onsemi QT6300
cpe:2.3:o:qualcomm:qtc410s_firmware:*:*:*:*:*:*:*, +17 more
- <= 8.0.0.28
A command injection vulnerability has been identified in the Quantenna Wi-Fi chipset by ON Semiconductor, affecting SDK versions up to and including 8.0.0.28. The vulnerability arises from a local control script, 'router_command.sh', which fails to neutralize argument delimiters in the arguments it receives, enabling arbitrary command execution. This issue is present in various product families, including QT6300 AX3, QT62000 AX2, QSR10G and QSR5G AX, QSR1000 and QSR2000, and QHS710.
Exploitation of this vulnerability allows for arbitrary command execution as root. This could be used to enable the telnet service, potentially leading to unauthorized remote access, especially when combined with another identified vulnerability in the same chipset.
The vulnerability can be reproduced by using the 'qcsapi' RPC service to execute the 'run_script' command with the 'set_tx_pow' script as the target. The first argument can be replaced with any command, which will be executed with root privileges. For example, injecting a command to spawn a telnet service would demonstrate the exploitation.
ON Semiconductor has published a best practices guide for Quantenna Wi-Fi chipsets, recommending the configuration of security options that are disabled by default. This guide includes instructions for compiling a secure binary image, disabling unnecessary features, and changing default passwords. For specific guidance on managing the telnet service, refer to the 'Quantenna-AN-Telnet-v1.0' application note.
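As an added illustration of the vulnerability class described above (not the Quantenna router_command.sh itself, whose contents are not on this page), the constructed dispatcher below shows the two checks a defender wants in a script runner of this kind: an allowlist of script names and a strict character set for the argument, followed by direct invocation with quoted parameters rather than shell re-parsing. SCRIPT_DIR and the allowlist entries are hypothetical.

```shell
#!/bin/sh
# Constructed example, not the vendor's router_command.sh. Argument-delimiter
# injection (CWE-88) happens when a caller-supplied argument is spliced into a
# command string that a shell re-parses, so ';', '|', '&', '`' or '$(' inside
# the argument start new commands. This dispatcher validates first and never
# builds a command string.

SCRIPT_DIR="${SCRIPT_DIR:-/usr/local/bin/scripts}"   # hypothetical location
ALLOWED_SCRIPTS="set_tx_pow set_channel"              # hypothetical allowlist

# 0 if the name is exactly one of the allowed scripts, 1 otherwise.
script_is_allowed() {
    for s in $ALLOWED_SCRIPTS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# 0 if the argument is a non-empty token made only of [A-Za-z0-9._-];
# any delimiter or metacharacter (; | & ` $ ( ) < > quotes, whitespace) fails.
arg_is_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate, then execute "$SCRIPT_DIR/<name>" "<arg>" directly. No eval and no
# string concatenation: the argument reaches the script as one word, so even a
# later relaxation of arg_is_safe would not turn it into a second command.
run_script_safe() {
    script_is_allowed "$1" || { echo "refused script: $1" >&2; return 2; }
    arg_is_safe "$2" || { echo "refused argument" >&2; return 3; }
    "$SCRIPT_DIR/$1" "$2"
}
```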