Two critical vulnerabilities were found in wireless LAN devices that are allegedly used to provide internet connectivity on airplanes.
Thomas Knudsen and Samy Younsi from Necrum Security Labs first discovered the flaws, which were found to have affected the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec.
An advisory, referring to the vulnerability tracked as CVE-2022-36158, noted: “After performing reverse engineering of the firmware, we discovered that a hidden page not listed in the Wireless LAN Manager interface allows to execute Linux commands on the device with root privileges.”
“From here, we had access to all the system files but also be able to open the telnet port and have full access to the device.”
A second vulnerability, tracked as CVE-2022-36159, was also described in the advisory. It concerns the use of weak hard-coded cryptographic keys and backdoor accounts.
The advisory listed: “During our investigation, we also found that the /etc/shadow file contains the hash of two users (root and user), which only took us a few minutes to recover by a brute-force attack.”
The issue is that the device owner can change only the password of the user account from the web administration interface, because the root account is reserved for Contec.
“This means an attacker with the root hard-coded password can access all FXA2000 series and FXA3000 series devices.”
To fix the first vulnerability, the researchers said that the hidden engineering web page should be removed from the devices in production since the default password is weak.
“This weak default password makes it very easy for any attacker to inject a backdoor on the device through this page.”
Necrum also added that, for the second flaw, Contec should generate a different password for each device during the manufacturing process.
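A check a firmware reviewer could run for the second flaw, as an added example that is not code from the Necrum advisory or from Contec: it compares `/etc/shadow` files taken from several units and reports accounts whose salt and hash are identical across devices, plus accounts stored with a fast hash scheme. The device labels and hash strings are constructed placeholders, and the page does not state which scheme the Contec firmware uses.

```python
from collections import defaultdict

# crypt(3) prefix -> (scheme name, True if the scheme is fast to brute-force)
SCHEMES = {"$1$": ("md5crypt", True), "$5$": ("sha256crypt", False),
           "$6$": ("sha512crypt", False), "$2": ("bcrypt", False),
           "$y$": ("yescrypt", False)}

def parse_shadow(text):
    """Yield (user, hash) for accounts that hold a password hash."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        # '!' or '*' marks a locked account; empty fields are not checked here
        if pw and pw[0] not in "!*":
            yield user, pw

def scheme_of(pw_hash):
    for prefix, info in SCHEMES.items():
        if pw_hash.startswith(prefix):
            return info
    return ("descrypt", True)   # no '$' prefix: traditional DES crypt

def audit(images):
    """images: {device_label: shadow file text}. Returns sorted findings."""
    seen = defaultdict(set)     # (user, hash) -> labels of devices carrying it
    findings = set()
    for label, text in images.items():
        for user, pw in parse_shadow(text):
            seen[(user, pw)].add(label)
            name, weak = scheme_of(pw)
            if weak:
                findings.add(f"{label}: {user} uses weak scheme {name}")
    for (user, _), labels in seen.items():
        if len(labels) > 1:     # same salt and hash on more than one device
            findings.add(f"{user}: identical hash on {', '.join(sorted(labels))}")
    return sorted(findings)

# Constructed sample data (placeholder hashes, not from any real device).
SAMPLE = {
    "unit-A": "root:$1$AAAAAAAA$constructedroothash000:19000:0:99999:7:::\n"
              "user:$6$BBBBBBBB$constructeduserhashA:19000:0:99999:7:::\n"
              "daemon:*:19000:0:99999:7:::\n",
    "unit-B": "root:$1$AAAAAAAA$constructedroothash000:19000:0:99999:7:::\n"
              "user:$6$CCCCCCCC$constructeduserhashB:19000:0:99999:7:::\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An identical hash across units is the signature of a factory-set credential; the check says nothing about how strong the underlying password is.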