Patch Issued for Flaw in Sunhillo SureLine Surveillance App
Researchers at NCC Group Describe the Risks
Researchers discovered an unauthenticated operating system command injection vulnerability in the Sunhillo SureLine surveillance application that allows an attacker to execute arbitrary commands with root privileges. The flaw has since been patched.
The vulnerability, tracked as CVE-2021-36380, allows a threat actor to establish an interactive channel, take control of the target system and possibly achieve complete system compromise, according to researchers at the security firm NCC Group.
"With the threat actor in full control of the device they could have caused a denial of service or utilized the device for persistence on the network," the researchers report.
The vulnerable version is SureLine: 8.7.0. Researchers from NCC Group recommend immediately updating to the patched version, Sunhillo SureLine version 184.108.40.206.1.
Sunhillo provides technology for the Federal Aviation Administration, U.S. military and civil aviation authorities worldwide.
A spokesperson for Sunhillo was not immediately available to comment.
OS Command Injection
The vulnerable script incorporated user-controllable parameters directly within a shell command, which allowed an attacker to manipulate the resulting command by injecting valid OS command input, the researchers say.
"The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session. The script did appear to validate user input and blocked most techniques for OS command injection," says Liam Glanfield of NCC Group.
The vulnerability exists due to improper input validation of the "ipAddr" and "dnsAddr" parameters in the script, NCC Group reports. The researchers also demonstrated that a reverse connection to an attacker's host could be created, establishing a covert channel through which an attacker could execute commands on the server.
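To make the class of flaw concrete, the following is an added illustration written for this article; it is not code from Sunhillo, NCC Group or the SureLine product. It contrasts the flawed pattern the researchers describe (request parameters pasted into a shell string) with a hardened handler that validates "ipAddr" and "dnsAddr" as IPv4 addresses and passes them to a subprocess as an argument list without a shell. The helper path `/usr/local/bin/netconfig` and the function names are assumptions standing in for whatever the real script invokes, which the article does not name.

```python
from __future__ import annotations

import ipaddress
import re
import subprocess

# Hypothetical helper binary standing in for whatever the real SureLine
# script invokes; the article does not name it.
NETCONFIG_TOOL = "/usr/local/bin/netconfig"

# Shell metacharacters that a well-formed IP address field never contains.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def build_command_unsafe(ip_addr: str, dns_addr: str) -> str:
    """The flawed pattern: request parameters pasted into a shell string.

    Whatever the client sends is reparsed by the shell, so a value carrying a
    metacharacter changes the command. Shown only as the 'before' to contrast
    with the hardened builder below; nothing in this file executes it.
    """
    return f"{NETCONFIG_TOOL} --ip {ip_addr} --dns {dns_addr}"


def validate_ipv4(value: str, field: str) -> str:
    """Accept only a syntactically valid dotted-quad IPv4 address.

    ipaddress rejects surrounding whitespace, extra tokens and every shell
    metacharacter, so the returned string is safe to use as one argv element.
    """
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{field}: not a valid IPv4 address ({value!r})") from exc


def build_command_safe(ip_addr: str, dns_addr: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list (no shell)."""
    return [
        NETCONFIG_TOOL,
        "--ip", validate_ipv4(ip_addr, "ipAddr"),
        "--dns", validate_ipv4(dns_addr, "dnsAddr"),
    ]


def apply_network_config(ip_addr: str, dns_addr: str) -> int:
    """Run the validated command with shell=False so argv is never reparsed."""
    argv = build_command_safe(ip_addr, dns_addr)
    return subprocess.run(argv, shell=False, check=False).returncode


def is_rejected(ip_addr: str, dns_addr: str) -> bool:
    """True when the hardened builder refuses the parameter pair."""
    try:
        build_command_safe(ip_addr, dns_addr)
    except ValueError:
        return True
    return False


def looks_like_injection(value: str) -> bool:
    """Detection aid for log or WAF review: flags an address-field value that
    carries shell metacharacters, which legitimate clients never send."""
    return bool(_SHELL_META.search(value))


if __name__ == "__main__":
    # Constructed sample inputs, not traffic from the article.
    good = ("192.0.2.10", "192.0.2.1")
    bad = ("192.0.2.10; echo injected", "192.0.2.1")
    print("unsafe string:", build_command_unsafe(*bad))  # shell would run two commands
    print("safe argv:", build_command_safe(*good))
    print("bad pair rejected:", is_rejected(*bad))
    print("flag for review:", looks_like_injection(bad[0]))
```

The two defences are independent and both matter: strict validation bounds what a parameter may contain, and an argv list with `shell=False` means that even a value that slipped past validation is delivered to the helper as a single argument rather than reinterpreted by a shell. The `looks_like_injection` check is useful on the monitoring side, for flagging requests to such endpoints in access logs.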
NCC Group says it reported the flaw to Sunhillo on June 21, and the software firm released a patch July 22.