by anonymous

Hi,

Received an email from newsletter@teltonika-iot.com.au today linking to this article (on your site); the article says:

Two independent research groups, OTORIO and Claroty, identified a total of six vulnerabilities in our Remote Management System (RMS) and two vulnerabilities in the firmware of RUT series devices. These vulnerabilities exposed potential attack vectors, including unauthorized access, remote code execution, denial of service, and potential device takeover via RMS.

and

The RMS vulnerabilities were resolved with version 4.14.0, which was released on April 26th, 2023; and the RutOS vulnerabilities were resolved with version 7.03.04, which was released on February 9th, 2023. We highly recommend our clients to update the firmware of their Teltonika Networks devices.

The article provides no specifics with regards to the vulnerabilities, and the release notes for the firmware in question (on the RUT955 at least) do not appear to address security issues (nothing specific is mentioned):

RUT9_R_00.07.03.4 | 2023.02.09

  • Fix
    • Network
      • Changed generic modem restart method
      • Fixed mobile page VoLTE switching issues
    • Services
      • Sanitized tcpdump storage location
      • Fixed RS485 issue on devices from batch > 110
      • Removed OPOST stty output setting with legacy Over IP mode
    • System
      • Fixed legacy backup upload
      • Fixed upgrade from legacy FW issue with keep settings

Can you please provide sufficient details (ideally within the article) to make this actionable? Applying firmware updates to remote devices is somewhat risky (your updates have broken things in the past!), and time consuming, so it's important to understand the potential impact of the identified issues (providing CVEs as you do with RUT9_R_00.07.04 would be a good start).

Thanks,
Matt

1 Answer

0 votes
by anonymous

Hello,

Detailed description of vulnerabilities can be found in the Cybersecurity and Infrastructure Security Agency (CISA) advisory here.

I would like to inform though that RMS and firmware vulnerabilities have been fixed before their publication in this advisory. Today RMS is running on the newest version that includes these fixes.

While Teltonika always strongly recommends following the newest firmware releases and updating the firmware whenever viable to manage security risks, it is our opinion that the reported vulnerabilities do not pose a serious risk for these reasons:

  1. they require access to router’s WebUI, which by default is enabled only on local area network side;
  2. they require access authorization to access the WebUI;
  3. neither vulnerability in itself provides means to access the WebUI;
  4. we’ve been proactively ensuring that basic security measures are always followed by introducing each device with a unique WebUI password and a mandatory password change once the device is operational.

The point "Sanitized tcpdump storage location" does address one of the vulnerabilities, simply not in a very direct way. In general, firmware updates usually include more updates and fixes than end up in the final published changelog list.

Best regards,

Best answer
by anonymous

Thanks very much - it would be great if that link could be added to the newsroom article. There does also appear to be a conflict between the article ("were resolved with version 7.03.04") and advisory ("RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)").

The main point of raising this question is to request that you include sufficient detail in any communications re security vulnerabilities. Due to my environment these issues are not a huge concern (and definitely not worth the risk of pushing out an update) but that was not obvious from the info provided (which was very generic and came across as marketing...).
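The affected-range check that this thread turns on, as an added example (not Teltonika's or the advisory's code): it normalises the version spellings quoted above (RUT9_R_00.07.03.4, the advisory's 00.07.00 through 00.07.03.4, and the article's 7.03.04) and triages a constructed device inventory against the advisory's range for CVE-2023-32349. It assumes that the article's 7.03.04 denotes the same build as RutOS 00.07.03.4 and that a RutOS-form version string always begins with a 00. field.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not Teltonika's code. Affected range as quoted from the CISA
# advisory in the thread (CVE-2023-32349): RUT routers on 00.07.00 through
# 00.07.03.4 inclusive. Assumption: the article's "7.03.04" denotes the same
# build as RutOS 00.07.03.4, and a RutOS-form string always starts with "00.".
AFFECTED_MIN = (0, 7, 0, 0)
AFFECTED_MAX = (0, 7, 3, 4)

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

def parse_rutos_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Normalise the version spellings seen in the thread to one 4-tuple.
    'RUT9_R_00.07.03.4' / '00.07.04' are the RutOS form (a missing trailing
    field means .0); '7.03.04' is the short form without the leading '00.'.
    Returns None when no version is present."""
    m = _VER_RE.search(text)
    if not m:
        return None
    g = [int(x) if x is not None else None for x in m.groups()]
    if m.group(1) == "00":            # RutOS form: 00.MM.mm[.p]
        return (g[0], g[1], g[2], g[3] if g[3] is not None else 0)
    if g[3] is None:                  # short form: MM.mm.p
        return (0, g[0], g[1], g[2])
    return (g[0], g[1], g[2], g[3])

def is_in_affected_range(text: str) -> Optional[bool]:
    """True inside the advisory's range, False outside it, None if unparseable."""
    v = parse_rutos_version(text)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each device 'affected', 'not-affected' or 'unknown'."""
    labels = {True: "affected", False: "not-affected", None: "unknown"}
    return {name: labels[is_in_affected_range(fw)] for name, fw in inventory.items()}

# Constructed sample inventory (device name -> firmware string as reported).
SAMPLE_INVENTORY = {
    "rut955-site-a": "RUT9_R_00.07.03.4",  # last build in the advisory's range
    "rut955-site-b": "RUT9_R_00.07.04",    # above the range
    "rut955-site-c": "RUT9_R_00.06.09.5",  # constructed value, below the range
    "rut955-site-d": "n/a",                # no version reported
}

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

Under the advisory's stated range the article's 7.03.04 is flagged as affected, which is exactly the conflict the last comment points out.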