CVE-2024-11659
📋 TL;DR
This CVE describes a critical command injection vulnerability in EnGenius networking devices that allows remote attackers to execute arbitrary commands on affected systems. The vulnerability exists in the /admin/network/diag_iperf file where the 'iperf' argument can be manipulated to inject malicious commands. Organizations using EnGenius ENH1350EXT, ENS500-AC, and ENS620EXT devices up to November 18, 2024 are affected.
💻 Affected Systems
- EnGenius ENH1350EXT
- EnGenius ENS500-AC
- EnGenius ENS620EXT
📦 What is this software?
Enh1350ext Firmware by Engeniustech
Ens500 Ac Firmware by Engeniustech
Ens620ext Firmware by Engeniustech
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to gain root access, install persistent backdoors, pivot to internal networks, and exfiltrate sensitive data.
Likely Case
Attackers gain shell access to execute commands, potentially installing cryptocurrency miners, creating backdoors, or disrupting network services.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects and blocks exploitation attempts.
🎯 Exploit Status
Exploit details have been publicly disclosed. Attack requires access to the admin interface but may be combined with other vulnerabilities or default credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Check EnGenius website for firmware updates
2. Download latest firmware for your device model
3. Backup current configuration
4. Upload and install new firmware via web interface
5. Restart device
6. Restore configuration if needed
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the admin interface to trusted IP addresses only (replace TRUSTED_IP with your management host or range; the ACCEPT rules must come before the DROP rules):
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Vulnerable Endpoint
Block access to the vulnerable /admin/network/diag_iperf endpoint. Note that the string match only works for plaintext HTTP on port 80; on port 443 the request path is inside the TLS stream and cannot be matched, so the 443 rule below has no effect and the access restriction above remains the effective control for HTTPS:
iptables -A INPUT -p tcp --dport 80 -m string --string "/admin/network/diag_iperf" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/admin/network/diag_iperf" --algo bm -j DROP
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules
- Implement network monitoring and IDS/IPS to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface at System > Firmware or via SSH with 'cat /etc/version'
Check Version:
ssh admin@device_ip 'cat /etc/version' or check web interface System > Firmware
Verify Fix Applied:
Verify firmware version is newer than 20241118 and test the /admin/network/diag_iperf endpoint with safe payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in system logs
- Multiple failed authentication attempts followed by successful access to /admin/network/diag_iperf
- Suspicious process execution
Network Indicators:
- HTTP POST requests to /admin/network/diag_iperf with shell metacharacters
- Outbound connections from device to unusual destinations
SIEM Query:
source="device_logs" AND (url="/admin/network/diag_iperf" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")
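The network indicator above (requests to /admin/network/diag_iperf whose iperf argument carries shell metacharacters) can be checked offline against web-server access records. The script below is an added example, not part of this advisory or of any EnGenius tooling; the log records are constructed, and the allowlist for a "normal" iperf target (host/IP plus optional port) is an assumption.

```python
"""Flag requests to the EnGenius diag_iperf endpoint whose 'iperf'
argument carries shell metacharacters. Log records are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit, unquote

VULN_PATH = "/admin/network/diag_iperf"
# Separators from the SIEM query (; | ` $() plus & and newline.
METACHARS = re.compile(r"[;|`&\n]|\$\(")
# Assumed shape of a legitimate iperf target: host or IP, optional port.
SAFE_TARGET = re.compile(r"^[A-Za-z0-9.:_\[\]-]*$")

def iperf_arg(request_line: str, body: str = "") -> Optional[str]:
    """Return the decoded 'iperf' argument from the query string or POST
    body, or None if the request is not for the vulnerable endpoint."""
    try:
        method, target, _ = request_line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        params.update(parse_qs(body, keep_blank_values=True))
    values = params.get("iperf")
    # parse_qs decodes once; a second unquote catches double-encoded values.
    return unquote(values[0]) if values else ""

def is_suspicious(request_line: str, body: str = "") -> bool:
    """True when the iperf argument contains metacharacters or falls
    outside the allowlisted target shape."""
    arg = iperf_arg(request_line, body)
    if arg is None:
        return False
    return bool(METACHARS.search(arg)) or not SAFE_TARGET.match(arg)

# Constructed (method, body) records; not captured from a real device.
SAMPLE = [
    ("GET /admin/network/diag_iperf?iperf=192.0.2.10 HTTP/1.1", ""),
    ("POST /admin/network/diag_iperf HTTP/1.1", "iperf=192.0.2.10%3Becho%20probe"),
    ("POST /admin/network/diag_iperf HTTP/1.1", "iperf=192.0.2.10%7Cid"),
    ("GET /admin/network/diag_iperf?iperf=10.0.0.1%24(whoami) HTTP/1.1", ""),
    ("GET /admin/status HTTP/1.1", ""),
]

def scan(records=SAMPLE) -> list:
    """Return indexes of records that look like injection attempts."""
    return [i for i, (req, body) in enumerate(records) if is_suspicious(req, body)]

if __name__ == "__main__":
    for i in scan():
        print("ALERT record", i, SAMPLE[i])
```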