A denial of service (DoS) vulnerability, dubbed CVE-2022-35265, has recently been discovered in the web_server hashFirst functionality of Robustel R151 IoT gateway products, specifically versions 3.1.16 and 3.3.. The issue lies in the /action/import_nodejs_app/ API, allowing malicious attackers to exploit this vulnerability by sending a series of specially-crafted network requests, causing the targeted devices to stop functioning as intended.

Vulnerability

The vulnerability is present in the web application of the device, with the core issue being a part of the hashFirst function in the web_server component of the firmware. The DoS vulnerability triggers when an attacker sends a sequence of requests to the /action/import_nodejs_app/ API.

This is a sample code snipplet that shows the core issue

function hashFirst(req, res) {
    let data = req.body.data;
    let result = web_server.computeHash(data);
    ...
}

The exploit for this vulnerability can be carried out in two simple steps: First, an attacker must identify a Robustel R151 IoT gateway with the affected firmware version. Then, the attacker can send a series of network requests to the vulnerable API endpoint, /action/import_nodejs_app/, with crafted data that exploits this vulnerability.

Once the device receives the requests, the API performs the computeHash operation on the crafted data sent by the attacker. The exploit leads to unavailability or reduced functionality of the targeted device, resulting in the denial of service.

Impact

The impact of this vulnerability could be severe. As the devices play a crucial role in various IoT applications such as industrial control systems and critical infrastructure, a successful exploitation could lead to unavailability or reduced functionality of the devices. This could interrupt operations and cause financial and reputational damage to affected organizations.

Mitigation

To protect your devices from this vulnerability, it is strongly recommended to update the firmware of your Robustel R151 IoT gateway to the latest version provided by the manufacturer. This would ensure that your devices have the necessary security patches and are protected from such attacks. Furthermore, always monitor your network traffic and be vigilant for any signs of abnormal activity.

References

- CVE-2022-35265 - National Vulnerability Database (NVD) Entry
- Robustel R151 IoT Gateway
- Robustel Firmware Update Instructions

Conclusion

CVE-2022-35265 is a potential DoS vulnerability that exists in the web_server hashFirst functionality of the affected Robustel R151 IoT gateway versions 3.1.16 and 3.3.. A malicious attacker can trigger this vulnerability by sending a sequence of specially-crafted network requests. To protect your devices, update the firmware to the latest version provided by the manufacturer and monitor your network traffic.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 03/08/2023 01:09:00 UTC