Multiple Vulnerabilities Fixed in CUJO Smart Firewall

Vulnerabilities recently addressed by CUJO AI in the CUJO Smart Firewall could be exploited to take over the device, Cisco Talos security researchers reveal. 

Built on a Linux-based operating system whose kernel carries the PaX patches, the Smart Firewall is designed to protect home networks against malware, phishing websites, and hacking attempts, and as a gateway-style device it may sit at a sensitive position within the network.

Talos discovered 11 vulnerabilities in the device, including two chains that allow code execution without authentication from outside the device.

The first stems from the Webroot BrightCloud SDK, which CUJO uses as part of its safe browsing protection. Tracked as CVE-2018-4012, the bug allows an unauthenticated attacker who can impersonate BrightCloud's services to execute code on the device as the root user.

Because the BrightCloud SDK also defaults to plain HTTP (CVE-2018-4015) when talking to the remote BrightCloud services, no certificate or transport protection stands in the way: an attacker who can intercept the traffic (for example from an upstream network position) can exploit the issue trivially.

Another issue stems from CUJO's use of the Lunatik Lua engine to run Lua scripts inside the kernel. A script injection vulnerability (CVE-2018-4031) allows an unauthenticated user on the local network to execute Lua scripts in kernel context.

A second bug (CVE-2018-4030) can be abused to make CUJO extract and analyze an attacker-chosen hostname. Chaining the two lets an attacker trigger the Lua injection through that hostname and effectively execute code in the kernel. Talos notes that the chain can also be triggered from the local network.

A further issue involves the mobile app that CUJO users download to configure the device, which acts as a router and serves DHCP requests. The app can be used to set up static DHCP entries, and a vulnerability (CVE-2018-3963) in the way DHCP hostnames are handled can be leveraged to execute arbitrary operating system commands as the root user.
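The Lua script injection (CVE-2018-4031, reached via the hostname-extraction bug) and the DHCP hostname command injection (CVE-2018-3963) share one root cause: a hostname taken from the network ends up inside text that is later interpreted, as a Lua chunk in one case and a shell command line in the other. The following is an added example in Python, not code from CUJO or from the Talos report; the `logger` command and the Lua function `check_host` are hypothetical stand-ins for whatever the firmware actually invokes. It shows the two defences a practitioner would want: an allowlist validator that rejects anything that is not a syntactically valid hostname, and constructors that keep the value as data (an argv element, a properly quoted Lua string literal) rather than splicing it into code.

```python
"""Safe handling of untrusted hostnames (added example, not CUJO code).

A hostname from DHCP or from intercepted HTTP traffic is attacker-controlled.
The *_unsafe functions reproduce the injection anti-pattern; the safe ones
validate first and never let the value be parsed as code.
"""
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. Underscores are deliberately rejected (strict allowlist).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Return True only for a syntactically valid (optionally FQDN) hostname."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # allow one trailing dot (FQDN form)
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


# --- shell side: the DHCP hostname case ---------------------------------

def unsafe_shell_command(hostname):
    """Anti-pattern: interpolating into a command line that /bin/sh will parse.
    A hostname such as 'h; id' runs 'id' as whoever owns the process (root here)."""
    return "/usr/bin/logger -t dhcp " + hostname


def safe_shell_argv(hostname):
    """Validate, then return an argv list for subprocess.run(argv) with no shell.
    Metacharacters are never interpreted because there is no shell to interpret them."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected hostname: %r" % (hostname,))
    return ["/usr/bin/logger", "-t", "dhcp", hostname]   # hypothetical command


# --- Lua side: the kernel-script injection case --------------------------

def unsafe_lua_chunk(hostname):
    """Anti-pattern: the hostname becomes part of the script text.
    A value like 'a");os.execute("id")--' closes the literal and runs code."""
    return 'return check_host("' + hostname + '")'


def lua_string_literal(s):
    """Quote s as a Lua double-quoted literal (the equivalent of Lua's %q):
    backslash and double quote are escaped, every control byte becomes \\ddd."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 32 or ord(ch) == 127:
            out.append("\\%03d" % ord(ch))   # three digits: unambiguous in Lua
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def safe_lua_chunk(hostname):
    """Validate first (primary defence); quote anyway (defence in depth)."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected hostname: %r" % (hostname,))
    return "return check_host(" + lua_string_literal(hostname) + ")"


if __name__ == "__main__":
    for h in ["cujo-demo.local", "h; id", 'a");os.execute("id")--']:
        print(repr(h), "valid" if is_valid_hostname(h) else "rejected")
        print("  unsafe shell:", unsafe_shell_command(h))
        print("  unsafe lua  :", unsafe_lua_chunk(h))
```

Validation is the control that actually removes the bug class: once only `[A-Za-z0-9.-]` can reach the sink, neither the shell nor the Lua parser has anything to misinterpret. The argv list and the quoting routine are there so that a future caller who forgets to validate still does not get code execution.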

CUJO relies on the Verified Boot feature of Das U-Boot, the open-source primary bootloader, and permanently write-protects the first 16MB of the eMMC so that the bootloaders cannot be modified, but Talos discovered two vulnerabilities that bypass these protections.

The first (CVE-2018-3968) resides in Das U-Boot itself and affects versions 2013.07-rc1 through 2014.07-rc2 (inclusive). Because signature verification is only applied to FIT images and the bootloader still accepts the legacy image format, which carries no signature, an attacker can replace a signed FIT image with an unsigned legacy image and U-Boot will boot it, the researchers say.

Because the U-Boot bootloader on the device is unmodifiable, the vulnerability cannot be fixed in CUJO. In isolation, however, the issue is not as severe, since an attacker still needs a way to write the replacement image.
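A practitioner auditing a device built on an affected U-Boot cannot change the bootloader, but can check what is actually sitting in the boot area. The following is an added example, not code from CUJO, Talos or the U-Boot project: a Python scanner that walks a raw flash or eMMC dump, finds both image formats and reports any legacy image, which on a device whose policy is "signed FIT only" is exactly what the CVE-2018-3968 bypass would leave behind. It relies on two facts from the U-Boot image format: a legacy uImage begins with a 64-byte header whose magic is 0x27051956 and whose second word is a CRC32 over the header with that word zeroed; a FIT image is a flattened device tree whose header starts with magic 0xd00dfeed followed by the total size. The sample dump is constructed inside the block.

```python
"""Find U-Boot legacy and FIT images in a raw flash dump (added example).

Legacy uImage header (64 bytes, big-endian): magic, header CRC, timestamp,
data size, load addr, entry point, data CRC, os, arch, type, comp, 32-byte
name. FIT = flattened device tree: magic, totalsize, ... (40-byte header).
"""
import struct
import zlib

IH_MAGIC = 0x27051956          # legacy uImage
FDT_MAGIC = 0xD00DFEED         # FIT (device tree blob)
IH_HEADER_LEN = 64
FDT_HEADER_LEN = 40


def legacy_header_valid(buf, off):
    """True if a legacy header with a correct header CRC starts at off."""
    if off + IH_HEADER_LEN > len(buf):
        return False
    hdr = buf[off:off + IH_HEADER_LEN]
    magic, hcrc = struct.unpack_from(">II", hdr, 0)
    if magic != IH_MAGIC:
        return False
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]       # CRC is computed with ih_hcrc = 0
    return (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc


def scan_images(buf):
    """Return a list of {offset, format, size[, name]} for every image found."""
    found = []
    magic = struct.pack(">I", IH_MAGIC)
    off = buf.find(magic)
    while off != -1:
        if legacy_header_valid(buf, off):        # a stray magic word with a bad CRC is ignored
            size = struct.unpack_from(">I", buf, off + 12)[0]
            name = buf[off + 32:off + 64].split(b"\0", 1)[0].decode("ascii", "replace")
            found.append({"offset": off, "format": "legacy",
                          "size": IH_HEADER_LEN + size, "name": name})
        off = buf.find(magic, off + 1)

    magic = struct.pack(">I", FDT_MAGIC)
    off = buf.find(magic)
    while off != -1:
        if off + FDT_HEADER_LEN <= len(buf):
            total = struct.unpack_from(">I", buf, off + 4)[0]
            if FDT_HEADER_LEN <= total <= len(buf) - off:   # sanity-check totalsize
                found.append({"offset": off, "format": "fit", "size": total})
        off = buf.find(magic, off + 1)

    found.sort(key=lambda img: img["offset"])
    return found


def verified_boot_violations(images):
    """Images that an affected U-Boot would boot without any signature check."""
    return [img for img in images if img["format"] == "legacy"]


# --- constructed sample dump (not a real CUJO image) ----------------------

def make_legacy_image(name, payload):
    """Build a legacy uImage (os=linux, arch=arm, type=kernel, no compression)."""
    hdr = struct.pack(">IIIIIIIBBBB32s", IH_MAGIC, 0, 0, len(payload),
                      0x80008000, 0x80008000, zlib.crc32(payload) & 0xFFFFFFFF,
                      5, 2, 2, 0, name.encode("ascii"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def make_minimal_fit(totalsize=64):
    """A device-tree header with the sizes pointing at empty sections."""
    hdr = struct.pack(">IIIIIIIIII", FDT_MAGIC, totalsize, FDT_HEADER_LEN,
                      FDT_HEADER_LEN, FDT_HEADER_LEN, 17, 16, 0, 0, 0)
    return hdr + b"\0" * (totalsize - len(hdr))


SAMPLE_DUMP = (b"\xff" * 64
               + make_minimal_fit()                    # signed-image slot at 64
               + b"\x00" * 32
               + make_legacy_image("unsigned-kernel", b"KERNEL-PAYLOAD")  # at 160
               + b"\xff" * 16)

if __name__ == "__main__":
    imgs = scan_images(SAMPLE_DUMP)
    for img in imgs:
        print(img)
    print("violations:", verified_boot_violations(imgs))
```

Run it against a dump of the boot partition taken with `dd`; a hit from `verified_boot_violations` on a device that is supposed to boot only signed FIT images means someone has swapped in a legacy image, whether or not the bootloader itself can be updated.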

It is also possible to execute arbitrary commands as root at device boot by modifying the `dhcpd.conf` file so that the DHCP server executes shell commands (CVE-2018-3969). Because the file persists across reboots, the injected commands run at every boot.

The device is also affected by a vulnerability that can be abused to bypass safe browsing, potentially allowing malicious websites to serve malware even in the presence of CUJO's filtering.

Two other code execution vulnerabilities (CVE-2018-3985 and CVE-2018-4003) were found in the parsing of mDNS messages, but because CUJO confines the affected `mdnscap` process to a low-privileged chroot environment, an attacker would still need to escalate privileges to fully compromise the device.

The security researchers also discovered two denial-of-service vulnerabilities (CVE-2018-4002 and CVE-2018-4011) in the CUJO Smart Firewall.

CUJO AI has already released security patches for these vulnerabilities and users should make sure their devices have been updated as soon as possible.

Related: Cisco Aware of Attacks Exploiting Critical Firewall Flaw

Related: Experts Find 10 Flaws in Linksys Smart Wi-Fi Routers


Original author: Ionut Arghire