Experts warn of critical flaws in Flexlan devices that provide WiFi on planes

Researchers have discovered two critical vulnerabilities (CVE-2022-36158 and CVE-2022-36159) in Flexlan devices that provide WiFi on airplanes.

Necrum Security Labs researchers have discovered two critical vulnerabilities, tracked as CVE-2022-36158 and CVE-2022-36159, affecting Contec Flexlan FXA3000 and FXA2000 series LAN devices.

The FXA3000 and FXA2000 series are access points manufactured by the Japanese company Contec and comply with the IEEE 802.11n/a/b/g wireless standard.

These devices are installed in aircraft to provide internet connectivity to passengers. An attacker can exploit the above vulnerabilities to compromise the in-flight entertainment system and potentially conduct other malicious activities.

“Our wireless products, the FLEXLAN FX3000/2000 series, have been found to have a firmware vulnerability. There are possibilities of data plagiarism, tampering and destroying the system with malicious programs if this vulnerability has been exploited by malicious attackers,” reads the notice published by Contec. “We have a private web page for developers to run system commands, which is not linked to any other web configuration page. There are possibilities for data plagiarism, tampering, system destruction and malware execution if this vulnerability is exploited by malicious attackers who can access this private web page (with password information).”

The issues affect Contec FLEXLAN FXA3000 series devices running firmware version 1.15.00 and below, and FLEXLAN FXA2000 series devices running firmware version 1.38.00 and below.


The CVE-2022-36158 flaw is a hidden system command web page that was discovered by reverse engineering the firmware used by the device. The page is not listed in the Wireless LAN Manager interface and allows running Linux commands on the device with root privileges, accessing all system files and opening the telnet port.

“[CVE-2022-36158] – Hidden system command web page.
After reverse engineering the firmware, we discovered that a hidden, unlisted page in the Wireless LAN Manager interface allows running Linux commands on the device with root privileges. From there we had access to all system files, but we could also open the telnet port and have full access to the device,” reads the message posted by Necrum Security Labs.

The second vulnerability (CVE-2022-36159) is related to the use of hardcoded weak cryptographic keys and backdoor accounts. Experts discovered a shadow file containing the password hashes of two accounts, root and user.

“[CVE-2022-36159] – Use of weak hardcoded cryptographic keys and backdoor account. During our investigation, we also discovered that the /etc/shadow file contains the hash of two users (root and user) which only took us a few minutes to retrieve through a brute force attack,” continue the researchers. “The problem is that the device owner can only change the account user’s password from the web admin interface, because the root account is reserved for Contec, probably for purposes of maintenance. This means that an attacker with the hard-coded root password can access all FXA2000 and FXA3000 series devices.”

The post published by the experts shows how to exploit the flaws and includes recommendations to fix them.

The researchers recommend changing the account user password from the web administration interface and removing the hidden engineering web page from devices in production.

Experts recommend randomly generating a different password for each device.
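A build-time check for the CVE-2022-36159 class of problem, added here as an example and not taken from Necrum Security Labs, Contec or the original article: it parses an /etc/shadow from an unpacked firmware image and reports every account that ships with a usable credential, since that credential is identical on every device flashed with the image. The sample file, its placeholder hashes and the function names `classify` and `audit_shadow` are assumptions made for illustration.

```python
import re

# Constructed sample of an /etc/shadow from an unpacked firmware image.
# The hash strings are placeholders, not values from any real device.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:10933:0:99999:7:::
user:aaBBccDDeeFFg:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
nobody:!:10933:0:99999:7:::
svc:$6$saltsalt$placeholderhash:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' characters.
PREFIXES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}  # fast to brute force, or no password

def classify(field):
    """Name the scheme of a shadow password field; None means login is locked."""
    if field == "":
        return "empty"              # account logs in without a password
    if field[0] in "*!":
        return None                 # locked or disabled, no usable hash
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m:
        return PREFIXES.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"           # traditional DES crypt has no '$' prefix
    return "unknown"

def audit_shadow(text):
    """Report every account that ships in the image with a usable credential."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        scheme = classify(parts[1])
        if scheme is None:
            continue
        # Any hash baked into the image is shared by all devices (medium);
        # a weak scheme or empty field makes it quickly recoverable (high).
        severity = "high" if scheme in WEAK else "medium"
        findings.append({"user": parts[0], "scheme": scheme, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['severity']:6} {f['user']:8} {f['scheme']}")
```

Run against the shadow file of each release image, a non-empty result means the image still carries a fleet-wide credential that should be replaced by a per-device password set at provisioning.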


Pierluigi Paganini
