Aon’s Cyber Solutions discovered multiple command injection vulnerabilities affecting a number of Snap One Araknis Networks® switches and access points. The list of affected products and firmware versions can be found below. The vulnerabilities were discovered by Aon’s Cyber Solutions team member Howard McGreehan.
Aon would like to thank Snap One for working with us as part of our coordinated disclosure process.
Timeline:
03/21/21 – Initial disclosure to Security@SnapAV.com
06/01/21 – Issues confirmed by Snap One, firmware upgrade release dates set
10/05/21 – Patches released
06/07/22 – Aon advisory released
Vulnerability Listing / Credits:
- CVE-2021-40144: Howard McGreehan – Command Injection in datajson.cgi
- CVE-2021-40844: Howard McGreehan – Command Injection in OpenWRT LuCI
- CVE-2021-42661: Howard McGreehan – Command Injection in OpenWRT LuCI
Affected Products:
According to the vendor, the following products and firmware versions are affected:
| Product | Firmware Version | CVE ID |
|---|---|---|
| Araknis Networks AN-210 Network Switches | < 1.3.10 | CVE-2021-40144 |
| Araknis Networks AN-810 Access Points | < 2.1.02 | CVE-2021-40844 |
| Araknis Networks AN-700-O Access Points | < 2.1.02 | CVE-2021-42661 |
Command Injection in Multiple Snap One Araknis Networks Products
Overview
Multiple Snap One Araknis Networks products are vulnerable to authenticated command injection attacks within their administrative panels. This vulnerability can be triggered by sending specially crafted HTTP requests to affected models’ onboard, web-based networking tools. Exploiting these vulnerabilities allows the attacker to fully takeover the devices as the root user and may be leveraged via Cross-Site Request Forgery (CSRF).
Remediation
Firmware updates may be obtained through Snap One Partners or from the Snap One Product Support section.
Vendor Thanks:
https://www.control4.com/company/privacy-and-security/thank-you-white-hats
Author: Howard McGreehan
June 7, 2022
©Aon plc 2022
