# Full Report
A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck. The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36. The severity of the shortcoming is lower due to the fact that it only works
# Analysis Summary
# Vulnerability: Unauthenticated Command Injection in Four-Faith Routers via Default Credentials
## CVE Details
- CVE ID: CVE-2024-12856
- CVSS Score: 7.2 (High)
- CWE: OS Command Injection (Inferred from description)
## Affected Systems
- Products: Four-Faith Routers
- Versions: Models F3x24 and F3x36
- Configurations: Exploitable by any attacker who can authenticate to the web interface; unauthenticated exploitation is possible where the default credentials have not been changed.
## Vulnerability Description
The vulnerability is an Operating System (OS) command injection flaw impacting Four-Faith router models F3x24 and F3x36. The flaw resides in the `/apply.cgi` endpoint when modifying the device's system time using `submit_type=adjust_sys_time`. Specifically, the injection occurs in the `adj_time_year` parameter, allowing a remote attacker to execute arbitrary OS commands.
## Exploitation
- Status: Exploited in the wild
- Complexity: Medium (Requires successful authentication, or uses default credentials for unauthenticated exploitation)
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied by remote shell execution)
- Integrity: High (Implied by remote shell execution)
- Availability: High (Implied by remote shell execution)
## Remediation
### Patches
- Specific patch details or version numbers were not provided in the source text. Users should check Four-Faith vendor advisories for updated firmware.
### Workarounds
- **Crucially, change all default credentials** on the affected routers immediately. This mitigates the path to unauthenticated exploitation.
## Detection
- **Indicators of Compromise (IoCs):**
  - Reverse shell activity originating from the router.
  - Connections originating from known malicious IP addresses (e.g., `178.215.238.91` has been linked to past exploitation attempts on Four-Faith devices).
- **Detection Methods and Tools:**
  - Network monitoring for unusual outbound connections (like reverse shells) from the router management interfaces.
  - IDS/IPS systems should be configured to look for attempts to inject commands via the `/apply.cgi` endpoint, specifically targeting the `adj_time_year` parameter POSTed with `submit_type=adjust_sys_time`.
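The following is an added detection example, not code from VulnCheck, Four-Faith or the original report. It applies the rule above to a constructed request log: a request is flagged when it POSTs to `/apply.cgi` with `submit_type=adjust_sys_time` and an `adj_time_year` value that is not a plain four-digit year. The `METHOD PATH BODY` line format, the `SAMPLE_REQUESTS` entries and the `PLACEHOLDER_CMD` token are all constructed for the example; the same allow-list check (`is_valid_year`) is what a hardened handler would apply before using the parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (not real captures). Each line is
# "METHOD PATH BODY", a minimal stand-in for an access log that retains
# POST bodies. PLACEHOLDER_CMD stands in for an injected command.
SAMPLE_REQUESTS = [
    "POST /apply.cgi submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12&adj_time_day=27",
    "POST /apply.cgi submit_type=adjust_sys_time&adj_time_year=2024;PLACEHOLDER_CMD&adj_time_month=12",
    "POST /apply.cgi submit_type=set_hostname&hostname=edge-router",
    "GET /index.html ",
    "POST /apply.cgi submit_type=adjust_sys_time&adj_time_year=%602024%60",
]

YEAR_RE = re.compile(r"^\d{4}$")


def is_valid_year(value):
    """Allow-list check: the year must be exactly four ASCII digits.

    This is the validation a hardened handler should apply before the value
    reaches anything that builds a shell command.
    """
    return YEAR_RE.match(value) is not None


def parse_body(body):
    """Parse a URL-encoded form body into {name: [values]}.

    Splits on '&' only. A parser that also treats ';' as a pair separator
    would quietly truncate "2024;cmd" to "2024" and hide the injection, so
    the detector must not rely on that behaviour.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_adjust_time(line):
    """Return a reason string if the request matches the CVE-2024-12856
    abuse pattern described in the report, otherwise None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    method, path, body = parts
    if method != "POST" or path.split("?", 1)[0] != "/apply.cgi":
        return None
    params = parse_body(body)
    if params.get("submit_type", [""])[0] != "adjust_sys_time":
        return None
    for year in params.get("adj_time_year", []):
        if not is_valid_year(year):
            return "adj_time_year is not a plain 4-digit year: %r" % year
    return None


def scan(lines):
    """Return [(index, reason)] for every flagged request in `lines`."""
    hits = []
    for index, line in enumerate(lines):
        reason = suspicious_adjust_time(line)
        if reason is not None:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print("ALERT line %d: %s" % (index, reason))
```

Running the block flags the second and fifth sample lines (the `;`-separated value and the URL-encoded backtick-wrapped value) and ignores the legitimate time change, the unrelated `set_hostname` request and the GET. Because decoding happens before the check, percent-encoding the payload does not evade the rule; an IDS signature that only matches the raw request string would need the same decoding step.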
## References
- Vendor advisories (Not explicitly linked, users must search for Four-Faith security updates for CVE-2024-12856)
- VulnCheck report: vulncheck.com/blog/four-faith-cve-2024-12856 (Defanged)
- Censys search data regarding affected devices (Defanged): search.censys.io/search?resource=hosts...