Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a critical vulnerability in 9Router software that allows unauthenticated remote attackers to execute arbitrary operating system commands. The issue stems from improper handling of a password field in an API request, which can be manipulated to inject and run malicious commands when certain conditions are met. This could lead to a complete compromise of affected devices.
- Command injection in an unauthenticated API.
- Impacts internet-facing edge networking devices.
- Confirm relevance and exposure of affected systems.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can send a specially crafted POST request to the `/api/tunnel/tailscale-install` endpoint. This request's `sudoPassword` field is fed directly into a shell process. If the system is configured such that `sudo` doesn't require a password, the attacker's input is interpreted as shell commands, enabling arbitrary OS command execution on the device.
- No authentication is required.
- POST to `/api/tunnel/tailscale-install`.
- Allows arbitrary OS command execution.
Live Threat
Current exploitation, exposure, and threat context
A remote, unauthenticated attacker could execute arbitrary operating system commands on the affected system when certain conditions allow the `sudoPassword` field to be interpreted as shell commands. This could occur when the system runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists, enabling the attacker to bypass the need for a password prompt.
- System commands could be executed.
- Via unauthenticated API endpoint.
- Compromise of system integrity.
Operational Fix
Recommended remediation, mitigation, and detection steps
This OS command injection vulnerability in 9Router affects unauthenticated API endpoints, meaning system owners or infrastructure teams managing network edge devices are likely responsible for remediation. The first practical step is to identify all instances of the affected router, determine their network exposure, and ascertain if they are business-critical to prioritize mitigation efforts.
- Verify router exposure and criticality.
- Identify accountable router owners.
- Plan and execute remediation actions.