SB2026052123 - Two vulnerabilities in Four-Faith F3x36
Published: May 21, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2024-9644)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a missing authentication check in the administrative web server. A remote attacker can use the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint to modify device settings, which can lead to remote code execution when chained with another vulnerability.
2) Use of hard-coded credentials (CVE-ID: CVE-2024-9643)
CWE-ID: CWE-798 - Use of Hard-coded Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in the administrative web server. A remote unauthenticated attacker can gain administrative access to the system via a crafted HTTP request.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.