
Warning: Multiple vulnerabilities in Teltonika RUT/RMS, Patch Immediately!

Reference: Advisory #2023-56
Version: 1.0
Affected software:
Remote Management System (RMS): Versions prior to 4.14.0
RUT model routers: Version 00.07.00 through 00.07.03.4
Type: Multiple improper authentication, XSS, SSRF and command injection vulnerabilities
CVE/CVSS:

CVE-2023-32346: CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE-2023-32347: CVSS 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-32348: CVSS 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
CVE-2023-2586: CVSS 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-2587: CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVE-2023-2588: CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVE-2023-32349: CVSS 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-32350: CVSS 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://wiki.teltonika-networks.com/

 

Risks

Multiple critical vulnerabilities are present in Teltonika's Remote Management System and RUT model routers. The combination of a low attack complexity, remote exploitability and no privileges required makes these vulnerabilities highly critical for any exposed device.
Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices. The impact on Confidentiality, Integrity and Availability is high.

Description

Most critical vulnerabilities affecting RMS

CVE-2023-32346 is an Observable Response Discrepancy vulnerability that allows the attacker to get a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System. The obtained information can be used as a starting point for subsequent exploits.

CVE-2023-32347 is an improper authentication vulnerability that allows an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices. An attacker only needs the serial number and MAC address of a device for authentication.

CVE-2023-32348 is an SSRF vulnerability that allows an attacker to route a connection to a remote server through the OpenVPN feature present in the RMS. This enables the attacker to scan and access data from other Teltonika devices connected to the VPN.

CVE-2023-2586 is an improper authentication vulnerability that allows an unauthorized attacker to register previously unregistered devices through the RMS platform. This could enable the attacker to perform different operations on the user's devices, including remote code execution with 'root' privileges.

Most critical vulnerabilities affecting RUT routers

CVE-2023-32350 is an OS command injection vulnerability present in the Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.

The attack vector is adjacent, but considering the vulnerabilities present in the RMS, an attacker could easily pivot towards the RUT routers.

 

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that Windows system administrators take the following actions:

  • Apply the latest patches as instructed by the vendor: https://wiki.teltonika-networks.com/view/MainPage
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs).

 

More Information

Affected Software breakdown:

  • Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588)
  • Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586)
  • RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)
  • RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350)
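
A version-range check built from the breakdown above, added here as an example (not code from the vendor or from this advisory's authors). Versions are compared numerically per component, because a plain string comparison ranks 4.9.0 above 4.14.0 and would report it as unaffected. The function names and inventory rows are constructed for illustration.

```python
# Added example: maps a version to the CVEs in this advisory's breakdown list.

def parse_version(text):
    """'00.07.03.4' -> (0, 7, 3, 4). Trailing zeros are dropped so that
    '4.10' == '4.10.0' and '00.07.03.0' == '00.07.03'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

RMS_EARLY = ["CVE-2023-32346", "CVE-2023-32347", "CVE-2023-32348",
             "CVE-2023-2587", "CVE-2023-2588"]

# (product, lowest affected or None, upper bound, bound inclusive?, CVEs)
# Assumption: "through X" is read as an inclusive numeric upper bound.
RULES = [
    ("RMS", None, "4.10.0", False, RMS_EARLY),
    ("RMS", None, "4.14.0", False, ["CVE-2023-2586"]),
    ("RUT", "00.07.00", "00.07.03.4", True, ["CVE-2023-32349"]),
    ("RUT", "00.07.00", "00.07.03", True, ["CVE-2023-32350"]),
]

def applicable_cves(product, version):
    """Return the sorted CVE ids the advisory lists for this product version."""
    v = parse_version(version)
    hits = []
    for prod, low, high, inclusive, cves in RULES:
        if prod != product.upper():
            continue
        if low is not None and v < parse_version(low):
            continue
        bound = parse_version(high)
        if v < bound or (inclusive and v == bound):
            hits.extend(cves)
    return sorted(hits)

# Constructed sample inventory: (asset name, product, version).
INVENTORY = [
    ("rms-portal", "RMS", "4.9.0"),
    ("rms-staging", "RMS", "4.12.1"),
    ("site-a-router", "RUT", "00.07.03"),
    ("site-b-router", "RUT", "00.07.03.4"),
    ("site-c-router", "RUT", "00.07.04"),
]

def triage(inventory):
    return {name: applicable_cves(prod, ver) for name, prod, ver in inventory}

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        print(f"{name:15} {', '.join(cves) or 'not listed as affected'}")
```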

 

References

Teltonika Remote Management System and RUT Model Routers | CISA