Claroty's Team82 uncovers Teltonika IIoT router critical vulnerabilities

Claroty

Tuesday, 16 May, 2023

Claroty has announced that its Team82 research team and OTORIO have discovered three unique attack vectors affecting the cloud management platforms for 4G routers supplied by Teltonika Networks. These could allow attackers to remotely take control of devices and gain access to companies’ internal IIoT/IoT networks.

Teltonika Networks specialises in manufacturing and developing networking devices, including routers, modems and industrial networking equipment. The company has a global sales presence, including in Australia.

In the IoT, the challenge starts with the need to scale up; most solutions need to support a huge fleet of 4G routers, enabling system administrators to configure, monitor and maintain all of their devices. This is where cloud management platforms are introduced, allowing control over the devices remotely, through the internet.

The Teltonika Remote Management System (RMS) product is a cloud-based or on-premises platform that enables users to monitor and manage their connected devices from anywhere. The RMS platform provides real-time monitoring and control, making it easier for organisations to track the status and performance of their devices and network. The platform also offers advanced features such as device management, software and firmware updates, GPS tracking and data visualisation. The RMS platform is designed to be scalable and secure, ensuring that businesses of all sizes can benefit from the platform’s capabilities.

Teltonika offers a wide range of network solutions and devices. The team focused on the company’s RUT241 and RUT955 devices in particular. These devices are part of the company’s industrial cellular routers product line and offer 4G LTE, Wi-Fi and Ethernet communication designed specifically for industrial environments and commercial applications. The RUT241 and RUT955 routers are equipped with advanced network routing and firewall capabilities, and various VPN protocols, allowing users to securely connect to their private networks. These routers are also easy to configure and manage, making them suitable for use by businesses of all sizes.

While hundreds of thousands of Teltonika devices are deployed worldwide, a search on internet-scanning engines such as Shodan and Censys also reveals thousands of internet-facing devices, with their management ports externally exposed to the internet.

The research focused on three threat scenarios in which remote attackers are able to compromise the Teltonika cloud-management solution and take full control over unregistered and registered devices. Different techniques and methods were used, including direct exploitation as well as remote and cloud capabilities to manipulate remote users into compromising their accounts and devices. When exploited, these vulnerabilities could allow attackers full control over Teltonika 4G routers. Attackers could then use a compromised router as a pivot point into companies’ internal networks, giving access to internal IoT and industrial devices that were never meant to be exposed and putting them at risk.

As a result of the research, a total of seven CVEs were assigned:

  • CVE-2023-2586: Teltonika’s Remote Management System version 4.14.0 is vulnerable to an unauthorised attacker registering previously unregistered devices through the RMS platform.
  • CVE-2023-32347: Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device.
  • CVE-2023-32346: Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. Due to the information returned, an attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.
  • CVE-2023-32349: Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility in which variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.
  • CVE-2023-2587: Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface.
  • CVE-2023-2588: Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. The generated URL could be shared with others without Remote Management System authentication.
  • CVE-2023-32348: Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.
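
The version ranges quoted in the list above can be turned into an inventory triage script; this is an added example, not code from Claroty, OTORIO or Teltonika. The asset names and inventory layout are constructed, and CVE-2023-2586 is left out because the list gives it a single version rather than a range.

```python
RMS_FIXED = "4.10.0"                     # list says "versions prior to 4.10.0"
RMS_CVES = ["CVE-2023-32347", "CVE-2023-32346", "CVE-2023-2587",
            "CVE-2023-2588", "CVE-2023-32348"]
FW_LOW, FW_HIGH = "00.07.00", "00.07.03.4"   # "00.07.00 through 00.07.03.4"
FW_CVES = ["CVE-2023-32349"]

def parse_version(text):
    """Turn '00.07.03.4' into (0, 7, 3, 4); reject anything not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Return -1, 0 or 1; missing trailing components count as zero."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def cves_for(kind, version):
    """CVE ids from the list that apply to one asset ('rms' or 'router')."""
    if kind == "rms":
        return list(RMS_CVES) if compare(version, RMS_FIXED) < 0 else []
    if compare(version, FW_LOW) >= 0 and compare(version, FW_HIGH) <= 0:
        return list(FW_CVES)
    return []

def triage(inventory):
    """Map asset name -> findings; unparsable versions are flagged, not skipped."""
    findings = {}
    for name, kind, version in inventory:
        try:
            hits = cves_for(kind, version)
        except ValueError:
            hits = ["VERSION-UNPARSED"]      # fail closed: check by hand
        if hits:
            findings[name] = hits
    return findings

# Constructed inventory: asset names and versions are sample values.
SAMPLE = [("rms-onprem", "rms", "4.9.3"), ("rms-lab", "rms", "4.10.0"),
          ("rut955-pump", "router", "00.07.03.4"),
          ("rut241-gate", "router", "00.07.04"),
          ("rut241-spare", "router", "unknown")]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A version string that cannot be parsed is reported rather than silently treated as unaffected, so gaps in the inventory surface during triage.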

All discovered vulnerabilities were disclosed to Teltonika, which addressed them all and provided security fixes.

A detailed explanation of the exploits can be found here.
