Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices

Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device.  

The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.

TALOS-2021-1353 (CVE-2021-21901), TALOS-2021-1355 (CVE-2021-21903) and TALOS-2021-1357 (CVE-2021-21905 and CVE-2021-21906) are stack-based buffer overflow vulnerabilities that an attacker could trigger by sending a specially crafted packet to the device. All these vulnerabilities may result in remote code execution, with TALOS-2021-1353 and TALOS-2021-1355 occurring prior to any authentication. 
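To make the "specially crafted packet" failure mode concrete, here is an added example (not Talos or Garrett code; the iC module's real protocol is not described on this page) using a hypothetical two-byte header where the second byte declares the payload length. The unchecked handler trusts that byte and copies into a fixed-size stack buffer, which is the pattern behind a stack-based overflow; the checked handler rejects any length that exceeds the buffer or the bytes actually received before it copies anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout, constructed for this example only:
   byte 0: opcode, byte 1: payload length, bytes 2..: payload. */
#define MAX_PAYLOAD 32

/* Vulnerable pattern: the length byte comes straight off the wire and
   drives a memcpy into a fixed stack buffer. A length greater than
   MAX_PAYLOAD overruns 'buf' and clobbers the stack frame. */
int handle_unchecked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[MAX_PAYLOAD];
    if (pkt_len < 2) return -1;
    size_t n = pkt[1];
    memcpy(buf, pkt + 2, n);            /* no comparison against sizeof buf */
    return (int)n;
}

/* Hardened: the declared length must fit the destination buffer and must
   not exceed what was actually received before any copy takes place. */
int handle_checked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[MAX_PAYLOAD];
    if (pkt_len < 2) return -1;
    size_t n = pkt[1];
    if (n > sizeof buf) return -2;      /* would overflow the stack buffer */
    if (n > pkt_len - 2) return -3;     /* claims more bytes than were sent */
    memcpy(buf, pkt + 2, n);
    return (int)n;
}

/* Constructed sample packets: a benign 4-byte payload, one whose length
   byte (200) exceeds the buffer, and one whose length byte (10) exceeds
   the 5 payload bytes actually present. */
static const uint8_t BENIGN_PKT[]    = {0x01, 4, 'a', 'b', 'c', 'd'};
static const uint8_t OVERSIZED_PKT[] = {0x01, 200, 'x', 'y'};
static const uint8_t TRUNCATED_PKT[] = {0x01, 10, 'a', 'b', 'c', 'd', 'e'};

int demo_benign(void)    { return handle_checked(BENIGN_PKT, sizeof BENIGN_PKT); }
int demo_oversized(void) { return handle_checked(OVERSIZED_PKT, sizeof OVERSIZED_PKT); }
int demo_truncated(void) { return handle_checked(TRUNCATED_PKT, sizeof TRUNCATED_PKT); }

int main(void) {
    /* Only the checked handler is exercised on hostile input; calling
       handle_unchecked with OVERSIZED_PKT is undefined behaviour. */
    printf("benign: %d (payload bytes)\n", demo_benign());
    printf("oversized: %d (rejected)\n", demo_oversized());
    printf("truncated: %d (rejected)\n", demo_truncated());
    return 0;
}
```

The second check matters as much as the first: a length that fits the buffer but exceeds the received data turns the handler into an out-of-bounds read of whatever follows the packet in memory.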

TALOS-2021-1356 (CVE-2021-21904), TALOS-2021-1358 (CVE-2021-21907) and TALOS-2021-1359 (CVE-2021-21908 and CVE-2021-21909) are directory traversal vulnerabilities that allow an authenticated attacker to conditionally read, write and delete files on the device.
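The directory traversal class above comes down to a file-handling routine that joins a caller-supplied name onto a base directory without checking that the result stays inside it. The following added example (written for this post, not Garrett's firmware, and independent of how the iC module actually builds its paths) shows a lexical containment check that walks the path components and refuses any request that climbs above the base.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if 'rel' would climb out of the directory it is joined to,
   0 if it stays inside. This is a purely lexical check (no filesystem
   access), so symlinks inside the base still need a separate realpath()
   comparison after the file is opened. */
int path_escapes(const char *rel) {
    if (rel[0] == '/') return 1;        /* absolute paths are never allowed */
    int depth = 0;
    const char *p = rel;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;  /* ".." climbed above the base */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* a real component goes one level down */
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Joins 'base' and 'rel' only when 'rel' cannot escape the base.
   Returns 0 on success, -1 if the path is rejected, -2 if 'out' is too small. */
int join_contained(const char *base, const char *rel, char *out, size_t outlen) {
    if (path_escapes(rel)) return -1;
    int n = snprintf(out, outlen, "%s/%s", base, rel);
    return (n < 0 || (size_t)n >= outlen) ? -2 : 0;
}

int main(void) {
    /* Constructed sample requests against a hypothetical config directory. */
    const char *base = "/var/device/config";
    const char *requests[] = {
        "settings.cfg", "logs/../settings.cfg", "../../etc/passwd",
        "logs/../../settings.cfg", "/etc/passwd"
    };
    char out[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = join_contained(base, requests[i], out, sizeof out);
        printf("%-26s -> %s\n", requests[i], rc == 0 ? out : "rejected");
    }
    return 0;
}
```

The check has to run on the fully decoded name: if the service URL-decodes or strips characters after this test rather than before it, the decoded result can still contain the components the lexical walk was meant to catch.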

Lastly, we found TALOS-2021-1354 (CVE-2021-21902), a race condition in the authentication phase of a command-line utility exposed over the network. Successfully abusing this race condition would allow an attacker to hijack an authenticated user’s session. The adversary could then interact with the command-line interface with all the privileges of the hijacked user. 

Cisco Talos worked with Garrett to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Talos tested and confirmed that the Garrett Metal Detectors iC Module CMA, version 5.0, is affected by these vulnerabilities. Users should update to the latest version of the firmware as soon as possible.

The following SNORT® rules will detect exploitation attempts against these vulnerabilities: 58013 - 58017. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.
