{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/123336#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA command injection vulnerability has been identified in the Wi-Fi Test Suite, a tool developed by the Wi-Fi Alliance, which has been found deployed on Arcadyan routers. This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers.\r\n\r\n### Description\r\nThe Wi-Fi Test Suite, as described by its developer, was originally created by the Wi-Fi Alliance—a global non-profit industry association responsible for Wi-Fi standards—to support the development of certification programs and device certification. This software was not designed for use in production environments. However, it has been discovered in commercial router deployments, exposing a vulnerability in the test code in production. The Wi-Fi Test Suite contains vulnerable code that is susceptible to command injection attacks. An attacker can exploit this vulnerability by sending specially crafted packets to a device running the Wi-Fi Test Suite, allowing them to execute commands with administrative (root) privileges.\r\n\r\n**CVE-2024-41992**\r\nIt is possible for an unauthenticated local attacker to use specially crafted packets to execute commands as root.\r\n\r\n### Impact\r\nAn attacker who successfully exploits this vulnerability can gain full administrative control over the affected device. With this access, the attacker can modify system settings, disrupt critical network services, or reset the device entirely. 
These actions can result in service interruptions, compromise of network data, and potential loss of service for all users dependent on the affected network.\r\n\r\n### Solution\r\nThe CERT/CC recommends that vendors who have included the Wi-Fi Test Suite update it to version >=9.0 or remove it entirely from production devices to reduce the risk of exploitation.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Noam Rathaus from SSD Disclosure. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Affected parties are Wi-Fi Alliance member companies that ship wfa_dut, which is intended for development and certification testing purposes, with their final products. The code at https://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT was made open source as sample code. Shipping this code (as binary executable) as part of a commercial product requires the individual vendor to perform its own security review and implementation. Following this report, Wi-Fi Alliance has made fixes in input sanitization to protect against command injection in the Wi-Fi Test Suite/wfa_dut project, currently available to Wi-Fi Alliance members. The updates will be reflected in the open-source project by 2024-06-30. 
Wi-Fi Alliance is also reiterating two advisories to its members: (1) Wi-Fi Test Suite is only required for development and certification testing purposes. (2) Wi-Fi Alliance advises against enabling wfa_dut on any interface other than the LAN interface used by the automation system to control and monitor device behavior.\r\n\r\nWi-Fi Alliance would like to express its gratitude to the reporter for this vulnerability report. If interested, we can also share the patch for review and discussion before we apply it to the open-source repository.","title":"Vendor statement from Wi-Fi Alliance"},{"category":"other","text":"The National Cybersecurity Agency of France (ANSSI) has coordinated this vulnerability with Bouygues Telecom and confirmed that they have deployed a fix on all of their equipment.","title":"CERT/CC comment on Bouygues Telecom notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/123336"},{"url":"https://kb.cert.org/vuls/id/123336","summary":"https://kb.cert.org/vuls/id/123336"},{"url":"https://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT","summary":"https://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT"},{"url":"https://www.wi-fi.org/certification/wi-fi-test-tools","summary":"https://www.wi-fi.org/certification/wi-fi-test-tools"},{"url":"https://ssd-disclosure.com/","summary":"https://ssd-disclosure.com/"},{"url":"https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce/","summary":"https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce/"},{"url":"https://fj016.fr/blog/cve-2024-41992","summary":"https://fj016.fr/blog/cve-2024-41992"}],"title":"Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J","tracking":{"current_release_date":"2024-10-23T17:28:33+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#123336","initial_release_date":"2024-08-19 00:00:00+00:00","revision_history":[{"date":"2024-10-23T17:28:33+00:00","number":"1.20241023172833.1","summary":"Released on 2024-10-23T17:28:33+00:00"}],"status":"final","version":"1.20241023172833.1"}},"vulnerabilities":[{"title":"It is possible for an unauthenticated local attacker to use specially crafted packets to execute commands as root.","notes":[{"category":"summary","text":"It is possible for an unauthenticated local attacker to use specially crafted packets to execute commands as root."}],"cve":"CVE-2024-41992","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#123336"}],"product_status":{"known_affected":["CSAFPID-7435a9f2-34f1-11f1-8422-122e2785dc9f","CSAFPID-7435e304-34f1-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Wi-Fi Alliance","product":{"name":"Wi-Fi Alliance Products","product_id":"CSAFPID-7435a9f2-34f1-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Bouygues 
Telecom","product":{"name":"Bouygues Telecom Products","product_id":"CSAFPID-7435e304-34f1-11f1-8422-122e2785dc9f"}}]}}