A newly discovered high-severity vulnerability in specific Four-Faith Routers models is actively exploited in the wild. Researchers at VulnCheck uncovered this flaw, tracked as CVE-2024-12856, which poses a significant risk to users of these devices. In this article, we will explore the details of the vulnerability, its implications, and what affected users can do to protect themselves.
Understanding CVE-2024-12856
CVE-2024-12856 is an operating system (OS) command injection vulnerability with a CVSS score 7.2. This score indicates a high severity level, although certain mitigating factors slightly reduce its impact. The flaw affects Four-Faith router models F3x24 and F3x36 and requires attackers to authenticate themselves before exploitation. However, if the router’s default credentials have not been changed, attackers could bypass authentication and execute OS commands remotely.
The vulnerability stems from improper input handling in the adj_time_year parameter when modifying the system time via the /apply.cgi endpoint. This allows attackers to inject and execute arbitrary commands on the device.
The Active Exploitation Campaign on Four-Faith Routers
According to VulnCheck, threat actors are actively exploiting CVE-2024-12856. The attackers leverage default credentials to authenticate and then use the vulnerability to gain persistent remote access through a reverse shell. The exploitation was traced back to the IP address 178.215.238.91, previously associated with malicious activities targeting Four-Faith routers.
The same IP address was implicated in attacks exploiting CVE-2019-12168, another remote code execution vulnerability in Four-Faith routers. GreyNoise, a threat intelligence company, observed attempts to exploit CVE-2019-12168 as recently as December 19, 2024. This suggests that the attackers are adept at weaponizing known vulnerabilities to compromise these devices.
Technical Breakdown of the Exploitation
The exploitation process involves sending a crafted HTTP request to the router’s/apply—cgi endpoint. By modifying the adj_time_year parameter, attackers can inject OS commands that the router inadvertently executes. Once thriving, the attackers establish a reverse shell, giving them complete control over the compromised device.
Jacob Baines, a researcher at VulnCheck, provided additional insights into the attack method. He noted that the flaw can be exploited remotely over HTTP and described how the vulnerability could be triggered by adjusting the router’s system time through a specific submission type (submit_type=adjust_sys_time). This technical detail underscores the sophistication of the attack vector.
The scale of the Threat
Data from Censys indicates that over 15,000 internet-facing devices are potentially vulnerable to exploitation. This extensive attack surface heightens the urgency of addressing the issue. Evidence suggests that the exploitation campaign began as early as November 2024, meaning many devices may have already been compromised.
No Patches Yet: What It Means for Users
No official patches have been released to address CVE-2024-12856 as of now. Following responsible disclosure protocols, VulnCheck reported the flaw to Four-Faith on December 20, 2024. The lack of immediate patches leaves users in a precarious position, exposing them to potential exploitation.
Hacker News has contacted Four-Faith for a response but has not yet received a comment. It is unclear when or if a firmware update will be available to fix this critical issue.
Steps to Mitigate the Risk
While waiting for an official patch, affected users can take the following steps to mitigate the risk of exploitation:
Change Default Credentials
One of the primary methods attackers use to exploit this vulnerability is leveraging the router’s default credentials. Changing these credentials to a strong, unique password is a critical first step in securing your device.
Restrict Access to the Router
Restrict access to your router’s administrative interface by configuring it only to allow connections from trusted IP addresses. Disable remote access if it is not necessary.
Monitor Network Traffic
Keep an eye on your network traffic for any unusual activity. If you notice unknown IP addresses attempting to connect to your router, this could indicate an exploitation attempt.
Use a Firewall
Configure a firewall to block unauthorized access to your router. A properly configured firewall can help mitigate the risk of exploitation by filtering out malicious requests.
Check for Updates Regularly
Stay informed about updates and patches from Four-Faith. Regularly check the manufacturer’s website or contact their support Team for any announcements regarding security fixes.
Disconnect Vulnerable Devices
If you suspect your router has been compromised, disconnect it from the internet and reset it to factory settings. Reconfigure it with secure settings before reconnecting it.
Broader Implications for IoT Security
This incident highlights a recurring issue in the Internet of Things (IoT) landscape: the reliance on default credentials and the lack of timely patching. IoT devices, including routers, are often deployed with minimal security measures, making them attractive targets for attackers.
Manufacturers must prioritize security by implementing measures such as:
- Requiring users to set unique credentials during initial setup.
- Providing timely patches and updates for identified vulnerabilities.
- Enhancing input validation to prevent command injection and similar attacks.
Conclusion
The exploitation of CVE-2024-12856 is a stark reminder of the importance of securing internet-connected devices. For users of Four-Faith routers, immediate action is necessary to mitigate the risk of compromise. Changing default credentials, restricting access, and monitoring network activity are essential to protect against this active Threat.
As we await patches from Four-Faith, the broader cybersecurity community must continue to advocate for stronger security practices in the IoT space. Awareness and proactive measures can significantly reduce the impact of such vulnerabilities, safeguarding both individual users and the broader Internet ecosystem.
For More:
https://thehackernews.com/2024/12/15000-four-faith-routers-exposed-to-new.html
