Quantenna Wi-Fi Chipset Command Injection Vulnerability in Local Control Script

Vulnerability

A command injection vulnerability has been identified in router_command.sh, a local control script used by the Quantenna Wi-Fi chipset. The script does not sanitize the arguments it receives, so an attacker who can reach the qcsapi RPC service can place shell metacharacters in a script argument and have arbitrary commands executed. Quantenna Wi-Fi chipset SDK versions through 8.0.0.28 are affected.

Impact

Because the script runs with root privileges, exploitation yields arbitrary command execution as root on the device. An attacker could, for example, enable the telnet service and obtain remote access to the device.

Reproduction

The vulnerability can be reproduced by calling the qcsapi RPC service's run_script command with the set_tx_pow script and supplying a shell command as the first argument. router_command.sh passes that argument to the shell unsanitized, so the injected command runs as root. Injecting a command that starts the telnet daemon, for example, demonstrates the issue by yielding a remote shell on the device.
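The pattern behind this bug, as an added illustration that is not Quantenna's router_command.sh: a stand-in set_tx_pow handler that splices its first argument into a command string (the vulnerable shape the advisory describes), next to a hardened version that allowlists the argument and passes it as a positional parameter instead. The function names, the 0-30 dBm range and the printf stand-in for the real driver call are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Quantenna's router_command.sh. It models the injection
# pattern described in the advisory with a constructed set_tx_pow handler.

# Vulnerable pattern (assumed shape): the first argument is spliced into a
# command string, so ';', '$(...)', backticks etc. in it are interpreted by
# the shell that runs as root.
vulnerable_set_tx_pow() {
    sh -c "printf 'tx_power=%s\n' $1"
}

# Hardened version: allowlist the argument and never splice it into code.
hardened_set_tx_pow() {
    pow=$1
    # Accept a decimal integer only; rejects empty strings and any
    # non-digit, which covers every shell metacharacter.
    case "$pow" in
        ''|*[!0-9]*)
            printf 'set_tx_pow: rejected argument: %s\n' "$pow" >&2
            return 1 ;;
    esac
    # Range check; 0-30 dBm is an assumed limit for illustration.
    if [ "$pow" -gt 30 ]; then
        printf 'set_tx_pow: value out of range: %s\n' "$pow" >&2
        return 1
    fi
    # Pass the value as $1 of the child shell instead of interpolating it
    # into the command text, so it can only ever be data.
    sh -c 'printf "tx_power=%s\n" "$1"' set_tx_pow "$pow"
}

demo() {
    printf '%s\n' '--- vulnerable handler, injected argument ---'
    vulnerable_set_tx_pow '10; echo INJECTED'
    printf '%s\n' '--- hardened handler, same argument ---'
    hardened_set_tx_pow '10; echo INJECTED' || printf '%s\n' '(rejected)'
    printf '%s\n' '--- hardened handler, valid argument ---'
    hardened_set_tx_pow 10
}

demo
```

On a real device the argument arrives through the qcsapi RPC run_script call rather than a local shell invocation, but the defect is the same: whatever reaches the script's positional parameters is interpreted as code. The `case` allowlist is POSIX sh, so it fits the busybox-style environments these chipsets run.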

Remediation

Users are advised to consult the onsemi Quantenna Wi-Fi chipset support and security best practices guide, which includes recommendations for securing the chipset and for disabling unnecessary services such as telnet in production releases. Because the injection reaches router_command.sh through the qcsapi RPC service, restricting which hosts can reach that service also limits who can trigger the flaw.

Added: Jun 8, 2025, 9:33 PM
Updated: Jun 8, 2025, 9:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 8.3
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.