
Ricon Industrial Cellular Router S9922XL Remote Command Execution

Risk Level: High
Advisory ID: ZSL-2021-5653
Release Date: 04 July 2021
Vendor: Ricon Mobile Inc. - https://www.riconmobile.com
Affected Version: Model: S9922XL and S9922L, Firmware: 16.10.3
Tested On: GNU/Linux 2.6.36 (mips), WEB-ROUTER
Summary

The S9922L series LTE router is designed and manufactured by Ricon Mobile Inc. It is based on 3G/LTE cellular network technology with industrial-class quality. With its embedded cellular module, it is widely used in multiple cases such as ATM connections, remote office secure connections, data collection, etc.

The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi and VPN technologies. It has a powerful 64-bit processor and an integrated real-time operating system specially developed by Ricon Mobile. The S9922XL is widely used in many areas such as intelligent transportation, SCADA, POS, industrial automation, telemetry, finance and environmental protection.

Description

The router suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the admin (root) user via the 'ping_server_ip' POST parameter. The device is also vulnerable to Heartbleed.
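As an added defensive illustration (not part of the advisory and not the vendor's firmware code), the Python below shows how a ping diagnostic handler can take a 'ping_server_ip' parameter without shell injection: an allow-list validator that accepts only an IP literal or a well-formed hostname, an argv builder that never invokes a shell, and a check that flags form-encoded request bodies whose parameter value fails the same validator. The request bodies are constructed samples; the hostname grammar is assumed to match what the device should accept.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# RFC 1123 style hostname: dot-separated labels of letters, digits and inner hyphens.
# Assumed to be the only non-IP form a ping target needs; shell metacharacters cannot pass it.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: a literal IPv4/IPv6 address or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOST_RE.match(value))


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    """Return the argv for ping. The target is one argument; no shell ever sees it."""
    if not is_valid_ping_target(target):
        raise ValueError("rejected ping target")
    return ["ping", "-c", str(count), target]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Safe invocation: argv list, shell=False (the default), so metacharacters are inert."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, check=False)


def flag_suspicious_post(body: str) -> list[str]:
    """Detection helper: return every ping_server_ip value in a POST body that fails validation."""
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("ping_server_ip", []) if not is_valid_ping_target(v)]


# Constructed sample request bodies (not taken from the advisory).
SAMPLE_BODIES = [
    "ping_server_ip=192.0.2.1&count=4",          # valid IPv4 literal
    "ping_server_ip=gateway.example.net",         # valid hostname
    "ping_server_ip=192.0.2.1%3Bid",              # ';' command separator appended
    "ping_server_ip=%24%28id%29",                 # '$(...)' substitution
]
```

Running `flag_suspicious_post` over the web server's request log gives a simple indicator of attempted abuse of the parameter; `run_ping` is the drop-in replacement for a string-concatenated shell command.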

Proof of Concept
Disclosure Timeline
02.07.2021 Vulnerability discovered.
02.07.2021 Vendor contacted.
03.07.2021 No response from the vendor.
04.07.2021 Public security advisory released.
07.03.2022 Vendor releases version 16.10.3 (4360) to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
04.07.2021 Initial release
07.07.2021 Added references [1], [2], [3] and [4]
01.02.2022 Added references [5], [6] and [7]
07.03.2022 Added vendor status and references [8] and [9]
08.09.2022 Added reference [10]