Cisco Talos reveals 10 critical vulnerabilities in Yifan YF325 industrial router, used across critical infrastructure

Researchers from Cisco Talos recently disclosed 11 vulnerabilities, 10 of which affect the Yifan YF325, an industrial cellular router, and have no patch available. Attackers could exploit the router vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.

Over the last two weeks, Talos disclosed only one other security issue: a use-after-free vulnerability in an open-source port of WebKit, the content rendering engine used by web browsers such as Apple Safari.

“For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website,” Jonathan Munshaw, an executive with the Cisco Talos Intelligence Group, wrote in a Wednesday blog post.

The Yifan YF325 is a cellular terminal device that provides Wi-Fi and Ethernet connectivity to a network. It uses a high-powered industrial 32-bit CPU and an embedded real-time operating system, and supports RS232 (or RS485/RS422), Ethernet, and Wi-Fi ports. It is deployed in machine-to-machine (M2M) applications, including self-service terminals, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environmental protection, postal services, and weather monitoring.

Munshaw wrote that Talos discovered 10 vulnerabilities in this device that an adversary could exploit to carry out a variety of malicious actions, including TALOS-2023-1767 (CVE-2023-32632), which could allow an attacker to execute arbitrary shell commands on the targeted device.

“TALOS-2023-1762 (CVE-2023-24479) is perhaps the most serious of the set of vulnerabilities with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability to change the admin credentials of the device and obtain root access,” according to Munshaw. “TALOS-2023-1752 (CVE-2023-32645) is also an authentication bypass vulnerability, but in this case, an attacker could simply use leftover debug credentials to log in as an administrator.” 

The remaining vulnerabilities Talos disclosed in this product are buffer overflow vulnerabilities triggered by specially crafted network requests: TALOS-2023-1761 (CVE-2023-35055 and CVE-2023-35056); TALOS-2023-1763 (CVE-2023-34365); TALOS-2023-1764 (CVE-2023-34346); TALOS-2023-1765 (CVE-2023-31272); TALOS-2023-1766 (CVE-2023-34426); TALOS-2023-1787 (CVE-2023-35965 and CVE-2023-35966); and TALOS-2023-1788 (CVE-2023-35967 and CVE-2023-35968).

According to Munshaw, all of these vulnerabilities also carry a CVSS severity score of 9.8. Talos is disclosing them without an official patch from Yifan, in accordance with Cisco’s third-party vendor vulnerability disclosure policy, he added.

Talos also recently disclosed a critical use-after-free vulnerability in the MediaRecorder API of WebKitGTK, an open-source, feature-rich implementation of the WebKit rendering engine.

The security issue, tracked as TALOS-2023-1831 (CVE-2023-39928), could lead to remote code execution. To exploit it, an attacker must entice the targeted user to visit a malicious web page using an application that employs the vulnerable version of WebKitGTK.

Last month, Cisco Talos identified a new malware family it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. The researchers also discovered a sister implant to HTTPSnoop, which they named ‘PipeSnoop,’ that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that Talos has named ‘ShroudedSnooper.’
