CVE-2023-31446
Description
In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code injection in Cassia Gateway firmware via unsanitized queueUrl parameter executed at boot with root privileges.
Vulnerability
The queueUrl parameter in the /bypass/config endpoint is not sanitized before being used on device startup in Cassia Gateway firmware versions XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947 (and any version below 2.1.1.230309*). The endpoint is designed to configure Amazon SQS settings for pushing Bluetooth scan data; the service loads a configuration file at boot and runs nslookup from a root bash context using the provided queueUrl, allowing injection of arbitrary bash commands. Access to the endpoint is unauthenticated by default, and the feature was not described in official documentation. [1][2][3]
Exploitation
An attacker can craft a request such as http:///bypass/config?type=sqs&keyId=&key=&queueUrl=, embedding a bash command inside the queueUrl parameter (e.g., ${id}). When the gateway is rebooted, the injected command executes as root. No authentication is required to reach the endpoint, and no user interaction beyond a reboot is needed for the payload to trigger. [2][3]
Impact
Successful exploitation allows arbitrary remote code execution with root privileges on the gateway at startup. The attacker gains full control over the affected device, potentially leading to complete confidentiality, integrity, and availability compromise of the gateway and any connected Bluetooth IoT infrastructure. [2][3]
Mitigation
Cassia has confirmed the vulnerability and released a fix in firmware version 2.1.1.230720* [2][3]. Users should update to the latest patched version available from Cassia Networks. Until upgrading, enabling API authentication (if supported by the deployed version) and monitoring traffic to the /bypass/config endpoint can reduce risk. Devices running versions below the fix remain exposed. [2][3]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
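One way to act on the monitoring advice in the Mitigation paragraph above, as an added example (not code from Cassia or from this advisory): it reports every request to /bypass/config found in web or proxy logs and escalates any queueUrl that is not exactly an SQS queue URL. The combined-log-format input, the function names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Standard SQS queue URL: https://sqs.<region>.amazonaws.com/<12-digit account>/<queue>
SQS_URL = re.compile(
    r"https://sqs\.[a-z0-9-]+\.amazonaws\.com/[0-9]{12}/[A-Za-z0-9_-]{1,80}(\.fifo)?")
# Assumed input: combined-log-format lines from a proxy or sensor in front of the
# gateway (the gateway's own log format is not described on the page).
REQUEST = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[0-9.]+"')

def classify(log_line):
    """Return None, 'config-change' or 'suspicious-queueUrl' for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if target.path.rstrip("/") != "/bypass/config":
        return None
    # parse_qs percent-decodes, so encoded shell metacharacters are checked in clear.
    params = parse_qs(target.query, keep_blank_values=True)
    for value in params.get("queueUrl", []):
        # Allowlist, not a metacharacter blocklist: anything that is not exactly
        # an SQS queue URL is escalated.
        if not SQS_URL.fullmatch(value):
            return "suspicious-queueUrl"
    # The endpoint is unauthenticated by default, so even a clean change is reported.
    return "config-change"

def scan(lines):
    """Return [(line_number, verdict)] for every line that touches the endpoint."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

SAMPLE = [  # constructed log lines, not captured traffic
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /bypass/config?type=sqs&keyId=K&key=S'
    '&queueUrl=https://sqs.us-east-1.amazonaws.com/123456789012/scan-data HTTP/1.1" 200 2',
    '192.0.2.77 - - [01/Jan/2024:10:03:41 +0000] "GET /bypass/config?type=sqs&keyId=&key='
    '&queueUrl=%24%7Bid%7D HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(number, verdict)
```

Because the injected value only runs at the next boot, a 'suspicious-queueUrl' hit on a device that has not yet restarted is a chance to correct the stored configuration before the payload triggers.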
Affected products
- Cassia/Cassia Gateway firmware
- Range: = XC1000_2.1.1.2303082218, XC2000_2.1.1.2303090947
Patches
No patches discovered yet.
References