An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges.
The vulnerability results from improper sanitization of the TFTP client host parameter available on the Filesystem Browser page in the device management interface. An attacker can provide a crafted parameter value that allows escaping from the originally intended command and injection of their own arbitrary system command. The injected command is executed with root privileges, giving full control over the device. The flaw is compounded by missing authentication mechanism (CWE-288) and improper verification of authentication credentials (CWE-620).
An attacker without any privileges can remotely execute arbitrary system commands with root level access over the network, which means complete takeover of the device, ability to read and modify configuration, and potential use of the device as an entry point to the further network.
Patches available from the manufacturer should be applied according to the references. It is also recommended to restrict access to the device management interface only to trusted hosts or management networks and, until the patch is installed, to disable or restrict access to the Filesystem Browser functionality. Detailed recommendations are available in the ICS-CERT message: ICSA-26-069-02.
Lantronix EDS3016PS1NS Firmware, Lantronix EDS3008PS1NS Firmware and corresponding hardware devices; vulnerability confirmed in firmware version 3.1.0.0R2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLantronix Eds3008ps1ns
HWLantronixwszystkie wersjeLantronix Eds3008ps1ns Firmware
OSLantronix3.1.0.0r2Lantronix Eds3016ps1ns
HWLantronixwszystkie wersjeLantronix Eds3016ps1ns Firmware
OSLantronix3.1.0.0r2
Related vulnerabilities
Pominięcie uwierzytelnienia w urządzeniach Lantronix EDS3000PS
RCE i ujawnienie danych w Lantronix EDS3000PS via ltrx_evo
Command injection w Lantronix EDS5000 – wykonanie poleceń jako root
OS command injection w Lantronix EDS5000 — wykonanie kodu jako root
An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantr...