Patch Now! Tecno 4G Portable WiFi TR118 Firmware Flaw Exposes Devices

In today’s hyperconnected world, portable hotspots have become indispensable tools for staying connected on the go. However, these devices are not immune to security vulnerabilities, and one such vulnerability has been discovered in the Tecno 4G Portable WiFi TR118.

The Vulnerability

The vulnerability, designated as CVE-2023-6304, resides in the ping feature of the network diagnostic tools of the Tecno 4G Portable WiFi TR118 firmware version TR118-M30E-RR-DEnFrArSwHaPo-OP-V008-20220830. This vulnerability allows an authenticated remote attacker on the LAN to execute arbitrary code on the device.

Exploiting the Vulnerability

An attacker can exploit this vulnerability by crafting a request to the ping feature that includes system commands enclosed in backticks. A shell treats backticks as command substitution, so the device executes these commands, potentially granting the attacker complete control over the device.

A publicly disclosed proof-of-concept exploit makes the flaw easier to exploit. It demonstrates how an attacker can use tools like Burp Suite to intercept and alter requests, allowing them to execute arbitrary commands on the device.
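For firmware developers, the defence against this class of bug is to validate the ping target against an allowlist and to run ping without a shell. The C code below is an added example, not code from the TR118 firmware or from the published proof of concept; the function names `is_valid_ping_target` and `run_ping`, and the weak pattern shown in the first comment, are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed weak pattern (not taken from the TR118 firmware): the shell expands
 * backticks in host:  snprintf(cmd, n, "ping -c 1 %s", host); system(cmd); */

/* Allowlist: letters, digits, '.', '-', ':' (hostname, IPv4, IPv6).
 * Returns 1 if host is acceptable, 0 otherwise. */
int is_valid_ping_target(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-')  /* '-' would read as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Validate, then exec ping via argv with no shell; -1 on rejection or failure. */
int run_ping(const char *host)
{
    if (!is_valid_ping_target(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a plain address, then one carrying backticks. */
    const char *in[] = { "192.168.1.1", "192.168.1.1`uptime`" };
    printf("%d %d\n", is_valid_ping_target(in[0]), is_valid_ping_target(in[1]));
    return 0;
}
```

The allowlist alone blocks the backtick input; passing the target as a single `argv` element is the second layer, since no shell ever parses it.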

Impact of the Vulnerability

This vulnerability poses a significant risk to the security of the Tecno 4G Portable WiFi TR118. An attacker could exploit this vulnerability to:

  • Gain unauthorized access to the device and steal sensitive data
  • Install malware or ransomware on the device
  • Disrupt or disable the device’s functionality

Remediation

As of now, there is no official patch available to address the CVE-2023-6304 vulnerability. However, users can take some steps to mitigate the risk:

  • Update the device’s firmware to the latest version as soon as a patch is available
  • Consider using an alternative portable hotspot device