Host of Flaws Found in CUJO Smart Firewall

conceptual design with firewall and security of data on the web

Some of the flaws would allow remote code-execution.

Multiple vulnerabilities have been uncovered in the CUJO Smart Firewall, which is a security hardware device aimed at protecting home networks against malware, phishing websites and hacking attempts.

CUJO is widely available, including on Amazon where it has racked up 1,000+ customer reviews. The firewall reportedly contains vulnerabilities that researchers at Cisco Talos said could allow attackers to potentially take complete control of the device, opening the door to monitoring home network traffic and stealing sensitive information.

Two types of exploits are possible, the researchers said. One is executing arbitrary code in the context of the root account. And the second is uploading and executing unsigned kernels on affected systems.

CUJO AI said that it has started the process to automatically update the devices with firmware.

“We identified two chains that could be used to execute code remotely without authentication,” the researchers said in a Tuesday posting.

In one, a vulnerability in the Webroot BrightCloud SDK (CVE-2018-4012), which CUJO uses as part of its safe browsing protection, would allow an unauthenticated attacker to impersonate BrightCloud’s services and execute code on the device as the root user.

“The BrightCloud SDK defaults to using HTTP connections to communicate with the remote BrightCloud services, making the exploitation of [the bug] trivial if an attacker is able to intercept traffic between CUJO and BrightCloud,” according to the advisory.

In the second, a script-injection vulnerability (CVE-2018-4031) in the Lunatik Lua engine, which CUJO uses to analyze network traffic as part of its safe-browsing protection, allows any unauthenticated user in the local network to execute Lua scripts in the kernel by specifying an arbitrary “Host” header in HTTP requests.

“Since Lunatik permits the use of the unsafe `load()` Lua function, this allows an attacker to execute arbitrary code in the kernel,” researchers explained. “Additionally, [another vulnerability] describes an issue that can be used to trick CUJO into extracting and analyzing any arbitrary hostname.”

As a result, a “malicious website could chain both vulnerabilities together in order to force any client machine in CUJO’s network to perform a POST request via JavaScript, triggering the Lua injection and effectively executing code in the kernel.”

These can also be further chained together with a verified boot bypass flaw in the Das U-Boot software that CUJO uses in order to permanently compromise the device – this is somewhat mitigated however by the fact that the attacker would need to be local.

Here, a flaw in the Das U-Boot (CVE-2018-3968) allows an attacker with local or physical access to execute an unsigned kernel embedded in a legacy image format if they are able to supply a boot image to the device.

“This vulnerability exists due to the fact that the version of Das U-Boot used by the devices lacks proper FIT signature enforcement during the boot process,” said researchers.

The version used by the CUJO Smart Firewall is vulnerable to this bypass (CVE-2018-3969); successful exploitation could allow an attacker to execute arbitrary system commands during the system boot process. By embedding system commands into the `/config/dhcpd.conf` file, an attacker can force those commands to be executed each time the system is rebooted.

In all, Cisco Talos researchers said they found 11 flaws in the device.

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.

 

 

 

Suggested articles