CVES

Common Vulnerabilities and Exposures
CVE MITRE: CVE-2023-31446

 ____          _            _   _            _    
/ ___|_      _(_)_ __ _   _| | | | __ _  ___| | __
\___ \ \ /\ / / | '__| | | | |_| |/ _` |/ __| |/ /
 ___) \ V  V /| | |  | |_| |  _  | (_| | (__|   < 
|____/ \_/\_/ |_|_|   \__,_|_| |_|\__,_|\___|_|\_\

CVE-2023-31446-Remote-Code-Execution

Repository contains description for CVE-2023-31446 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

CVE ID: CVE-2023-31446
Vendor: Cassia Networks
Product: Cassia Gateway Firmware
Version: <2.1.1.230309*

Vulnerability: Remote Code Execution/Remote Code Injection
Affected: gateways
Decription: queueUrl parameter in /bypass/config is not sanitized.
This leads to injecting bash code and executing it with root privileges on device startup.
Status: Confirmed by vendor, Fixed
Version Patched: 2.1.1.230720*

Details

Cassia has implemented in the past function that allows Gateways to push bluetooth scan data to the SQS Amazon Services.
The settings for mentioned functionality could be set by API endpoint:

http:///bypass/config?type=sqs&keyId=<"keyId">&key=<"keysecret">&queueUrl=<"queueServiceUrl">

Based on the investigation the SQS feature starts the service on the boot time of the device.
Service loads configuration file, where mentioned endpoint overwrite the settings.
Service after loading specified URL runs nslookup from root bash perspective what allows to run any command embeded into URL parameter.
The access to the endpoint is not authenticated by default. More of that the feature was not described in the official Cassia documentation.

Exploitation

Attacker can embed bash command ${id} into queueUrl parameter:
query

After rebooting device, gateway will run the command with root privileges (look A,AAA query):
capture

Note that gateway used linux device as gateway for easier capturing network flow and evidences

Gateway -> Default Gateway (Linux) -> Internet

Remediation