ON Semiconductor Quantenna Wi-Fi Chipset Command Injection Vulnerability in Local Control Script

Vulnerability

A command injection vulnerability has been identified in a local control script of the Quantenna Wi-Fi chipset, which is part of ON Semiconductor's product line. This vulnerability, categorized as CWE-88 'Improper Neutralization of Argument Delimiters in a Command,' allows an attacker to inject and execute arbitrary commands with root privileges. The issue arises in the 'sync_time' argument of the 'router_command.sh' script, which is vulnerable through version 8.0.0.28 of the latest SDK. The vulnerability remains unpatched, although the vendor has released a best practices guide for implementors.

Impact

Exploitation of this vulnerability allows for arbitrary command execution as root. This could be used to gain complete control over the affected device. Notably, the vulnerability can be exploited to enable the telnet service, which transmits data in clear text and is vulnerable to brute force attacks, thereby providing an attacker with remote access to the device.

Reproduction

To reproduce this vulnerability, first ensure that the Quantenna Wi-Fi chipset is in a product that has not disabled the 'qcsapi rpc service.' Then, use the 'run_script' command of the 'qcsapi' rpc service to execute the 'set_tx_pow' script, injecting a command payload. The injected command will be executed with root privileges on the device.

Remediation

Implementors are advised to consult the ON Semiconductor Quantenna Wi-Fi chipset support and security best practices guide, which includes recommendations for securing the chipset from external access and disabling unnecessary services for production releases.
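
The following is an added illustration, not code from the vendor SDK or from the best practices guide: a shell handler for a time-setting argument that is hardened against CWE-88 by allowlist validation and quoted argument passing. The function names are hypothetical, and the example assumes the value is a Unix epoch timestamp in seconds, since the page does not give the real argument format.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the time value is a Unix epoch
# timestamp in seconds; the SDK script's real argument format is not shown here.

# validate_epoch VALUE: succeed only if VALUE is 1 to 10 decimal digits.
# Anything else (empty string, whitespace, '-', ';', '$', quotes, newlines)
# is rejected, so the value can never add an option or a second argument.
validate_epoch() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

# set_clock EPOCH: the only place the value reaches a command. It is passed as
# one quoted argument behind a fixed "@" prefix, with no eval and no sh -c.
# Assumption: date(1) accepts "-s @SECONDS" (GNU coreutils and BusyBox do).
set_clock() {
    date -u -s "@$1"
}

# safe_sync_time VALUE: hypothetical handler; validate first, then apply.
safe_sync_time() {
    if ! validate_epoch "$1"; then
        echo "sync_time: rejected invalid value" >&2
        return 2
    fi
    set_clock "$1"
}

# Constructed sample inputs; only the first passes validation.
for v in '1749417960' '1749417960 -f /tmp/x' '-s' '12345678901'; do
    if validate_epoch "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

Running the file only exercises the validator; set_clock is not called until safe_sync_time is invoked, and setting the clock requires root.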

Added: Jun 8, 2025, 9:26 PM
Updated: Jun 8, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.