Advantech WISE-4000 Series Unauthenticated Firmware Upload Vulnerability Allowing Privilege Escalation

A vulnerability exists in the Advantech WISE-4060LAN and other WISE-4000 series devices, allowing unauthenticated attackers to upload firmware through a public update page. This exploitation could lead to the installation of a backdoor or unauthorized privilege escalation. The vulnerability arises from the absence of cryptographic signature verification on firmware updates, coupled with the availability of a web endpoint that allows firmware uploads without authentication.

Impact

Exploitation of this vulnerability could result in unauthorized firmware installation, potentially allowing for backdoor access or privilege escalation on the affected device.

Reproduction

The vulnerability can be reproduced by accessing the '/__dnldpage' endpoint, which is available to unauthenticated users. This action sets a global variable that allows subsequent POST requests to the '/file_xfer' endpoint to upload firmware files. Once the firmware is uploaded, the device will install it if the file is valid and not tampered with. However, if the firmware is modified to bypass authentication checks, any uploaded firmware can be used to gain administrative privileges.

Remediation

Users and administrators are advised to update to the latest firmware version A2.02 B00, which addresses this vulnerability by enabling security features that restrict access to unsecured web interfaces and disable unnecessary services. After updating, users should enable the Security Mode feature to further reduce the attack surface.