware update from the Nautel public update repository. Extract the update package and locate the 'init.sh' script. Modify this script to include a reverse shell payload, then repackage the update file. Upload the modified firmware through the transmitter's web interface at the '/#/software/upgrades' endpoint. After uploading, initiate the update process, which will execute the 'init.sh' script and provide root-level shell access.
Remediation
Nautel should implement digital signature verification for firmware updates, ensuring that all update packages are cryptographically signed and validated before installation. Additionally, access to the software upload process should be restricted to authorized users only, possibly through multi-factor authentication. Integrity checks, such as SHA256 hash validation, could be employed to detect modifications in firmware before installation. Finally, execution permissions on update scripts should be limited to prevent arbitrary script execution from firmware packages.
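The following Go program is an added illustration of the signed-update gate described above; it is not Nautel's code and the package layout (a "FWPK" magic, a length field, the payload, then an Ed25519 signature over everything before it) is an assumption made for the example. It shows the device-side check that must succeed before anything in the package is extracted or executed, and it shows a repackaged update with a modified script being rejected. The SHA-256 digest function covers the hash-validation point: useful for audit logs and matching a published hash, but not a substitute for the signature, since an attacker who can replace the package can also replace an unsigned hash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed package layout for this example (not Nautel's real format):
//   magic "FWPK" | 8-byte big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers magic, length and payload, so neither the scripts
// inside the payload nor the declared length can be altered undetected.
const magic = "FWPK"

const headerLen = len(magic) + 8

var (
	ErrBadKey       = errors.New("vendor public key has wrong size")
	ErrBadPackage   = errors.New("malformed update package")
	ErrBadSignature = errors.New("signature verification failed: refusing to install")
)

// BuildPackage is what the vendor's release tooling would run with the
// offline signing key. It is included only so the example is self-contained.
func BuildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], uint64(len(payload)))
	buf.Write(lenBuf[:])
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyPackage is the device-side gate: it returns the payload only if the
// package is well-formed and carries a valid signature from the pinned vendor
// public key. Nothing from the package is extracted or run before this
// returns a nil error.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, ErrBadKey
	}
	if len(pkg) < headerLen+ed25519.SignatureSize || string(pkg[:len(magic)]) != magic {
		return nil, ErrBadPackage
	}
	declared := binary.BigEndian.Uint64(pkg[len(magic):headerLen])
	available := uint64(len(pkg) - headerLen - ed25519.SignatureSize)
	if declared != available { // length must match exactly: no truncation, no trailing data
		return nil, ErrBadPackage
	}
	signedEnd := headerLen + int(declared)
	signed, sig := pkg[:signedEnd], pkg[signedEnd:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSignature
	}
	return pkg[headerLen:signedEnd], nil
}

// PackageDigest returns the SHA-256 of the whole package as hex, for audit
// logging and for comparison against a vendor-published hash.
func PackageDigest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed key pair and payload for demonstration only; on a real
	// device only the public key would be present, pinned in read-only storage.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("#!/bin/sh\necho applying vendor update\n")
	pkg := BuildPackage(priv, payload)
	fmt.Println("package sha256:", PackageDigest(pkg))

	if _, err := VerifyPackage(pub, pkg); err != nil {
		fmt.Println("genuine package:", err)
	} else {
		fmt.Println("genuine package: accepted")
	}

	// A repackaged update whose script differs by a single byte is rejected.
	tampered := append([]byte(nil), pkg...)
	tampered[headerLen] ^= 0x01
	_, err = VerifyPackage(pub, tampered)
	fmt.Println("modified package:", err)
}
```

The order of checks matters: structure and length are validated before the signature so that a malformed package cannot drive the verifier out of bounds, and the payload is handed back only after the signature check, so the install path has no way to reach package contents that were never verified.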
