CVE-2024-7120
📋 TL;DR
This critical vulnerability allows remote attackers to execute arbitrary operating system commands on affected Raisecom gateway devices by manipulating the 'template' parameter in the web interface. Attackers can gain full control of vulnerable devices without authentication. All organizations using Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices with version 3.90 are affected.
💻 Affected Systems
- Raisecom MSG1200
- Raisecom MSG2100E
- Raisecom MSG2200
- Raisecom MSG2300
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to pivot to internal networks, deploy ransomware, steal credentials, or establish persistent backdoors.
Likely Case
Device takeover leading to network disruption, data exfiltration, or use as a foothold for lateral movement.
If Mitigated
Limited impact if devices are isolated in separate VLANs with strict network segmentation and egress filtering.
🎯 Exploit Status
Exploit details have been publicly disclosed and require minimal technical skill to execute. The attack can be initiated remotely without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available at time of analysis
Restart Required: No
Instructions:
1. Monitor Raisecom vendor website for security advisories.
2. Apply any available firmware updates immediately.
3. If no patch is available, implement workarounds and monitor for updates.
🔧 Temporary Workarounds
Disable Web Interface
Disable the vulnerable web interface component if not required for operations (all platforms)
# Access device CLI and disable web interface
# Configuration commands vary by device model
Network Access Control
Restrict access to device web interface using firewall rules (Linux)
# Example iptables rule to restrict web interface access
# trusted_network is a placeholder: replace it with your management subnet in CIDR notation
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in a separate VLAN with strict egress filtering
- Implement network-based intrusion detection rules to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or CLI. If the version is 3.90 on an affected model, the device is vulnerable.
Check Version:
# Via CLI: show version | include Software
# Via web: Navigate to System Information page
Verify Fix Applied:
Verify that the firmware version has been updated to a version later than 3.90, or that the web interface is disabled or restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed login attempts followed by successful access
- Web interface access from unexpected IP addresses
Network Indicators:
- HTTP requests to list_base_config.php with suspicious template parameters
- Outbound connections from gateway devices to unexpected destinations
SIEM Query:
source="gateway_logs" AND (uri="*list_base_config.php*" AND param="*template=*" AND (param="*;*" OR param="*|*" OR param="*`*"))
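An added example, not part of the original advisory or any vendor tooling: the same check as the SIEM query, applied to web access log lines after percent-decoding the template value, so encoded forms of the ; | ` characters are matched as well. The combined access-log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters the SIEM query on this page looks for in the template parameter.
SHELL_META = set(";|`")
TARGET = "list_base_config.php"
# Source address and request URI of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def suspicious_template(uri):
    """Return the decoded 'template' value if it holds a shell metacharacter, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith(TARGET):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True, separator="&"):
        if key == "template":
            decoded = unquote(value)  # second pass also catches double-encoded values
            if SHELL_META & set(decoded):
                return decoded
    return None

def scan(lines):
    """Return a list of (source_ip, decoded_template) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        value = suspicious_template(m.group("uri"))
        if value is not None:
            hits.append((m.group("src"), value))
    return hits

# Constructed sample lines: documentation IP ranges and harmless marker values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2024:10:00:00 +0000] "GET /list_base_config.php?page=1&template=default HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2024:10:00:05 +0000] "GET /list_base_config.php?template=default%3BMARKER HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Aug/2024:10:00:09 +0000] "GET /list_base_config.php?template=default%257CMARKER HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Aug/2024:10:01:00 +0000] "GET /index.php?template=a%3Bb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT {src} template={value!r}")
```

A query that matches only the raw characters would miss the second and third sample lines, which carry the same characters in percent-encoded and double-encoded form.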
🔗 References
- https://netsecfish.notion.site/Command-Injection-Vulnerability-in-RAISECOM-Gateway-Devices-673bc7d2f8db499f9de7182d4706c707?pvs=4
- https://vuldb.com/?ctiid.272451
- https://vuldb.com/?id.272451
- https://vuldb.com/?submit.380167