Experts warn of critical flaws in Flexlan devices that provide WiFi on airplanes Security Affairs

Researchers discovered two critical vulnerabilities (CVE–2022–36158 and CVE–2022–36159) in Flexlan devices that provide WiFi on airplanes.

Researchers from Necrum Security Labs discovered a couple of critical vulnerabilities, tracked as CVE–2022–36158 and CVE–2022–36159, affecting the Contec Flexlan FXA3000 and FXA2000 series LAN devices.

The FXA3000 and FXA2000 Series are access points that are manufactured by Japan-based firm Contec that conform to IEEE 802.11n/a/b/g wireless.

These devices are installed in airplanes to offer internet connectivity to the passengers, the above vulnerabilities can be exploited by an attacker to compromise the inflight entertainment system and potentially conduct other malicious activities.

“It is found that our wireless products, FLEXLAN FX3000/2000 series, have a firmware vulnerability.
There are possibilities of data plagiarism, falsification, and system destruction with malicious programs if
this vulnerability was exploited by malicious attackers.” reads the advisory published by Contec. “we have a private webpage for developers to execute system commands, which is not linked to any other web setting pages. There are possibilities of data plagiarism, falsification, system destruction, and malicious program execution if this vulnerability was exploited by malicious attackers who can access this private webpage (with passwords information).”

The issues impacts Contec FLEXLAN FXA3000 Series devices from version 1.15.00 and under and
FLEXLAN FXA2000 Series devices from version 1.38.00 and below.

Flexlan Contec fxa2000_cover_rgb_96dpi_500x500

The CVE–2022–36158 flaw is a hidden system command web page that was discovered performing reverse engineering of the firmware used by the device. The page was not listed in the Wireless LAN Manager interface, it can allow executing Linux commands on the device with root privileges, access all system files, and open the telnet port.

“[CVE-2022-36158] – Hidden system command web page.
After performing a reverse engineering of the firmware we discovered that a hidden page not listed in the Wireless LAN Manager interface allows to execute Linux commands on the device with root privileges. From here we had access to all the system files but also be able to open the telnet port and have full access on the device.” reads the post published by the Necrum Security Labs.

The second vulnerability (CVE–2022–36159) ties the use of hard-coded, weak cryptographic keys and backdoor accounts. The experts discovered a shadow file containing the hash of root and user users.

“[CVE-2022-36159] – Use of weak Hard-coded Cryptographic Keys and backdoor accounts. During our investigation we also found that the /etc/shadow file contains the hash of two users (root and user) which only took us a few minutes to recover by a brute-force attack.” continues the researchers. “The problem is that the owner of the device is only able to change the password for the user account from the web administration interface, because the root account is reserved for Contec, probably for maintenance purposes. This means an attacker with the root hard coded password can access all FXA2000 series and FXA3000 series devices.”

The post published by the experts demonstrates how to exploit the flaws, it also includes recommendations to address them.

Researchers recommend changing the account’s user password from the web admin interface and removing the hidden engineering web page from devices in production.

The experts recommend to randomly generate a different password for each device.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Log4Shell)