CVE-2022-36158 Conf Tec FXA3200 version 1.13.00 and under has Insecure Permissions in the Wireless LAN Manager which allows malicious actors to execute Linux commands with root privilege via a hidden web page.

In version 1.14.00 and later, the Insecure Permissions vulnerability was patched by Tecnologia.

Tecnologia was contacted by the vendor on March 30th, 2018 and confirmed that the vulnerable version is version 1.13.00. Tecnologia will continue to monitor for updates from the vendor.

In version 1.13.00 and earlier, the following Linux commands can be executed by remote attackers:

- to get a list of processes running on the server
- to change the root password
- to reboot the server
- to shutdown the server
- to start/stop services
- to view the status of services
- to view the load and RAM usage
- to change the hostname
- to view the installed software
- to view the configuration of the server
- to view the status of the server

Installation and configuration

Tecnologia recommends that you upgrade your server to version 1.14.00 or later to avoid the Insecure Permissions vulnerability.
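To act on the upgrade recommendation across a fleet, the following added example (not code from the vendor or from this advisory) flags devices whose firmware is below 1.14.00. The CSV layout, host names and the `audit` helper are assumptions made for illustration; versions are compared numerically so that a string such as 1.9.02 is not mistaken for a newer release than 1.13.00.

```python
import csv
import io

# First patched release according to this advisory: 1.14.00
FIXED = (1, 14, 0)

def parse_version(text):
    """Turn '1.13.00' or 'v1.14.00' into (1, 13, 0); return None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return 'vulnerable', 'patched', or 'unknown' (needs a manual check)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per field, unlike comparing the raw strings.
    return "vulnerable" if version < FIXED else "patched"

def audit(inventory_csv):
    """Map each host in a 'host,firmware' CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["firmware"]) for row in reader}

# Constructed sample inventory; hosts and layout are hypothetical.
SAMPLE = """host,firmware
ap-lobby,1.13.00
ap-floor2,1.14.00
ap-dock,1.9.02
ap-lab,v1.14.01
ap-spare,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as unknown should be checked by hand rather than assumed patched.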

The following Linux commands can be executed by remote attackers:

- to get a list of processes running on the server
- to change the root password
- to reboot the server
- to shutdown the server
- to start/stop services
- to view the status of services
- to view the load and RAM usage
- to change the hostname
- to view the installed software
- to view the configuration of the server
- to view the status of checksum

Shipment tracking

Tecnologia is currently in contact with the vendor and will further investigate this issue.

Products and Services affected

The following products and services are affected:

- Insecure Permissions vulnerability in version 1.13.00 and later
- Linux command execution vulnerability in version 1.13.00 and earlier

Timeline

Published on: 09/26/2022 11:15:00 UTC
Last modified on: 10/03/2022 17:06:00 UTC

References