CVE-2022-36556
The Seiko SkyBridge MB-A100/A110 v4.2.0 and below had a command injection vulnerability via the ipAddress parameter.
Within the affected devices, a request would be received to the command injection site to ping the value of “80”. The request would be processed and sent to the target server where an “OK” response would be received. The command injection site would then close the connection. An attacker would be able to send commands to the device via the “OK” response.
The following is a list of commands that can be sent to the device.
- shutdown
- enable
- disable
- reboot
- sig_send
- wps_pin
- wps_pass
- wps_key
- wps_ver
- wps_sps
- wps_url
- wps_file
- wps_reg
- wps_reghd
- wps_reghw
- wps_reghs
- wps_reghl
- wps_reght
- wps_reghj
- wps_reghk
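A hardened handler for the ipAddress parameter described above, as an added example that is not the vendor's code. It assumes the value arrives in a form-encoded request body and is handed to a Linux-style ping; the function names and the sample bodies are hypothetical.

```python
import ipaddress
from urllib.parse import parse_qs


def parse_ip_address(value):
    """Return the canonical text of an IPv4/IPv6 literal, or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("ipAddress must be a string")
    # ipaddress (Python 3.9+) accepts an IPv6 zone suffix such as "fe80::1%eth0"
    # and does not restrict the characters after '%', so refuse zones outright.
    if "%" in value:
        raise ValueError("zone identifiers are not accepted")
    # ip_address() rejects hostnames, whitespace and any text after the address.
    return str(ipaddress.ip_address(value))


def build_ping_argv(value, count=1):
    """Argument list for subprocess.run(argv); no shell parses the value."""
    return ["ping", "-c", str(int(count)), parse_ip_address(value)]


def flag_requests(bodies):
    """Return the request bodies whose ipAddress is not a plain address literal."""
    flagged = []
    for body in bodies:
        value = parse_qs(body, keep_blank_values=True).get("ipAddress", [""])[0]
        try:
            parse_ip_address(value)
        except ValueError:
            flagged.append(body)
    return flagged


# Constructed sample bodies (not captured from a device).
SAMPLE_BODIES = [
    "ipAddress=192.0.2.10",
    "ipAddress=192.0.2.10%3B+reboot",
    "ipAddress=fe80%3A%3A1%25%3Breboot",
    "ipAddress=2001%3Adb8%3A%3A1",
]

if __name__ == "__main__":
    print(build_ping_argv("192.0.2.10"))
    for body in flag_requests(SAMPLE_BODIES):
        print("rejected:", body)
```

The same validator serves both as the input check in front of the ping call and as a triage filter over logged request bodies.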
Vulnerable / tested firmware version
The affected devices all have the same firmware version.
wps_reg Command
The following is a list of commands that can be sent to the device.
- shutdown
- enable
- disable
- reboot
- sig_send
- wps_pin
- wps_pass
- wps_key
- wps_ver
- wps_sps
- wps_url
- wps_file
Timeline
Published on: 08/29/2022 23:15:00 UTC
Last modified on: 09/02/2022 18:59:00 UTC