
Experts warn of critical flaws in Flexlan devices that provide WiFi on airplanes

Researchers discovered two critical vulnerabilities (CVE-2022-36158 and CVE-2022-36159) in Flexlan devices that provide WiFi on airplanes.

Researchers from Necrum Security Labs discovered two critical vulnerabilities, tracked as CVE-2022-36158 and CVE-2022-36159, impacting the Contec Flexlan FXA3000 and FXA2000 series LAN devices.

The FXA3000 and FXA2000 Series are access points manufactured by Japan-based firm Contec that conform to the IEEE 802.11n/a/b/g wireless standards.

These devices are installed in airplanes to offer internet connectivity to passengers. An attacker can exploit the above vulnerabilities to compromise the inflight entertainment system and potentially conduct other malicious activities.

“It is found that our wireless products, FLEXLAN FX3000/2000 series, have a firmware vulnerability. There are possibilities of data plagiarism, falsification, and system destruction with malicious programs if this vulnerability was exploited by malicious attackers.” reads the advisory published by Contec. “we have a private webpage for developers to execute system commands, which is not linked to any other web setting pages. There are possibilities of data plagiarism, falsification, system destruction, and malicious program execution if this vulnerability was exploited by malicious attackers who can access to this private webpage (with passwords information).”

The issues impact Contec FLEXLAN FXA3000 Series devices running version 1.15.00 and under, and FLEXLAN FXA2000 Series devices running version 1.38.00 and under.

The CVE-2022-36158 flaw is a hidden system command web page that the researchers discovered by reverse engineering the firmware used by the device. The page wasn’t listed in the Wireless LAN Manager interface. It allows executing Linux commands on the device with root privileges, accessing all system files, and opening the telnet port.

“[CVE-2022-36158] – Hidden system command web page.
After performing a reverse engineering of the firmware we discovered that a hidden page not listed in the Wireless LAN Manager interface allows to execute Linux commands on the device with root privileges. From here we had access to all the system files but also be able to open the telnet port and have full access on the device.” reads the post published by the Necrum Security Labs.

The second vulnerability (CVE-2022-36159) is tied to the use of hard-coded, weak cryptographic keys and backdoor accounts. The experts discovered a shadow file containing the password hashes of two accounts, root and user.

“[CVE-2022-36159] – Use of weak Hard-coded Cryptographic Keys and backdoor account. During our investigation we also found that the /etc/shadow file contains the hash of two users (root and user) which only took us few minutes to recover by a brute-force attack.” continue the researchers. “The problem is that the owner of the device is only able to change the password for the account user from the web administration interface, because the root account is reserved for Contec, probably for maintenance purposes. This means an attacker with the root hard coded password can access all FXA2000 series and FXA3000 series devices.”

The post published by the experts demonstrates how to exploit the flaws and also includes recommendations to address them.

Researchers recommend changing the account’s user password from the web admin interface and removing the hidden engineering web page from devices in production.

The experts recommend randomly generating a different password for each device.
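A defender-side check for the condition behind CVE-2022-36159, added here as an example (it is not code from Necrum Security Labs or Contec): it reads the /etc/shadow contents of extracted firmware images and reports login-capable accounts whose hash is identical across images or uses a fast legacy scheme. The image names and hash strings are constructed placeholders, and the choice of md5crypt in the sample is an assumption, since the article does not name the scheme the devices use.

```python
from collections import defaultdict

# Constructed sample data: /etc/shadow text from two hypothetical firmware
# images. The hash strings are made-up placeholders, not real device values.
IMAGES = {
    "unit-A.img": "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:0:0:99999:7:::\n"
                  "user:$6$s1$BBBBBBBB:0:0:99999:7:::\n"
                  "daemon:*:0:0:99999:7:::\n",
    "unit-B.img": "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:0:0:99999:7:::\n"
                  "user:$6$s2$CCCCCCCC:0:0:99999:7:::\n"
                  "daemon:*:0:0:99999:7:::\n",
}

def parse_shadow(text):
    """Yield (account, hash_field) for accounts that hold a usable password hash."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        if pw == "" or pw[0] in "*!":      # no hash stored, or account locked
            continue
        yield name, pw

def weak_scheme(pw):
    """Name the crypt(3) scheme if it is cheap to brute-force offline, else None."""
    if not pw.startswith("$"):
        return "descrypt"                  # traditional DES crypt has no $ prefix
    if pw.startswith("$1$"):
        return "md5crypt"
    return None

def audit(images):
    """Return findings: weak hash schemes and hashes shared between images."""
    findings, seen = [], defaultdict(list)
    for image, text in sorted(images.items()):
        for name, pw in parse_shadow(text):
            seen[(name, pw)].append(image)
            scheme = weak_scheme(pw)
            if scheme:
                findings.append(("weak-scheme", name, scheme, image))
    for (name, _pw), where in sorted(seen.items()):
        if len(where) > 1:                 # same salt and hash on several units
            findings.append(("shared-hash", name, tuple(where)))
    return findings

if __name__ == "__main__":
    for finding in audit(IMAGES):
        print(finding)
```

A shared-hash finding means the same salt and password were baked into several images; a vendor that reuses one password with different salts would not be caught by this comparison and needs a separate review of the provisioning process.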


Pierluigi Paganini
