On July 26th, NCC Group reported an unauthenticated operating system (OS) command injection vulnerability in the Sunhillo SureLine application that allows an attacker to execute arbitrary commands with root privileges without first logging in. Sunhillo builds products for aerial surveillance and tracking that are used by the Federal Aviation Administration and by military and civil authorities worldwide. SureLine is Sunhillo's core software, the application that runs on all of its surveillance products.
Exploiting this vulnerability, tracked as CVE-2021-36380, gives an attacker root on the device, which can then be used to cause a denial of service or to establish persistence on the network. A successful attack amounts to a complete compromise of the system.
CVE-2021-36380 was found in the /cgi/networkDiag.cgi script, which NCC Group says “directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input.” Because the parameter is spliced into the command string rather than passed as a separate argument, shell metacharacters in the value end a legitimate diagnostic command and start one of the attacker's choosing. NCC Group obtained an interactive remote shell with a single POST request that injects a command instructing the device to open a reverse TCP connection to another system. “For example the attacker could add an SSH public key into /home/root/.ssh/authorized_keys and gain access as the root user,” NCC Group says.
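The following is an added example, not Sunhillo's code and not taken from the NCC Group advisory; it shows the injection pattern described above in miniature, alongside the hardened form. The parameter name `host`, the URL-encoded POST bodies and the choice of `ping` as the diagnostic command are assumptions made for illustration only.

```python
"""Command injection in a CGI-style network diagnostic handler, and its fix.

Added example, not Sunhillo's code. The `host` field name, the POST bodies
and the use of `ping` as the diagnostic are assumptions for illustration.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample POST bodies, as a diagnostics form might submit them.
BENIGN_BODY = "host=127.0.0.1"
MALICIOUS_BODY = "host=127.0.0.1%3B+echo+INJECTED"   # decodes to "127.0.0.1; echo INJECTED"


def parse_host(body):
    """Pull the (assumed) `host` field out of a URL-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("host", [""])[0]


def diag_vulnerable(body):
    """Vulnerable pattern: the user value is spliced into a shell command string.

    `sh -c` parses the whole string, so a `;`, `|`, `$(...)` or backtick inside
    `host` terminates the intended ping and starts an attacker-chosen command.
    Whether ping exists or succeeds is irrelevant: `;` runs the next command anyway.
    """
    host = parse_host(body)
    cmd = f"ping -c 1 -W 1 {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# RFC 1123 style hostname: labels of letters, digits and inner hyphens, dot separated.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(host):
    """Allow-list check: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def validate_host(host):
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def diag_hardened(body, run=subprocess.run):
    """Hardened pattern: validate first, then pass an argv list with shell=False.

    With no shell involved the value is a single argument to ping, so shell
    metacharacters carry no meaning. Validation still matters: a value starting
    with `-` could otherwise be parsed by ping as an option, which is why
    `is_valid_host` only admits addresses and hostnames. `run` is injectable so
    the handler can be exercised without real network I/O.
    """
    host = validate_host(parse_host(body))
    result = run(["ping", "-c", "1", "-W", "1", host], capture_output=True, text=True)
    return result.stdout


def fake_run(argv, **kwargs):
    """Stand-in for subprocess.run that echoes the argv it was handed (no execution)."""
    return subprocess.CompletedProcess(argv, 0, stdout=" ".join(argv), stderr="")


if __name__ == "__main__":
    print(diag_vulnerable(MALICIOUS_BODY))   # ends with INJECTED, whatever ping did
    try:
        diag_hardened(MALICIOUS_BODY)
    except ValueError as e:
        print(e)                             # the same payload is rejected outright
    print(diag_hardened(BENIGN_BODY, run=fake_run))
```

Running the vulnerable handler against the malicious body prints `INJECTED` even on a host where `ping` is missing or unprivileged, which is the property that makes this class of bug so reliable to exploit; the hardened handler rejects the same body before any process is spawned. In a real review, the argv-list change is the fix and the allow-list is defence in depth against option injection.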
NCC Group reported the vulnerability to Sunhillo on June 21st, and a patch was released on July 22nd. All users should update Sunhillo SureLine to the patched version 18.104.22.168.1 as soon as possible; until the update is applied, the device's web interface should not be reachable from untrusted networks, since the flaw requires no credentials. Software vendors should expect external third-party researchers to find vulnerabilities in their products and should offer a quick, easy way to report them responsibly. A clear communication channel lets a company learn of problems early and issue patches quickly, as Sunhillo did here by acknowledging the report and shipping a fix about a month later.