Nortek has announced a critical vulnerabilities in Linear eMerge E3-Series. The vulnerabilities exists because the affected product fails to sanitize HTTP request parameter values, which can be used to construct a shell commands. This allows an attacker to execute arbitrary commands on the affected system as a root.
Below CVE id’s has been assigned to track these vulnerabilities.
CVE-2019-7252 – Default Credentials
CVE-2019-7253 – Unauthenticated Directory Traversal
CVE-2019-7254 – Unauthenticated File Inclusion
CVE-2019-7255 – Cross-Site Scripting
CVE-2019-7256 – Unauthenticated Command Injection
CVE-2019-7257 – Unrestricted File Upload
CVE-2019-7258 – Privilege Escalation
CVE-2019-7259 – Authorization Bypass with Information Disclosure
CVE-2019-7260 – Cleartext Credentials in a Database
CVE-2019-7261 – Hard-coded Credentials
CVE-2019-7262 – Cross-Site Request Forgery (CSRF)
CVE-2019-7263 – Version Control Failure
CVE-2019-7264 – Stack-based Buffer Overflow
CVE-2019-7265 – Remote Code Execution (root access over SSH)
Affected systems: Linear eMerge E3 <=1.00-06
Exploitation:
An attacker sends a crafted request to fetch id and password and store it in side test.txt and then read the contents of file.
An attacker sends another crafted request to get contents of /etc/passwd file and store it inside test.txt
Conclusion:
No patch has been released by vendor till now. Customers can scan their network with QID :48077,13679 to identify assets remotely. Additionally, customers can review their Linear eMerge devices to ensure that device is not exposed to untrusted network traffic.
References & Sources:
- https://applied-risk.com/resources/ar-2019-005