onsemi QT6300
cpe:2.3:h:qualcomm:pm640a:*:*:*:*:*:*:*, +17 more
- <= 8.0.0.28
A command injection vulnerability has been identified in the Quantenna Wi-Fi chipset by ON Semiconductor, affecting chipsets running SDK versions up to and including 8.0.0.28. The vulnerability lies in a local control script called set_tx_pow, which does not sanitize its input arguments, allowing arbitrary commands to be executed. This issue is present in various Quantenna Wi-Fi product families, including QT6300 AX3, QT62000 AX2, QSR10G and QSR5G AX, QSR1000 and QSR2000, and QHS710.
Exploitation of this vulnerability allows for arbitrary command execution as root. This could be used to enable the telnet service, potentially leading to unauthorized remote access and control over the affected device.
The vulnerability can be reproduced by using the qcsapi rpc service to execute the run_script command with the set_tx_pow script as the target. The first argument can be replaced with any command, which will be executed with root privileges. For example, injecting a command to spawn a telnet service would demonstrate the exploitation of this vulnerability.
ON Semiconductor has published a best practices guide for securing products that use the Quantenna Wi-Fi chipset. This guide includes recommendations for disabling the qcsapi rpc service, changing default passwords, and configuring security options before production releases.
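As an added illustration of the two defender-side checks this advisory implies (is the SDK in the affected range, and what does proper argument sanitization for a script like set_tx_pow look like), the following example is not code from onsemi or the Quantenna SDK; it assumes, hypothetically, that the only legitimate set_tx_pow argument is a signed integer dBm value, and the script path is a placeholder.

```python
import re
import subprocess

# Constructed example (not the vendor's code). Assumption: set_tx_pow takes a
# single signed-integer dBm value; the real script's argument format is not
# documented on the advisory page.
TX_POW_PATTERN = re.compile(r"^-?\d{1,3}$")
AFFECTED_MAX_SDK = (8, 0, 0, 28)          # advisory: affected through 8.0.0.28
SET_TX_POW_PATH = "set_tx_pow"            # placeholder, real path unknown


def parse_sdk_version(version: str) -> tuple:
    """Parse a dotted SDK version such as '8.0.0.28' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected_sdk(version: str) -> bool:
    """True when the reported SDK version is <= 8.0.0.28 (the affected range)."""
    parsed = parse_sdk_version(version)
    # Pad short strings so '8.0.0' compares against the four-component bound.
    padded = parsed + (0,) * (len(AFFECTED_MAX_SDK) - len(parsed))
    return padded <= AFFECTED_MAX_SDK


def validate_tx_pow_arg(arg: str) -> str:
    """Allowlist check: accept only a plain dBm integer.

    Anything else (spaces, ';', '$(', backticks, ...) is rejected outright,
    which is the sanitization the advisory says the script lacks.
    """
    if not TX_POW_PATTERN.fullmatch(arg):
        raise ValueError(f"rejected set_tx_pow argument: {arg!r}")
    return arg


def build_safe_command(arg: str) -> list:
    """Build an argv list for the script after validation.

    Passing argv as a list (no shell) means the argument is never parsed by
    a shell, so metacharacters cannot turn into a second command.
    """
    return [SET_TX_POW_PATH, validate_tx_pow_arg(arg)]


def run_set_tx_pow(arg: str) -> int:
    """Invoke the script without a shell and return its exit status."""
    return subprocess.run(build_safe_command(arg), check=False).returncode
```

The validate-then-argv pattern is the same fix regardless of the script: the root cause described above is an argument reaching a shell unchecked, and disabling the qcsapi rpc service as the vendor guide recommends removes the remote path to it.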