Investigating CVE-2023-4326 Affecting Milesight Industrial Routers: Exploitation, Patching Status, and Security Recommendations

Vulnerability Affecting Milesight Industrial Routers

The vulnerability affecting the Milesight Industrial Routers has been identified and is being tracked under the reference CVE-2023-4326. This vulnerability has caught the attention of the cybersecurity community worldwide as it has the potential to be exploited for data breaches and cyber-attacks. The weakness lies in how the routers handle and store network logs, thereby jeopardizing sensitive information.

Tracked as CVE-2023-4326

CVE-2023-4326 is a vulnerability identified within Milesight Industrial Routers. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known cybersecurity vulnerabilities. The documented flaw in the router system, known by this specific reference, draws worldwide attention due to its severity and potential for exploitation.

Affected logs

The vulnerability largely affects the processing and storage of the router's network logs. Logs are often a hot target for attackers as they hold a compendium of important information about network activity, including aspects related to traffic, system alerts, and error messages among others. If successfully exploited, this vulnerability could permit unauthorized access to these logs.

Information exposed and its use by attackers

The information that is potentially exposed as part of this vulnerability encompasses sensitive network activity data from the compromised routers. If accessed by attackers, this information can offer deep insights into network patterns, traffic trends, and system alerts. Cybercriminals could then leverage these data insights for malicious intent, like studying network weak spots to launch more sophisticated, tailored attacks, or selling sensitive data on the dark web.

Role of Researcher Bipin Jitiya

Bipin Jitiya, a renowned cybersecurity researcher, played a pivotal role in the discovery and disclosure of this vulnerability. Recognizing the potential threat, Jitiya's detailed investigation and reporting helped bring this information to light, demonstrating the existing vulnerability within the Milesight Industrial Routers. His continued efforts in the cybersecurity realm contribute significantly towards enhancing network security measures and promoting an understanding of emerging vulnerabilities.

Patching Status of the Vulnerability

In response to the discovered vulnerability, the vendor has stated that it was aware of the issue and had taken proactive steps towards its resolution, claiming to have released patches that fix CVE-2023-4326. Despite these assertions, the cybersecurity community and researchers have had reason to probe further into the extent of the vulnerability and the efficacy of the deployed patches.

Vendor’s Response and Released Patches

The manufacturer of Milesight industrial routers stated that it had prior knowledge of the vulnerability and had subsequently issued patches to address it. The aim was to mitigate the potential risk and prevent malicious exploitation. These patches are meant to provide an immediate protective layer against any potential data breach or unauthorized access to sensitive information.

Analysis Conducted by VulnCheck

Despite the vendor's claims, VulnCheck carried out a further, independent investigation. The cybersecurity firm conducted an in-depth analysis of the vulnerability and the provided patches. Its investigators reviewed the routers' firmware, scrutinizing the claimed fixes by comparing the firmware before and after the patch. This kind of external verification is critical in cybersecurity, as it confirms whether a vulnerability has actually been addressed rather than merely declared fixed.

Internet-exposed Milesight Devices and Vulnerable Firmware

While the vendor has released patches to address the vulnerability, the bigger challenge remains the number of potentially vulnerable devices. The total number of internet-facing Milesight devices is substantial, and a certain percentage of these are still running the vulnerable firmware. Consequently, these devices remain exposed to malicious actors who may exploit this flaw to obtain sensitive data or gain control over the networks behind them. Urgent firmware updates are thus crucial to safeguard these at-risk networks.

Observed Exploitation of the Vulnerability

Despite various efforts to diminish the possible impact of the identified router vulnerability, there have been episodes of potential small-scale exploitation. These incidents showcase the manner in which cyber attackers can subtly infiltrate systems, demonstrating the latent potency of such vulnerabilities when left unattended or insufficiently patched.

Description of Potential Small-Scale Exploitation

An instance of potential exploitation was observed where a single IP address was seen attempting to log into six different systems. Although the affected systems were geographically dispersed, from France to Lithuania and Norway, the activity showed a distinct pattern: in most cases, the attacker managed to authenticate on the first attempt. While this was not mass exploitation, the orchestrated maneuver represents a directed and selective targeting strategy, indicative of small-scale but potentially significant exploitation.

Details on Attacker Actions Post-Authentication

Once authenticated, the attackers exhibited a pattern of browsing various settings and status pages, such as the SMS Inbox, OpenVPN servers, user data and DDNS configuration, without making changes. This behaviour is consistent with reconnaissance, where attackers skim through vital settings and configurations to map out the system's infrastructure and identify potential weak points for future exploitation. It appears that the goal was to familiarize themselves with the system's landscape rather than to overtly disrupt it immediately.
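A defender can look for exactly this pattern in router audit logs: one source address authenticating on the first attempt across several devices and then viewing sensitive pages with read-only requests. The following detection sketch is an added example, not code from the article or from Milesight or VulnCheck; the log format, device names, addresses and page paths are all constructed for illustration.

```python
"""Flag sources that log in first-try on several routers and then only browse
sensitive status/config pages (reconnaissance, no changes). Log format and
page paths are constructed for this example and are not Milesight's."""
from collections import defaultdict
import re

# Constructed audit record: <device> src=<ip> <event> <method> <path>
LOG_LINE = re.compile(
    r"^(?P<dev>\S+) src=(?P<src>\S+) (?P<event>login_ok|login_fail|http) "
    r"(?P<method>\S+) (?P<path>\S+)$")

# Hypothetical page paths standing in for the SMS inbox, OpenVPN, user and DDNS pages
SENSITIVE_PAGES = {"/status/sms_inbox", "/config/openvpn", "/config/users", "/config/ddns"}

# Constructed sample: a legitimate admin (192.0.2.10) fails once, then changes DDNS;
# a second source (198.51.100.7) logs in first-try on three routers and only reads pages.
SAMPLE_LOG = """\
rtr-fr-01 src=192.0.2.10 login_fail - -
rtr-fr-01 src=192.0.2.10 login_ok - -
rtr-fr-01 src=192.0.2.10 http POST /config/ddns
rtr-fr-01 src=198.51.100.7 login_ok - -
rtr-fr-01 src=198.51.100.7 http GET /status/sms_inbox
rtr-fr-01 src=198.51.100.7 http GET /config/openvpn
rtr-lt-02 src=198.51.100.7 login_ok - -
rtr-lt-02 src=198.51.100.7 http GET /config/users
rtr-no-03 src=198.51.100.7 login_ok - -
rtr-no-03 src=198.51.100.7 http GET /config/ddns
""".splitlines()

def analyze(lines, min_devices=3):
    """Return {src: {"devices", "pages", "changes"}} for every source that
    authenticated with no prior failure on at least min_devices distinct routers."""
    first_try = defaultdict(set)   # src -> devices logged into without an earlier failure
    failed = set()                 # (src, dev) pairs that failed before succeeding
    pages = defaultdict(set)       # src -> sensitive pages viewed after login
    changes = defaultdict(int)     # src -> non-GET requests to sensitive pages
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                # skip malformed records rather than guess
        dev, src, event, method, path = m.groups()
        if event == "login_fail":
            failed.add((src, dev))
        elif event == "login_ok" and (src, dev) not in failed:
            first_try[src].add(dev)
        elif event == "http" and path in SENSITIVE_PAGES:
            pages[src].add(path)
            if method != "GET":
                changes[src] += 1
    return {src: {"devices": sorted(devs), "pages": sorted(pages[src]), "changes": changes[src]}
            for src, devs in first_try.items() if len(devs) >= min_devices}

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"suspicious source {src}: {info}")
```

A result with several devices, several sensitive pages and zero changes matches the read-only reconnaissance described above; the legitimate admin is excluded because of the initial failed login.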

Potential for Pivoting into the ICS Network

In the course of these potential attacks, it was also noted that, in some cases, VPN servers were configured on victim systems. By obtaining clear-text credentials through the vulnerability, attackers might gain enough of a foothold to pivot further into the Industrial Control System (ICS) network. If successful, this could pose a significant threat, as ICS networks often control key operational processes within industrial setups. Unauthorized access to these networks could lead to severe disruptions and, depending on the industry sector, catastrophic consequences.

Use of Vulnerable UR-series Routers and Security Recommendations

The UR-series routers, which include the affected models UR5X, UR32L, UR32, UR35 and UR41, are primarily used in industrial settings due to their rugged design and durability. It is the vulnerability within these routers that has raised security concerns. Following these developments, several security recommendations have been issued and information shared to mitigate the risk.

Fields of Utilization for UR-Series Routers

Milesight's UR-series of industrial routers are frequently used across a wide array of sectors due to their reliable structure and capabilities. They are primarily seen in urban infrastructure systems, industrial control systems (ICS), transportation systems and other harsh or outdoor environments. Given the key roles these fields play, a breach via an exploited vulnerability could have significant operational and safety implications. Consequently, securing these devices against recognized vulnerabilities like CVE-2023-4326 is of paramount importance.

Reactionary Times News Desk