CVE-2024-55547
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on ORing IAP-420 devices through SNMP objects in NET-SNMP. Attackers can inject malicious commands into SNMP requests, potentially gaining full control of affected devices. This affects all ORing IAP-420 devices running firmware version 2.01e or earlier.
💻 Affected Systems
- ORing IAP-420
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, disrupt industrial operations, or use devices as botnet nodes.
Likely Case
Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement within industrial networks.
If Mitigated
Limited impact if SNMP access is restricted to trusted networks and proper network segmentation is implemented.
🎯 Exploit Status
Detailed technical analysis and proof-of-concept code are publicly available in the referenced advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
1. Contact ORing for firmware updates or security advisories.
2. Monitor the vendor website for security patches.
3. Apply any available firmware updates immediately.
🔧 Temporary Workarounds
Disable SNMP Service
Completely disable the SNMP service on affected devices if it is not required for operations.
ssh admin@device-ip
configure terminal
no snmp-server enable
Restrict SNMP Access
Configure firewall rules to restrict SNMP access to trusted management networks only. Replace trusted-network with the management CIDR; because iptables evaluates rules in order, the ACCEPT rule must be inserted before the DROP rule.
iptables -A INPUT -p udp --dport 161 -s trusted-network -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules blocking all unnecessary inbound traffic.
- Implement network monitoring and intrusion detection specifically for SNMP traffic to/from these devices.
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or SSH: System > Firmware Information. If the version is 2.01e or earlier, the device is vulnerable.
Check Version:
ssh admin@device-ip 'cat /etc/version'
or check the web interface at System > Firmware Information
Verify Fix Applied:
Verify that the SNMP service is disabled or that the firmware version is later than 2.01e. SNMP walk commands from unauthorized networks should fail.
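When checking a fleet of devices, the "2.01e or earlier" rule has to be applied to version strings with a trailing letter, which plain string comparison gets wrong (for example "2.10" sorts before "2.01e" as text). The following helper is an added example, not ORing tooling or code from this advisory; it assumes the firmware version format is major.minor with an optional lower-case letter suffix, as seen in "2.01e", and rejects anything else rather than guessing.

```python
import re

# Assumed format: <major>.<minor>[<letter>], e.g. "2.01e". Only "2.01e" is
# attested by the advisory; other shapes raise ValueError instead of guessing.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '2.01e' into the comparable tuple (2, 1, 'e').

    The letter suffix sorts after the bare number, so 2.01 < 2.01a < 2.01e.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, letter = m.groups()
    return (int(major), int(minor), letter)


# Last firmware version the advisory lists as affected.
LAST_VULNERABLE = parse_version("2.01e")


def is_vulnerable(version):
    """True when the reported version is 2.01e or earlier."""
    return parse_version(version) <= LAST_VULNERABLE


if __name__ == "__main__":
    # Constructed inventory, not real device output.
    for host, ver in [("iap-420-a", "2.01e"), ("iap-420-b", "2.01f"), ("iap-420-c", "1.99z")]:
        state = "VULNERABLE" if is_vulnerable(ver) else "ok"
        print(f"{host}: firmware {ver} -> {state}")
```

Feed it the string from `cat /etc/version` or the web interface; a version the regex does not recognise is a reason to inspect the device by hand, not to mark it patched.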
📡 Detection & Monitoring
Log Indicators:
- Unusual SNMP requests from unexpected sources
- Failed authentication attempts on SNMP service
- System command execution logs from SNMP processes
Network Indicators:
- SNMP traffic from external IP addresses
- Unusual SNMP OID requests
- SNMP packets containing shell metacharacters
SIEM Query (pseudo-syntax; inbound SNMP requests to the agent have destination port UDP/161, so match on the destination port rather than the source port, which would only catch agent responses):
dest_port=161 AND (payload CONTAINS ";" OR payload CONTAINS "|" OR payload CONTAINS "`" OR payload CONTAINS "$")
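The indicators above, applied to log records, as an added example that is not part of this advisory and not ORing or NET-SNMP code: it keeps only requests addressed to UDP/161 (agent responses carry 161 as the source port and are skipped), raises a high-severity finding when a request value contains shell metacharacters regardless of source, and a medium-severity finding for any SNMP request from outside the trusted management networks. The key=value record format, field names, addresses and trusted CIDR are assumptions; the OIDs are standard MIB-2 objects used only as placeholders.

```python
import ipaddress
import re

# Assumed key=value record format (not a real ORing or NET-SNMP log format).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Shell metacharacters from the advisory's indicators, plus & and newline.
METACHARS = re.compile(r"[;|`$&\n]")
SNMP_AGENT_PORT = "161"

# Constructed sample records: a trusted GET, a SET with metacharacters from
# outside, a SET with metacharacters from inside, a plain request from outside,
# and one agent *response* (source port 161) that must be ignored.
SAMPLE_LOGS = [
    'ts=2024-12-10T10:00:01Z src=10.10.5.20 sport=50321 dst=10.10.8.5 dport=161 op=GET oid=1.3.6.1.2.1.1.5.0 value=-',
    'ts=2024-12-10T10:00:07Z src=203.0.113.44 sport=41222 dst=10.10.8.5 dport=161 op=SET oid=1.3.6.1.2.1.1.5.0 value="abc;def"',
    'ts=2024-12-10T10:00:09Z src=10.10.5.21 sport=41300 dst=10.10.8.5 dport=161 op=SET oid=1.3.6.1.2.1.1.5.0 value="$(x)"',
    'ts=2024-12-10T10:00:12Z src=198.51.100.9 sport=55555 dst=10.10.8.5 dport=161 op=GET oid=1.3.6.1.2.1.1.1.0 value=-',
    'ts=2024-12-10T10:00:12Z src=10.10.8.5 sport=161 dst=10.10.5.20 dport=50321 op=RESPONSE oid=1.3.6.1.2.1.1.5.0 value="abc|x"',
]
TRUSTED_NETWORKS = ["10.10.5.0/24"]  # assumed management network


def parse_record(line):
    """Split one key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def analyze(lines, trusted_networks):
    """Return findings for SNMP requests; records whose dport is not 161 are skipped."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("dport") != SNMP_AGENT_PORT:
            continue  # response or unrelated traffic, not a request to the agent
        src = ipaddress.ip_address(rec["src"])
        from_untrusted = not any(src in net for net in trusted)
        value = rec.get("value", "")
        if METACHARS.search(value):
            findings.append({"src": rec["src"], "oid": rec.get("oid"), "severity": "high",
                             "reason": "shell metacharacters in SNMP request value"})
        elif from_untrusted:
            findings.append({"src": rec["src"], "oid": rec.get("oid"), "severity": "medium",
                             "reason": "SNMP request from outside trusted networks"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS, TRUSTED_NETWORKS):
        print(f"{f['severity']:6} {f['src']:15} {f['reason']} (oid {f['oid']})")
```

The metacharacter check deliberately applies to trusted sources too: a compromised management host is still the likeliest path into an isolated VLAN, and a legitimate SNMP SET on these devices has no reason to carry `;`, `|`, a backtick or `$`.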