Elsight Halo – Remote Code Execution
Introduction
Elsight Halo is a sophisticated chipset embedded within drones used by governmental services such as the military and police. This advanced technology ensures reliable and secure communication channels for drones operating in critical and often challenging environments. By integrating multiple network connections, Elsight Halo provides robust and continuous connectivity, which is essential for real-time data transmission and remote control of drones. The chipset’s ability to maintain stable communication links, even in areas with poor network coverage, makes it an invaluable tool for defense, public safety, and various other governmental applications.
In 2022, our security team discovered a critical vulnerability in Elsight Halo, leading to the assignment of CVE-2022-36784. This vulnerability allows for Remote Code Execution (RCE) due to an open management interface with default credentials.
The discovery of this vulnerability began with routine security assessments. During one of these assessments, we noticed that the Elsight Halo management interface was accessible from the internet without any network restrictions. This interface used default credentials, which is a significant security oversight.
Discovering and Exploiting CVE-2022-36784
Gaining access to the management interface using the default username and password.
we began examining the available parameters and functionalities. We discovered that one of the parameters was susceptible to RCE. Specifically, when adding a semicolon (;) followed by a command to this parameter, the server executed the command and returned its output.
Here’s an example of how the exploitation works:
1. Access the management interface using the default credentials.
2. Locate the vulnerable parameter.
3. Inject the payload “;<command>”
4. The server executes the command and provides the output.
This allows attackers to execute arbitrary commands on the server, leading to a full compromise of the affected system.
Impact
The impact of this vulnerability is severe. An attacker exploiting this vulnerability can:
1.Execute arbitrary commands on the server.
2. Access sensitive information.
3. Modify or delete data.
4. Compromise the entire network infrastructure connected to the vulnerable server.
Given the critical nature of this vulnerability, we immediately reported it to the Elsight security team, who acknowledged the issue and worked on a patch to address it.
Lessons Learned
The discovery of CVE-2022-36784 provided several key takeaways for enhancing security practices:1. Never leave systems with default usernames and passwords. Always ensure unique and strong credentials are used for all interfaces.
2. Limit access to management interfaces by implementing network restrictions, such as IP whitelisting, and using VPNs for remote management.
3. Conduct regular security assessments and audits to identify and mitigate vulnerabilities before they can be exploited by attackers.
4. Educate and train staff about security best practices and the importance of following them to prevent similar issues.