SBA Security Advisory – Teltonika RUT9XX – Missing Access Control to UART Root Terminal (CVE-2018-17534)
Vulnerability Overview
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
- Type of Vulnerability: Incorrect Access Control
- Fixed in Version: RUT9XX_R_00.04.233
- CVE ID: CVE-2018-17534
- CVSSv3 Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSSv3 Base Score: 6.8 (Medium)
Recommended Countermeasure
We recommend updating Teltonika RUT9XX routers to version RUT9XX_R_00.04.233 or later. For further details, see the full security advisory.
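To triage a device inventory against the fixed release, the following added example (not part of the SBA advisory or of Teltonika's tooling) classifies firmware strings by numeric comparison. The sample inventory, the device names, and the acceptance of a bare version without the `RUT9XX_R_` prefix are assumptions of this example.

```python
import re

FIXED = (0, 4, 233)  # RUT9XX_R_00.04.233, the fixed release named in the advisory
# Only RUT9XX identifiers are in scope; a bare dotted version is also accepted
# (assumption of this example). Extra dotted components are tolerated.
FW_RE = re.compile(r"^(?:RUT9XX_R_)?(\d+(?:\.\d+)+)$")

def parse_firmware(value):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    m = FW_RE.match(value.strip())
    if not m:
        return None
    # Compare numerically: as strings, "99" would sort after "233".
    return tuple(int(part) for part in m.group(1).split("."))

def classify(value):
    """'affected' if older than the fixed release, 'fixed' if not, else 'unknown'."""
    version = parse_firmware(value)
    if version is None:
        return "unknown"  # never report an unparseable string as safe
    return "affected" if version < FIXED else "fixed"

def triage(inventory):
    """Map each classification to the sorted device names from {device: firmware}."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for device, firmware in inventory.items():
        result[classify(firmware)].append(device)
    return {status: sorted(names) for status, names in result.items()}

# Constructed sample inventory (device names and versions are made up).
SAMPLE = {
    "site-a-gw": "RUT9XX_R_00.04.172",
    "site-b-gw": "RUT9XX_R_00.04.233",
    "site-c-gw": "RUT9XX_R_00.05.01.2",
    "site-d-gw": "00.03.4",
    "site-e-gw": "custom-build",
    "site-f-gw": "",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices reported as `unknown` need a manual check rather than being counted as patched.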
Credits
- David Lisa Gnedt (SBA Research)