Japan’s CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O DATA router devices to modify device settings, execute commands, and even turn off the firewall.
The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled.
The vulnerabilities
The three flaws, which were identified on November 13, 2024, are information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls.
The issues are summarized as follows:
- CVE-2024-45841: Permissions on sensitive resources are misconfigured, allowing users with low-level privileges to access critical files. For example, a third party who knows the guest account credentials may access files containing authentication information.
- CVE-2024-47133: Allows authenticated administrative users to inject and execute arbitrary operating system commands on the device, exploiting insufficient input validation in configuration management.
- CVE-2024-52564: Undocumented features or backdoors in the firmware allow remote attackers to turn off the device firewall and modify settings without authentication.
The three issues impact UD-LT1, a hybrid LTE router designed for versatile connectivity solutions, and its industrial-grade version, UD-LT1/EX.
The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O DATA states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024.
As the vendor confirmed in the bulletin, customers have already reported that the flaws are being exploited in attacks.
“Recently, we received inquiries from customers using our hybrid LTE routers ‘UD-LT1’ and ‘UD-LT1/EX’, where access to the configuration interface was allowed from the internet without VPN,” reads the I-O DATA security advisory.
“These customers reported potential unauthorized access from external sources.”
Until the security updates are made available, the vendor suggests that users implement the following mitigation measures:
- Disable the Remote Management feature for all internet connection methods, including WAN Port, Modem, and VPN settings.
- Restrict access to only VPN-connected networks to prevent unauthorized external access.
- Change the default “guest” user’s password to a more complex one with over 10 characters.
- Regularly monitor and verify device settings to detect unauthorized changes early, and reset the device to factory defaults and re-configure if a compromise is detected.
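The last mitigation, regularly verifying device settings, can be scripted as a comparison against a known-good baseline. The sketch below is an added example, not I-O DATA tooling or code from the advisory: it assumes the settings have been transcribed into key=value lines, and the key names (`remote_mgmt.*`, `firewall.enabled`, `port_forward.1`) and both sample snapshots are hypothetical and constructed.

```python
# Hypothetical key names: the article does not describe the UD-LT1 settings
# format, so this assumes settings were transcribed into key=value lines.
REQUIRED = {
    "remote_mgmt.wan": "off",    # Remote Management disabled on WAN Port
    "remote_mgmt.modem": "off",  # ... on Modem
    "remote_mgmt.vpn": "off",    # ... and on VPN
    "firewall.enabled": "on",    # CVE-2024-52564 lets attackers turn this off
}

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed settings line: {line!r}")
        settings[key.strip()] = value.strip()
    return settings

def audit(baseline_text, current_text):
    """Return findings: mitigation violations first, then drift from baseline."""
    baseline, current = parse(baseline_text), parse(current_text)
    findings = []
    for key, want in REQUIRED.items():
        got = current.get(key, "<missing>")
        if got != want:
            findings.append(f"POLICY {key}: expected {want}, found {got}")
    # Any added, removed or changed key is reported, not only the required ones.
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key, "<absent>"), current.get(key, "<absent>")
        if old != new:
            findings.append(f"DRIFT {key}: {old} -> {new}")
    return findings

# Constructed sample snapshots, not taken from a real device.
BASELINE = """remote_mgmt.wan=off
remote_mgmt.modem=off
remote_mgmt.vpn=off
firewall.enabled=on"""
CURRENT = """remote_mgmt.wan=on
remote_mgmt.modem=off
remote_mgmt.vpn=off
firewall.enabled=off
port_forward.1=tcp/8080"""

if __name__ == "__main__":
    print("\n".join(audit(BASELINE, CURRENT)))
```

Any finding on a device that was reachable from the internet is a reason to follow the vendor's guidance to reset to factory defaults and re-configure.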
The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed and sold within Japan, designed to support multiple carriers like NTT Docomo and KDDI, and are compatible with major MVNO SIM cards in the country.