October 16, 2023 at 08:24AM
Industrial cellular routers made by Milesight, a Chinese IoT and video surveillance product maker, have a vulnerability that exposes system log files containing passwords for administrator and user accounts. Although the flaw has likely been patched for years, a small number of exploitation attempts have been observed in the wild. These routers are used in sectors such as industrial automation, self-service kiosks, and medical equipment.
Key takeaways are as follows:
1. Vulnerability: A vulnerability tracked as CVE-2023-43261 affects some industrial routers made by Milesight. It exposes system log files that contain administrator and user passwords, so anyone who can retrieve the logs can potentially log into the device.
2. Exploitation: Researchers have identified exploitation attempts against vulnerable devices. A single IP address, reportedly originating from France, attempted to log into six systems located in France, Lithuania, and Norway, succeeding in some cases. The attacker made no changes to the compromised systems but conducted reconnaissance.
3. Patched Versions: Analysis by VulnCheck suggests that the vulnerability was fixed in firmware releases issued years ago. This is consistent with the finding that only a small percentage of internet-exposed Milesight devices are still running vulnerable firmware.
4. Credentials Exposure: The attacker was able to extract cleartext credentials from VPN server configurations present on the compromised systems. Such credentials could allow the attacker to pivot from the router into the ICS network behind it.
5. Impacted Industries: The UR-series routers affected by the vulnerability are used in various fields, including industrial automation, self-service kiosks, traffic lighting, smart grid assets, medical equipment, and retail.
6. Vendor Response: The researcher who disclosed the vulnerability informed Milesight, which said it was already aware of the flaw and had released patches before being contacted.
Operators of the affected routers should confirm that each device runs patched firmware, limit internet exposure of the management interface, and treat any credentials that may have been readable in exposed logs (administrator, user, and VPN accounts) as compromised and rotate them. Device and web-server logs should also be reviewed for unauthenticated retrieval of log files and for logins from unexpected source addresses, since the observed attacker read logs first and then used the recovered passwords to log in.
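As an added example (not code from the original page, from Milesight, or from VulnCheck), the following Python script shows the two log-review checks a practitioner would want after reading the above: it scans log text for credential values written in clear, which is the failure mode behind this vulnerability, and it scans web access logs for log files served to unauthenticated clients, which is what the reconnaissance described above would look like. It also lists the accounts whose secrets appeared in the log so they can be rotated. The sample log lines, the field names (user=, password=, psk=, src=, auth=none) and the /log/system.log path are constructed assumptions for illustration, not the router's real log format.

```python
import re

# Constructed sample router log lines (not captured from a real device).
# The line format, field names and the "/log/system.log" path are assumptions
# made for this example; adapt the patterns to the vendor's real log layout.
SAMPLE_LOG = """\
2023-10-16 08:24:01 httpd: POST /login user=admin password=Sup3rS3cret! 200
2023-10-16 08:24:02 httpd: GET /status src=10.0.0.5 auth=admin 200
2023-10-16 08:24:05 vpn: connect server=vpn.example.net user=field-tech psk=hunter2
2023-10-16 08:24:09 httpd: GET /log/system.log src=203.0.113.7 auth=none 200
2023-10-16 08:24:11 httpd: GET /log/system.log src=10.0.0.5 auth=admin 200
"""

# key=value pairs whose key names a secret; the value runs to the next space or '&'.
CRED_PATTERN = re.compile(
    r"\b(?P<key>password|passwd|pwd|psk|secret|token)=(?P<value>[^\s&]+)",
    re.IGNORECASE,
)

# Account name on the same line as a leaked secret (assumed user=/username= field).
USER_PATTERN = re.compile(r"\b(?:user|username)=(?P<user>[^\s&]+)", re.IGNORECASE)

# A GET for a *.log path served with no authenticated principal (auth=none is an
# assumed marker). Other fields may sit between the path and the auth field.
LOG_FETCH_PATTERN = re.compile(
    r"GET (?P<path>\S+\.log)\b.*?\bsrc=(?P<src>\S+).*?\bauth=none\b"
)


def find_leaked_credentials(log_text):
    """Return (line_no, key, value) for every secret written into the log.

    Any hit means the log file is itself a credential store: whoever can read
    it can log in, which is exactly what makes an exposed log dangerous.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in CRED_PATTERN.finditer(line):
            hits.append((n, m.group("key").lower(), m.group("value")))
    return hits


def find_unauthenticated_log_fetches(log_text):
    """Return (line_no, path, src_ip) for log files served without authentication.

    Run this over web access logs to spot the reconnaissance step: an outside
    address pulling log files before any login succeeds.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_FETCH_PATTERN.search(line)
        if m:
            hits.append((n, m.group("path"), m.group("src")))
    return hits


def accounts_to_rotate(log_text):
    """Account names found on lines where a secret leaked; rotate these first."""
    users = set()
    for n, line in enumerate(log_text.splitlines(), 1):
        if CRED_PATTERN.search(line):
            um = USER_PATTERN.search(line)
            users.add(um.group("user") if um else f"<unknown account, line {n}>")
    return users


def redact_credentials(log_text):
    """Mask secret values so the log can be retained or shared safely."""
    return CRED_PATTERN.sub(lambda m: f"{m.group('key')}=[REDACTED]", log_text)


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_LOG):
        print("credential written to log:", hit)
    for hit in find_unauthenticated_log_fetches(SAMPLE_LOG):
        print("log file served without auth:", hit)
    print("accounts to rotate:", sorted(accounts_to_rotate(SAMPLE_LOG)))
    print(redact_credentials(SAMPLE_LOG))
```

Point the two scanners at the router's own log export and at the access log of whatever fronts the management interface; the key names in CRED_PATTERN and the auth marker in LOG_FETCH_PATTERN will need adjusting to the real format. A non-empty result from find_leaked_credentials is a finding in its own right, independent of whether anyone fetched the file, because it shows the log would hand out working passwords to any reader.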