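Vulnerability Title
Command Execution through the Serial Interface of u-blox TOBY-L2
Vulnerability Description
An input validation vulnerability in TOBY-L2 allows a user to execute arbitrary operating system commands using specially crafted AT commands. This vulnerability requires physical access to the module's serial interface, or the ability to modify the system or software so that it uses its serial interface to send malicious AT commands.
Exploiting the vulnerability gives the attacker full administrative (root) privileges, enabling them to execute any operating system command on TOBY-L2, which may change the behavior of the module itself and of the components associated with it (depending on its privileges on other connected systems). It can also provide the ability to read system-level files and affect the availability of the module.
This vulnerability affects the TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280.
CVSS Information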
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Category
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Vulnerability Title
Command Execution through Serial Interface of u-blox TOBY-L2
Vulnerability Description
A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. This vulnerability requires physical access to the serial interface of the module or the ability to modify the system or software which uses its serial interface to send malicious AT commands.
Exploitation of the vulnerability gives the attacker full administrative (root) privileges to execute any operating system command on TOBY-L2, which can lead to modification of the behavior of the module itself as well as the components connected with it (depending on its rights on other connected systems). It can further provide the ability to read system-level files and hamper the availability of the module.
This issue affects TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280.
CVSS Information
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Category
Improper Input Validation