ON Semiconductor Quantenna Wi-Fi Chipset Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in ON Semiconductor's Quantenna Wi-Fi chipset, affecting several product families through version 8.0.0.28 of the latest SDK. The vulnerability arises from a local control script, 'router_command.sh', which does not properly sanitize input in the 'get_syslog_from_qtn' argument, allowing arbitrary commands to be executed. This issue is categorized as CWE-88, 'Improper Neutralization of Argument Delimiters in a Command (Argument Injection)'. Exploitation could lead to unauthorized command execution with root privileges, potentially giving an attacker complete control over the affected device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution as root on the affected device. This could be used to enable the telnet service, providing remote access and control over the device, as described in CVE-2025-3461.

Reproduction

The vulnerability can be reproduced by using the 'qcsapi' RPC service to execute the 'run_script' command with the 'set_tx_pow' script as the target. The first argument can be replaced with any command, which will be executed with root privileges. For example, injecting a command to spawn a telnet service would demonstrate the vulnerability.

Remediation

Users are advised to consult the 'Quantenna Wi-Fi Chipset Support and Security Best Practices' guide published by ON Semiconductor. This guide includes recommendations for securing the chipset, such as disabling the 'qcsapi' RPC service, changing default passwords, and configuring production software releases to meet security needs.
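The script-level defense against this class of flaw (CWE-88) is to validate each argument against a strict allow-list and never let a shell re-parse it. The sketch below is an added example, not code from ON Semiconductor or from 'router_command.sh'; the handler names, the numeric power-level argument and its 0-99 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: hypothetical handlers, not the vendor's script.

# Unsafe pattern: the argument is pasted into a command string that a second
# shell parses, so characters such as ';' in the value become shell syntax.
handle_unsafe() {
    sh -c "echo tx_power=$1"
}

# Allow-list check: accept only one or two decimal digits (assumed range 0-99).
is_valid_power() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains any non-digit
    esac
    [ "${#1}" -le 2 ]
}

# Hardened pattern: reject anything outside the allow-list, then pass the
# value as a single quoted argument to a fixed command. No string is re-parsed.
handle_safe() {
    if ! is_valid_power "$1"; then
        echo "rejected argument" >&2
        return 2
    fi
    printf 'tx_power=%s\n' "$1"
}

# Constructed sample inputs: one benign value, one carrying a metacharacter.
for arg in '20' '7; echo INJECTED'; do
    handle_safe "$arg" || true
done
```

With the constructed inputs, the hardened handler prints the benign value and rejects the second one, while the unsafe handler would have run the text after the semicolon as its own command.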

Added: Jun 8, 2025, 9:38 PM
Updated: Jun 8, 2025, 9:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.