Two critical vulnerabilities were found in wireless LAN devices that are allegedly used to provide internet connectivity in airplanes.
The flaws were discovered by Thomas Knudsen and Samy Younsi of Necrum Security Labs and affected the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec.
“After performing reverse engineering of the firmware, we discovered that a hidden page not listed in the Wireless LAN Manager interface allows to execute Linux commands on the device with root privileges,” wrote the security researchers in an advisory, referring to the vulnerability tracked CVE–2022–36158.
“From here, we had access to all the system files but also be able to open the telnet port and have full access to the device.”
Knudsen and Younsi also described a second vulnerability in the advisory (tracked CVE–2022–36159), this one referring to the use of weak hard–coded cryptographic keys and backdoor accounts.
“During our investigation, we also found that the /etc/shadow file contains the hash of two users (root and user), which only took us a few minutes to recover by a brute–force attack,” Necrum Security Labs wrote.
According to the security experts, the issue here is that the device owner can only change the account user’s password from the web administration interface because the root account is reserved for Contec (probably for maintenance purposes).
“This means an attacker with the root hard–coded password can access all FXA2000 series and FXA3000 series devices,” explained Knudsen and Younsi.
To fix the first vulnerability, the researchers said the hidden engineering web page should be removed from the devices in production since the default password is very weak.
“This weak default password makes it very easy for any attacker to inject a backdoor on the device through this page,” wrote the security experts.
As for the second flaw, Necrum Security Labs said Contec should generate a different password for each device during the manufacturing process.
These are hardly the first vulnerabilities discovered in wireless devices over the last few months. Last week, for instance, Rapid7 disclosed flaws in two TCP/IP–enabled medical devices produced by Baxter Healthcare, one of which was a WiFi Battery.