Siklu Communications Etherhaul Series Unauthenticated Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in Siklu Communications Etherhaul 8010TX and 1200FX devices running firmware 7.4.0 and later versions prior to 10.7.3, and possibly other earlier versions. The issue resides in the 'rfpiped' service, which listens on TCP port 555 and uses static AES encryption keys hardcoded into the binary. Because these keys are identical across all devices, an attacker who knows them can craft encrypted packets that the service accepts and executes as arbitrary commands without any authentication. This vulnerability results from an incomplete fix for CVE-2017-7318 and may also affect other Etherhaul series devices with similar firmware.

Impact

Exploitation of this vulnerability allows for unauthenticated remote command execution on the affected devices. This could lead to a complete compromise of the device, with potential access to protected networks, as the devices could serve as entry points into these networks.

Reproduction

The vulnerability can be reproduced by sending crafted encrypted packets to the 'rfpiped' service on TCP port 555. The static encryption keys, which are the same across all affected devices, can be used to encrypt the payloads. Once the packets are decrypted by the service, the embedded commands are executed with elevated privileges.

Remediation

At the time of this disclosure, no patch is available. However, it is recommended to isolate affected devices from untrusted networks, block TCP port 555 traffic to and from Etherhaul devices, implement strict access control lists to limit device communication, and consider replacing affected devices once a patch is available.

Added: Sep 15, 2025, 7:17 PM
Updated: Sep 15, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 8.3
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.