Executive Summary:
- On April 2, 2024, a PoC was published for a critical unauthenticated remote code execution vulnerability (tracked as CVE-2024-29269) in South Korean Telesquare TLR-2005Ksh routers. Versions 1.0.0 and 1.1.4 are affected. At the time of writing, this CVE is still awaiting analysis and does not yet have a CVSS score.
- Affected Products: TLR-2005Ksh is an LTE router from Telesquare, a South Korean telecommunications company.
- Impact: An unauthenticated attacker could leverage this vulnerability to execute arbitrary system commands, potentially leading to complete device compromise. This poses a severe risk to an organization’s network, as further possible actions after compromise could potentially include data breaches, ransomware deployment, network reconnaissance, or lateral movement on the network.
- Exploitation Status: While no active exploitation has been reported yet, proof-of-concept code is publicly available, likely decreasing the barrier to entry for threat actors.
- Censys’s Perspective: As of May 28, 2024, Censys has identified 3,338 hosts exposing the Telesquare TLR-2005Ksh login interface – although not all of these are necessarily vulnerable to CVE-2024-29269.
- According to a report from Criminal IP, vulnerable routers can be identified by returning a content length header of 5745 bytes. Censys has found 69 routers matching this description that are potentially vulnerable. However, without further evidence to support the validity of this fingerprinting technique, it is still recommended to verify your router version locally.
- Recommendations for Remediation: Telesquare has not yet released a patch or remediation guidance for CVE-2024-29269. It’s recommended to immediately restrict access to the Telesquare TLR-2005Ksh management interface from the public internet.
- Detection:
Background
On April 2, 2024, a PoC was released for CVE-2024-29269, an unauthenticated remote code execution vulnerability affecting Telesquare TLR-2005Ksh versions 1.0.0 and 1.1.4. This vulnerability stems from improper input validation, allowing attackers to execute arbitrary system commands via the Cmd parameter without any authentication. Telesquare TLR-2005Ksh is a line of LTE routers manufactured by Telesquare, a South Korean telecommunications company.
Potential Consequences of Successful Exploitation:
The ability to execute arbitrary commands without authentication poses a critical risk to affected systems. Successful exploitation could lead to complete server compromise, enabling threat actors to potentially steal sensitive data, deploy ransomware, perform network traffic reconnaissance, or gain a foothold for further network intrusion.
Censys’s Perspective
On May 28, 2024, Censys observed 3,338 distinct hosts exposing a Telesquare TLR-2005Ksh management interface on the public internet. While not all of these instances are necessarily vulnerable, any system running versions 1.0.0 or 1.1.4 is likely at high risk of exploitation.
According to Criminal IP, Telesquare routers vulnerable to CVE-2024-29269 can be identified based on the length of their HTTP server response content header. Firmware versions 1.0.0 and 1.1.4 are reported to have a unique content length header of 5745 bytes. Censys observes 69 distinct hosts matching this indicator.
While the exact logic behind this connection is not clearly explained, it could be a potential indicator that security researchers and defenders could leverage to narrow down vulnerable devices. However, it’s important to note that further verification of the firmware version would still be necessary to confirm exploitability.
The exposures are concentrated solely in South Korea. The top autonomous system with the most exposed instances is SKTELECOM-NET-AS (AS9644), belonging to SK Telecom, a South Korean telecommunications giant.
Recommendations for Remediation
Until an official patch is released, it’s recommended to restrict access to the Telesquare TLR-2005Ksh management interface to only allow connections from a few trusted users (such as network admins) or through a VPN.
References:
