Published by Chris Watts, Security Testing and Assurance on 18 October 2024
Zero-Day RCE in NetComm NTC-221 Industrial IoT M2M LTE/4G Router
Unauthenticated Remote Code Execution (RCE)
CyberCX uncovered a critical unauthenticated Remote Code Execution (RCE) vulnerability in the NetComm NTC-221 Industrial IoT M2M LTE/4G Router (NTC-221 Router). This vulnerability, accessible via the router’s web interface, enables a remote adversary to execute arbitrary code on the device without requiring authentication.
The NTC-221 router is widely deployed across various industries, particularly in rugged or remote industrial environments. It functions as a key element in industrial systems, connecting equipment to the internet via 4G networks. These routers are often used for point-to-point and point-to-multi-point communication in applications like:
- Connected elevators and escalators
- Smart building systems
- Vending and ticketing machines
- Digital signage
- Access control systems
- Surveillance cameras
- Traffic light control
- Vehicle tracking and monitoring
CVE ID: CVE-2024-26519
Credit: Chris Watts – CyberCX
CVSSv3.1 Base: 10.0
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
What We Found
Our analysis revealed that the router’s firmware did not adequately sanitise user input in some web interface fields. This flaw allows an attacker to send a specially crafted HTTP request containing a malicious payload, which exploits the input validation weakness. The payload can execute system commands with root privileges, leading to complete system compromise.
In accordance with responsible disclosure practices, we are withholding the full technical details of the vulnerability.
Impact
Exploiting this vulnerability would allow an adversary to gain remote control over the router, leading to significant consequences. The adversary could eavesdrop on network traffic, intercepting, altering, or monitoring messages sent to and from connected devices. Additionally, the router could be used as a launch point for installing malware, facilitating further attacks on other systems. The compromised device could also participate in Distributed Denial of Service (DDoS) attacks, overwhelming services with traffic and potentially causing outages. Furthermore, malicious software could propagate to other connected devices, turning the router into part of a broader, more harmful attack.
Disclosure and Current Firmware Release Status
CyberCX disclosed this vulnerability to Casa Systems, the current owner of NetComm (acquired in 2019), and raised a CVE (CVE-2024-26519). CyberCX collaborated with the vendor to retest the patched firmware and ensure thorough remediation.
Version 2.0.99.0 – Released 16/06/2020
This vulnerability was confirmed in Version 2.0.99.0 and affects all firmware versions prior to this release.
Version 2.1.22.0 – Released 4/07/2023
Although this version introduced authentication mechanisms, it did not resolve the RCE vulnerability, which could still be exploited via an authenticated session.
Version 2.1.36.0 – Released 31/07/2024
The RCE vulnerability has been fully addressed in Version 2.1.36.0, released on 31/07/2024. This update introduces user input sanitisation controls, which fully remediate the remote code execution vulnerability.
We advise all NTC-221 router users to update to Version 2.1.36.0 to ensure their systems are secure from this critical vulnerability. CyberCX commends Casa Systems for their efforts in remediating this issue and releasing the necessary patch.
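The release history above maps to three exposure states for CVE-2024-26519. The following Python script is an added example, not CyberCX or vendor code, that triages a fleet inventory by firmware version. The CSV layout, hostnames and sample versions are constructed, and builds between 2.0.99.0 and 2.1.22.0 are assumed to lack authentication.

```python
import csv
import io

# Release thresholds taken from the advisory text above.
AUTH_ADDED = (2, 1, 22, 0)   # authentication introduced, RCE still present
FIXED = (2, 1, 36, 0)        # input sanitisation added, RCE remediated


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Map a firmware version string to its CVE-2024-26519 exposure state."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # unparseable: needs manual review
    if version >= FIXED:
        return "fixed"
    if version >= AUTH_ADDED:
        return "rce-authenticated"
    # Assumption: builds between 2.0.99.0 and 2.1.22.0 have no authentication.
    return "rce-unauthenticated"


def triage(inventory_csv):
    """Return {state: [hostnames]} for a 'hostname,firmware' CSV export."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        state = classify(row["firmware"])
        result.setdefault(state, []).append(row["hostname"])
    return result


# Constructed sample inventory (hostnames, versions and layout are hypothetical).
SAMPLE = """hostname,firmware
lift-ctrl-01,2.0.99.0
signage-07,2.1.22.0
cctv-gw-03,2.1.36.0
vend-12,V2.0.57.3
traffic-04,2.1.30
"""

if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE).items()):
        print(f"{state}: {', '.join(hosts)}")
```

Devices reported as `unknown` have a version string the parser could not read and should be checked by hand rather than assumed patched.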
As part of our mission to secure our communities, CyberCX’s Security Testing and Assurance (STA) team regularly examines popular hardware products for vulnerabilities and potential exploits. Where these are discovered, we raise Common Vulnerabilities and Exposures (CVE) entries and work with the vendor to patch them as soon as possible.