Three security vulnerabilities have been found in Trend Micro’s Home Network Security systems, which can allow denial of service (DoS), privilege escalation, code execution and authentication bypass.
The Home Network Security Station is an all-in-one device that scans for vulnerabilities for connected devices, performs intrusion detection and allows consumers to control access settings for all devices on the network.
The bugs, discovered by Cisco Talos researchers, are two high-severity stack buffer overflows, both with CVSS scores of 7.8 out of 10 (CVE-2021-32457, CVE-2021-32458); and one hardcoded password issue, with a medium-severity CVSS score of 4.9 (CVE-2021-32459).
CVE-2021-32457, CVE-2021-32458: Stack Buffer Overflow Bugs
Both of these issues are privilege-escalation bugs would allow attackers who have already compromised the device to gain administrative access to the Station and be able to make changes to its settings, access permissions and more, Talos researchers said. They can also enable DoS and code-execution, according to the advisories.
They’re both exploitable via specially crafted input/output control (ioctl) requests. Ioctl is a system call for device-specific input/output operations that are created using a parameter that specifies a request code; the effect of a call depends completely on the request code.
In the case of CVE-2021-32457, the issue is caused by the lack of input validation on a user’s ioctl request from user land:
“The upper 16 bits from the ioctl request (AND with 0x3FFF, so 14 bits total) are blindly used as input to __memzero to a stack-based buffer in kernel space. The stack-based buffer is smaller than the maximum ioctl request copy size of 0x3FFF and thus overflows. A user can leverage this to write \x00 to a large portion of the kernel stack.”
This causes a kernel panic leading to DoS and which could be leveraged into privilege escalation.
The second flaw is also caused by the lack of input validation on a user’s ioctl request from user land, according to the vulnerability advisory – potentially leading to code execution, privilege escalation and device takeover:
“The upper 16 bits from the ioctl request (AND with 0x3FFF, so 14 bits total) are blindly used as input to __copy_from_user to a stack-based buffer in kernel space,” it read. “The stack-based buffer is smaller than the maximum ioctl request copy size of 0x3FFF and thus overflows. A user can carefully craft input such that they could get control over PC within due to this copy.”
CVE-2021-32459: Hard-Coded Home Security Password
Researchers from Talos also discovered a set of hardcoded credentials on the device, which an attacker could exploit to gain access to information collected by the Station. From there, an adversary could create files, change permissions on files and upload arbitrary data to an SFTP server, according to the advisory.
Specifically, the bug exists in Trend Micro Home Network Security’s log collection server feature (logs.trendmicro.com), which could be exploited for arbitrary authentication by sending a specially designed network request.
“The log server is utilized to dump all information that the device collects back to Trend Micro’s infrastructure, and can include identifiable information of the networks that the data originated from,” according to the advisory. “The username and password are hard-coded in the core binary of the HNS device as diamond:bahV6AtJqZt4K. On the SFTP server, these credentials can be used to create files, change permissions on files and upload arbitrary data to the server. This could result in the loss of the logs if files are overwritten, or data exfiltration could occur if it is possible to download data.”
Vulnerable Trend Micro Home Network Security Stations version 6.1.567 and below are vulnerable to the bugs; the security vendor has released patches to address all three issues.
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.
