CVE-2024-24301
Description
Command Injection vulnerability discovered in 4ipnet EAP-767 device v3.42.00 within the web interface of the device allows attackers with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection via ping utility in 4ipnet EAP-767 (v3.42.00) allows authenticated attackers to execute arbitrary shell commands as root.
Vulnerability
The 4ipnet EAP-767 device, running firmware version 3.42.00, contains an OS command injection vulnerability (CWE-78) within the web interface's ping diagnostic utility. The /getPing.egi endpoint accepts a url parameter used to construct a shell command without proper sanitization. The device is also affected by an access control weakness (CWE-284) where the session cookie remains unchanged for the lifetime of the credential, enabling credential fixation. The login page is exposed to the internet, and default credentials are well-documented [1].
Exploitation
An attacker must have valid credentials to the device's web interface. Using the unchanged session cookie, the attacker can craft an HTTP request to /getPing.egi?url= appended with a shell command injection payload (e.g., using ; or |). The backend executes the crafted command with root privileges. No additional user interaction is required beyond the initial authenticated request [1].
Impact
Successful exploitation allows an attacker to execute arbitrary shell commands on the device as root. This results in full compromise of the device, including unauthorized access to sensitive data, modification of system configuration, and potential use of the device as a pivot point for lateral movement within the network [1].
Mitigation
The developer (4ipnet) disbanded in October 2020, and no firmware updates or patches will be provided. Administrators should immediately discontinue use of the EAP-767 device and switch to alternative products. If continued use is necessary, mitigate exposure by disabling internet access to the management interface, changing default credentials, and restricting network access via firewall rules [1].
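Where the device must stay in service behind a proxy or firewall that logs HTTP requests, the request pattern described under Exploitation can be flagged from those logs. The following is an added example, not code from the advisory or from 4ipnet; the Common Log Format input, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Characters that can appear in a literal IP address or hostname.
SAFE_CHARS_RE = re.compile(r"[A-Za-z0-9.:-]+")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Source address and request target of a Common Log Format line (assumed format).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def is_plain_ping_target(value):
    """True only for a literal IP address or a syntactically valid hostname."""
    # Allowlist first: rejects shell metacharacters, whitespace, newlines
    # and IPv6 zone suffixes ("%..."), which ip_address() would accept.
    if len(value) > 253 or not SAFE_CHARS_RE.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.fullmatch(value))

def suspicious_ping_requests(log_lines):
    """Return (source, decoded value) for each /getPing.egi request whose
    url parameter is not a plain host or IP address."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/getping.egi":
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen as-is.
        for value in parse_qs(parts.query, separator="&").get("url", []):
            if not is_plain_ping_target(value):
                hits.append((m.group("src"), value))
    return hits

# Constructed sample log lines; PLACEHOLDER stands in for injected text.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /getPing.egi?url=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /getPing.egi?url=example.com HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /getPing.egi?url=192.0.2.1%3BPLACEHOLDER HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /getPing.egi?url=example.com%7CPLACEHOLDER HTTP/1.1" 200 530',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Calling `suspicious_ping_requests(SAMPLE_LOG)` returns the two requests from 198.51.100.7; the check validates the value against an allowlist rather than searching for specific metacharacters, so it also catches separators other than `;` and `|`.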
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4ipnet/EAP-767
Patches
No patches discovered yet.