Vulnerabilities in Goodmill Systems w24e and w24h routers | Traficom

December 31, 2018 at 10:46

Three privilege escalation vulnerabilities have been found in the firmware of Goodmill Systems w24e and w24h routers. On routers affected by the vulnerabilities, a logged-in user could expand their user privileges without authorization. Goodmill Systems has released a new version of the firmware that addresses the vulnerabilities.

A user account for administrative purposes has been removed from the firmware. The "remote_user" account used hardcoded credentials. Goodmill Systems is a Finnish company whose connectivity products are used, for example, in vehicles. Please contact the vendor for more information about the update process.

Vulnerability coordination:

The vulnerabilities were found by Antti Tönkyrä, Mika Järvinen, Mikko Kenttälä and Ossi Salmi. NCSC-FI would like to thank the finders and the vendor for participating in the coordination.

Target of vulnerability

  • w24e SW versions 4.0.3.x, 4.0.4, 4.0.5.x, 4.0.6.x before version 4.0.6.4
  • w24h SW versions before version 1.2.0.3

What is this about?

The vendor recommends that customers upgrade the software in their routers to the following versions in order to patch these vulnerabilities and to be at the latest software levels:

  • 4.0.6.4 (routers w24e/w24e-S/w24)
  • 1.2.0.3 (routers w24h-S/w24h-I).

What can I do?

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:

Email: vulncoord@ficora.fi

Please quote the advisory reference [FICORA #1038870] in the subject line.

Telephone:

+358 295 390 230

Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Post:

Vulnerability Coordination

FICORA / NCSC-FI

P.O. Box 313

FI-00561 Helsinki

FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

 

Network devices

Network devices are devices that ordinary users usually cannot see, such as routers, switches and firewalls. These devices and the related software transmit or filter network traffic.

Remote

A remotely performed attack can be implemented via an information network connection or similar without accessing the targeted system.

Locally

A locally performed attack can be implemented only by accessing the device under attack and using it locally. A local attack is not possible via a network connection.

Security bypass

Security bypass means that by exploiting a vulnerability, the protection intended for restricting the use of the system is bypassed, for example, by directing traffic past the firewall to a protected network.

Expansion of access rights

Expansion of access rights enables the use of the system, for example, as a main user, i.e. with more extensive access rights than those of an ordinary user.

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for software or an operating system soon after the vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.

Restriction of the problem

Although an actual vulnerability patch is not always available, the vulnerability's effects can usually be limited, for example, by temporarily refraining from the use of a certain feature or by restricting the network traffic to the target system in a suitable manner.