CVE-2023-1097
📋 TL;DR
Baicells EG7035-M11 devices running firmware BCE-ODU-1.0.8 and earlier allow an unauthenticated remote attacker to execute arbitrary commands as root by sending a crafted HTTP GET request to the device's web interface. A successful attacker gains full control of the device and can pivot from it to other resources on the network.
💻 Affected Systems
- Baicells EG7035-M11
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to persistent backdoor installation, network pivoting to internal systems, data exfiltration, and use as botnet nodes for DDoS attacks.
Likely Case
Remote code execution leading to device compromise, credential theft, network reconnaissance, and potential lateral movement within the network.
If Mitigated
Limited impact if the device's HTTP interface is reachable only from trusted management hosts (strict ingress filtering) and network segmentation prevents lateral movement from a compromised device.
🎯 Exploit Status
Exploitation requires nothing more than a crafted HTTP GET request; no credentials are needed. The vulnerability has been validated by third-party researchers, so weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BaiCE_BM_2.5.26_NA.bin
Vendor Advisory: https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756
Restart Required: Yes
Instructions:
1. Download firmware BaiCE_BM_2.5.26_NA.bin from the vendor site.
2. Log in to the device management interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the device after the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate Baicells devices in a separate VLAN with firewall rules that limit access to the management interface to designated management hosts only.
Access Control Lists
Implement network ACLs so that HTTP access to Baicells devices is permitted only from authorized management stations; because the flaw is pre-authentication, any host that can reach the HTTP service can exploit it.
🧯 If You Can't Patch
- Immediately isolate affected devices from internet and restrict network access to only necessary management IPs
- Implement strict egress filtering to prevent compromised devices from communicating with external command and control servers
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the device web interface or SSH. If the version is BCE-ODU-1.0.8 or earlier, the device is vulnerable. Note that the fixed release uses a different naming scheme (BaiCE_BM_2.5.26), so a device still reporting a BCE-ODU version string has not received the fix.
Check Version:
ssh admin@device_ip 'cat /etc/version' (the SSH account name and the version file path may differ between firmware builds), or check via the web interface at http://device_ip/status
Verify Fix Applied:
After the update, confirm that the reported firmware version is BaiCE_BM_2.5.26 or later. A crafted GET request containing shell metacharacters should then no longer result in command execution; test this only against devices you own, from an authorized host.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to the device web interface whose query parameters contain command injection patterns (shell metacharacters, `/bin/sh`, `wget`, `curl`, `nc`)
- Successful (HTTP 200) GET requests from source addresses with no preceding login; because the flaw is pre-authentication, the absence of authentication events around a suspicious request is itself notable
- Unexpected process creation (shells, download utilities, cron or startup-script changes) or other system modifications on the device
Network Indicators:
- HTTP requests to device management interface containing shell metacharacters or command strings
- Outbound connections from devices to suspicious external IPs
SIEM Query:
source="baicells-device" AND http_method="GET" AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*" OR url="*%3B*" OR url="*%7C*" OR url="*%60*" OR url="*%24%28*")
Note: match on the URL-decoded request where your SIEM provides it; attackers routinely percent-encode the metacharacters (`;` as `%3B`, `|` as `%7C`, backtick as `%60`, `$(` as `%24%28`), and a query that matches only the literal characters will miss them.
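The following Python script is an added example, not part of the original advisory or of any Baicells tooling, showing the detection logic above applied to web-server access logs. It URL-decodes each GET request (repeatedly, so double-encoded payloads are also caught) before looking for shell metacharacters, which is the case the literal SIEM query misses. The log lines, the `/cgi-bin/example` path and the IP addresses are constructed for illustration and do not identify the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real Baicells logs).
# The path /cgi-bin/example is a placeholder, not the vulnerable endpoint.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /status HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /cgi-bin/example?param=abc;id HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Mar/2023:12:00:03 +0000] "GET /cgi-bin/example?param=abc%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Mar/2023:12:00:04 +0000] "GET /cgi-bin/example?param=%2524%2528id%2529 HTTP/1.1" 200 12',
    '192.0.2.5 - - [10/Mar/2023:12:00:05 +0000] "POST /login HTTP/1.1" 302 0',
]

# Extract method and URL from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Shell metacharacters that separate or substitute commands. A bare '&' is
# deliberately excluded because it is the normal query-string separator.
META_RE = re.compile(r'(;|\||`|\$\(|&&|\n)')


def decode_url(url, max_rounds=3):
    """Percent-decode until the string stops changing, to unwrap double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def flag_line(line):
    """Return a finding dict for a GET request carrying shell metacharacters, else None."""
    match = REQUEST_RE.search(line)
    if not match or match.group("method") != "GET":
        return None
    raw_url = match.group("url")
    decoded = decode_url(raw_url)
    hit = META_RE.search(decoded)
    if not hit:
        return None
    return {
        "client": line.split()[0],
        "url": raw_url,
        "decoded": decoded,
        "token": hit.group(0),
        "encoded": decoded != raw_url,  # True when the payload only appears after decoding
    }


def scan(lines):
    """Run flag_line over every log line and collect the findings."""
    return [f for f in (flag_line(line) for line in lines) if f]


def count_by_client(findings):
    """Aggregate findings per source address for triage."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"{f['client']}  token={f['token']!r}  encoded={f['encoded']}  {f['decoded']}")
    print(count_by_client(results))
```

The double-encoded fourth line (`%2524%2528` decodes to `%24%28`, then to `$(`) is flagged only because decoding is repeated; a single `unquote` or a literal-match SIEM rule would pass it through.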
🔗 References
- https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756
- https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin