Hotel Internet Gateways Patched Against Remote Exploit

A critical vulnerability in InnGate, a popular hotel and convention center Internet gateway from ANTLabs, has been patched. The flaw gives attackers read and write access to the devices from the Internet.

ANTLabs today is expected to roll out patches for a vulnerability in its InnGate Internet gateways that are popular in hospitality and convention locations.

The gateways provide temporary Internet access to hotel guests or conference attendees using kiosks, for example.

The vulnerability (CVE-2015-0932), discovered by security company Cylance, gives an attacker remote read and write access to the device’s file system.

“Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction,” wrote researcher Brian Wallace in an advisory published today.

Full read and write access can be leveraged for remote code execution and enable a hacker to backdoor the device or add an executable or a new authenticated root-level user, Cylance said.

“Once full file system access is obtained, the endpoint is at the mercy of the attacker,” Wallace wrote.

The exposed rsync command is trivial to abuse, Wallace said, using a few commonly known Linux or UNIX commands to find available rsync shares and list files in the root. There are also rsync commands for uploading and downloading files. Rsync is a utility on Linux and UNIX machines that is used for file synchronization and file transfers either locally or between remote computers.

While the risk with such a vulnerability is generally limited to crimes such as fraud and identity theft, a research report last November from Kaspersky Lab on the DarkHotel APT group shows that targeted attacks against business hotel Wi-Fi networks are not out of the question.

DarkHotel operates in Asia, primarily compromising such Wi-Fi networks and infecting users as they connect with a phony software update, such as one for Adobe Flash. The update instead pushed a digitally signed piece of malware that includes a keylogger and other data-stealing capabilities, with the stolen data sent via a backdoor to the attackers.

The DarkHotel campaign also was able to access other systems on hotel networks such as machines running registration information. This capability allowed the APT group to infect only specific guests with the phony update installer.

Cylance said its vulnerability is severe and requires little sophistication to exploit.

“An attacker exploiting the vulnerability in CVE-2015-0932 would have the access to launch DarkHotel-esque attacks against guests on the affected hotel’s WiFi. Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems,” Wallace said. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.”

Cylance said it scanned the Internet’s IPv4 space for the ANTLabs devices and found 277 that could be compromised from the Internet, most of those in North America, but some in Asia, the Middle East and Europe.

In addition to applying the patch upon its release, Cylance said locations running the vulnerable devices could block unauthenticated rsync processes via a TCP-DENY command on port 873.
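For administrators who run rsync daemons of their own, the following added example (not code from Cylance or ANTLabs) audits an `rsyncd.conf` for the combination the advisory describes: a module that accepts anonymous clients, allows writes and exposes the file system root. The sample configuration is constructed, and the function names and the set of checks are assumptions made for illustration.

```python
import re

# Constructed sample rsyncd.conf for illustration; not taken from any InnGate device.
SAMPLE_CONF = """\
uid = root
read only = no

[root]
    path = /

[backups]
    path = /srv/backups
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

def parse_rsyncd_conf(text):
    """Return {module: settings}; parameters set before the first module are inherited."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)
            # Whitespace inside parameter names is irrelevant to rsyncd, so drop it.
            key = "".join(key.lower().split())
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit_module(settings):
    """Hypothetical checks for the exposure the advisory describes."""
    findings = []
    if not settings.get("authusers"):
        findings.append("no 'auth users': anonymous clients accepted")
    if settings.get("readonly", "yes").lower() in ("no", "false", "0"):
        findings.append("'read only' disabled: clients can write")
    if settings.get("path", "x").strip("/") == "":
        findings.append("module path is the file system root")
    if not settings.get("hostsallow"):
        findings.append("no 'hosts allow': any source address may connect")
    return findings

def audit(text):
    return {name: audit_module(s) for name, s in parse_rsyncd_conf(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name, "->", findings or "ok")
```

A module with no findings can still be reachable if port 873 is open to the Internet, so the check complements the port block rather than replacing it.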
