Category: IT|Dec 4, 2024 | Author: Admin

Japan warns of IO-Data zero-day router flaws exploited in attacks


Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall.


The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled.

 

The vulnerabilities


The three flaws that were identified on November 13, 2024, are information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls.

The issues are summarized as follows:

 

CVE-2024-45841: Permissions on sensitive resources are misconfigured, allowing users with low-level privileges to access critical files. For example, a third party who knows the guest account credentials may access files containing authentication information.

 

CVE-2024-47133: Allows authenticated administrative users to inject and execute arbitrary operating system commands on the device, exploiting insufficient input validation in configuration management.

 

CVE-2024-52564: Undocumented features or backdoors in the firmware allow remote attackers to turn off the device firewall and modify settings without authentication.

 

The three issues impact UD-LT1, a hybrid LTE router designed for versatile connectivity solutions, and its industrial-grade version, UD-LT1/EX.

 

The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O Data states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024.

 

As the vendor confirmed in the bulletin, customers have already reported that the flaws are being exploited in attacks.

 

"Recently, we received inquiries from customers using our hybrid LTE routers 'UD-LT1' and 'UD-LT1/EX', where access to the configuration interface was allowed from the internet without VPN," reads the I-O Data security advisory.

 

"These customers reported potential unauthorized access from external sources."

 

Until the security updates are made available, the vendor suggests that users implement the following mitigation measures:

 

  • Disable the Remote Management feature for all internet connection methods, including WAN Port, Modem, and VPN settings.

  • Restrict access to only VPN-connected networks to prevent unauthorized external access.

  • Change the default "guest" user's password to a more complex one with over 10 characters.

  • Regularly monitor and verify device settings to detect unauthorized changes early, and reset the device to factory defaults and re-configure if a compromise is detected.
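
The monitoring step above can be automated by comparing each settings snapshot against a trusted baseline. The Python sketch below is an added example, not code from I-O Data or JPCERT; the key=value snapshot layout and every key name in it are assumptions, since the advisory does not describe how the UD-LT1 stores or exports its settings.

```python
# Constructed snapshots. The key=value layout and all key names are
# hypothetical; the page does not describe the UD-LT1 settings format.
BASELINE = """\
remote_mgmt.wan=off
remote_mgmt.modem=off
remote_mgmt.vpn=off
firewall.enabled=on
guest.password_sha256=constructed-digest-a
dns.primary=192.0.2.53
"""
CURRENT = BASELINE.replace("wan=off", "wan=on").replace(
    "enabled=on", "enabled=off").replace("digest-a", "digest-b")

# Settings the vendor's mitigations call for (hypothetical key names).
REQUIRED = {"remote_mgmt.wan": "off", "remote_mgmt.modem": "off",
            "remote_mgmt.vpn": "off", "firewall.enabled": "on"}

def parse(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        settings[key.strip()] = value.strip()
    return settings

def audit(baseline_text, current_text):
    """Return (drift, violations) for a snapshot against the baseline."""
    base, cur = parse(baseline_text), parse(current_text)
    drift = [(k, base.get(k), cur.get(k))
             for k in sorted(base.keys() | cur.keys())
             if base.get(k) != cur.get(k)]
    # A missing required key is a violation too (fail closed).
    violations = [k for k, want in REQUIRED.items() if cur.get(k) != want]
    return drift, violations

if __name__ == "__main__":
    drift, violations = audit(BASELINE, CURRENT)
    for key, old, new in drift:
        print(f"CHANGED {key}: {old!r} -> {new!r}")
    for key in violations:
        print(f"VIOLATION {key} is not {REQUIRED[key]!r}")
```

Any drift the operator did not make, and any violation at all, is the trigger for the factory reset and re-configuration the vendor recommends.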

 

The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed and sold within Japan, designed to support multiple carriers like NTT Docomo and KDDI, and are compatible with major MVNO SIM cards in the country.
