Title: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Advisory ID: ZSL-2021-5687
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 10.10.2021

Summary: CTM-200 is an industrial cellular wireless gateway for fixed and mobile applications. It is a Linux-based platform powered by an ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site office and SCADA communications.

Description: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgradefw as argument, called by ctm.sys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmà Donna ELF binary.

Vendor: Cypress Solutions Inc.
Affected Version: 2.7.1.5659, 2.0.5.3356-184
Tested On: GNU/Linux 2.6.32.25 (arm4tl), BusyBox v1.15.3

Vendor Status:
[21.09.2021] Vulnerability discovered.
[23.09.2021] Vendor contacted.
[09.10.2021] No response from the vendor.
[10.10.2021] Public security advisory released.

PoC: cypress_rce.txt
Credits: Vulnerability discovered by Gjoko Krstic
References: [1] [2] [3] [4] [5]

Changelog:
[10.10.2021] - Initial release
[13.10.2021] - Added reference [2], [3], [4] and [5]

Contact: Zero Science Lab
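
Added example, not vendor code and not part of the advisory: one way a firmware-upgrade handler can treat a value like 'fw_url' from the Description, checking it against a strict allowlist and handing it to wget as a single execv() argument with no shell in between. The function names, the 512-byte limit and the /usr/bin/wget path are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator (not vendor code): http(s) only, strict character
 * allowlist, so nothing in the value is special to a shell or read as an option. */
int fw_url_is_safe(const char *url)
{
    static const char allowed[] = "-._:/%";
    size_t len, skip, i;
    if (url == NULL || (len = strlen(url)) == 0 || len > 512)
        return 0;
    skip = strncmp(url, "https://", 8) == 0 ? 8
         : strncmp(url, "http://", 7) == 0 ? 7 : 0;
    if (skip == 0 || url[skip] == '\0' || url[skip] == '/')
        return 0;                 /* wrong scheme (incl. leading '-') or empty host */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL)
            return 0;             /* ; | & ` $ ( ) quotes, whitespace, ... */
    }
    return 1;
}

/* Build an argument vector for execv(): the URL stays one argument. */
int build_wget_argv(const char *url, const char *dest, const char *argv[5])
{
    if (!fw_url_is_safe(url) || dest == NULL)
        return -1;
    argv[0] = "wget"; argv[1] = "-O"; argv[2] = dest; argv[3] = url; argv[4] = NULL;
    return 0;
}

/* Run wget directly, never through /bin/sh; the binary path is an assumption. */
int fetch_firmware(const char *url, const char *dest)
{
    const char *argv[5];
    int status; pid_t pid;
    if (build_wget_argv(url, dest, argv) != 0)
        return -1;                /* rejected before any process is created */
    if ((pid = fork()) == 0) {
        execv("/usr/bin/wget", (char *const *)argv);
        _exit(127);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
               ? WEXITSTATUS(status) : -1;
}
```

Because the child is started with execv() and an argument vector, the allowlist is a second layer: even a value that slipped past it would reach wget as data rather than be interpreted by a shell.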