CVE-2022-27226 An issue was found in iRZ Mobile routers' /api/crontab that allows a threat actor to create a crontab entry.

This issue affects all iRZ router models.

iRZ Mobile routers running firmware up to and including 1.1.8 (released on 2019-01-04) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.7 (released on 2018-12-16) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.6 (released on 2018-11-01) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.5 (released on 2018-09-20) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.4 (released on 2018-06-05) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.3 (released on 2018-03-22) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.2 (released on 2017-12-05) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1.1 (released on 2017-08-21) are vulnerable. iRZ Mobile routers running firmware up to and including 1.1 (released on 2017-06-05) are vulnerable. iRZ Mobile routers running firmware up to and including 1.0.9 (released on 2017-03-15) are vulnerable. iRZ Mobile routers running firmware up to and including

iRZ Mobile Routers Running Firmware 1.0.9

The following firmware versions are affected:
1.0.9 (released on 2017-03-15)
1.0.8 (released on 2018-01-04)
1.0.7 (released on 2018-12-16)
1.0.6 (released on 2018-11-01)
1.0.5 (released on 2018-09-20)
1.0.4 (released on 2018-06-05)
1.0.3 (released on 2018-03-22)

iRZ Mobile Firmware Vulnerability Summary

An attacker with physical access to a vulnerable iRZ router can exploit this vulnerability by creating a malicious configuration file on the iRZ router and then rebooting the router to load it.
Once the malicious configuration file is loaded, the modem will be rebooted, which will cause it to contact an attacker-controlled IP address, providing unauthenticated access to the host. If no authentication is configured on either the modem or interface of the attacking host, an attacker can take complete control of this device.
The following actions are recommended:
Upgrade all firmware using a different mechanism than through TFTP. This can be done automatically or manually.
Disable TFTP access altogether.

What is iRZ? iRZ is a manufacturer of routers and mobile phones. iRZ routers are used in both residential and business settings. The company develops new devices regularly, with many products launched every year. They have a wide range of top-quality products that meet the needs of all users.

Timeline

Published on: 03/19/2022 04:15:00 UTC
Last modified on: 03/28/2022 19:13:00 UTC

References

• https://en.irz.ru
• https://johnjhacking.com/blog/cve-2022-27226/
• https://github.com/SakuraSamuraii/ez-iRZ
• http://packetstormsecurity.com/files/166396/iRZ-Mobile-Router-Cross-Site-Request-Forgery-Remote-Code-Execution.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27226