On July 26th, NCC Group reported an unauthenticated operating system (OS) command injection vulnerability in the Sunhillo SureLine application that could allow an attacker to execute arbitrary commands with root privileges. Sunhillo is a company that creates products for aerial surveillance and tracking, used by the Federal Aviation Administration as well as military and civil authorities globally. The SureLine application is Sunhillo’s core software solution and powers all of its surveillance products.
Threat actors can exploit this vulnerability, identified as CVE-2021-36380, to gain full control of a device and cause a denial of service or establish persistence on the network. If successful, this could result in a complete system compromise.
CVE-2021-36380 was found in the /cgi/networkDiag.cgi script, which NCC Group says “directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input.” An attacker could obtain an interactive remote shell session by sending a POST request that injects a command instructing the server to establish a reverse TCP connection to another system. “For example the attacker could add an SSH public key into /home/root/.ssh/authorized_keys and gain access as the root user,” NCC Group says.
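To make the bug class concrete, the following is an added example and not Sunhillo's code (the real networkDiag.cgi source is not reproduced on this page): a hypothetical ping-style diagnostic handler that splices a request parameter into a shell command string, beside a hardened version that allowlists the target and passes it as a separate argv element with no shell involved. The `PING` path and all function names are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical stand-in for a network-diagnostics CGI handler. Constructed for
# illustration only; the real networkDiag.cgi source is not reproduced here.
PING = "/bin/ping"


def build_ping_vulnerable(host: str) -> str:
    """Anti-pattern behind the CVE-2021-36380 bug class: the request parameter
    is spliced into a command string that is later handed to a shell
    (shell=True). Anything the shell treats specially (';', '&&', '|', '$(...)')
    becomes part of the command line, and if the CGI runs as root, the
    injected part runs as root too."""
    return f"{PING} -c 3 {host}"


# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host: str) -> str:
    """Allowlist validation: accept only an IP literal or a DNS hostname.
    Everything else (shell metacharacters, whitespace, empty input) is
    rejected outright rather than 'escaped', since escaping is easy to get
    wrong."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected diagnostic target: {host!r}")


def build_ping_hardened(host: str) -> List[str]:
    """Hardened form: the validated value is a single argv element in a list
    that is executed without a shell, so no metacharacter is interpreted."""
    return [PING, "-c", "3", validate_target(host)]


def run_diag(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command. A list argument means shell=False; the
    handler itself should also run as an unprivileged user, not root."""
    return subprocess.run(build_ping_hardened(host), capture_output=True,
                          text=True, timeout=10, check=False)
```

The vulnerable builder shows why input like `127.0.0.1; echo injected` ends up as extra shell commands, while the hardened builder rejects it before any process is spawned.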