KKM-798736 - Remote File Inclusion in usr/getform.html

The 1.x and 2.x firmware is vulnerable to remote file inclusion (RFI) due to allow_url_fopen being enabled and arguments are not being checked prior to being used in file operations. Since the 3.x firmware uses a redesigned WebUI it is not affected by this vulnerability.

References:

Solutions and Workarounds:

  • upgrade to the latest 3.x firmware if applicable
  • switch allow_url_fopen off manually in /etc/php.ini
  • apply the below patch which will switch allow_url_fopen off

If you decide to do neither of the above make sure the device is not accessible from untrusted networks (such as the internet) or for untrusted users. Alternatively prevent the device from accessing untrusted networks.

This vulnerability applies to the following models:

1U4200XXX, 1U4500, 1U4600, M3800, N2200XXX, N3200, N3200PRO, N3200XXX, N4100PRO, N4200, N4200Eco, N4200PRO, N5200, N5200PRO, N5200XXX, N5500, N7700, N7700+, N7700PRO, N7700SAS, N8200XXX, N8800, N8800+, N8800PRO, N8800SAS

Attachments

AttachmentSize
[file] Fix-KKM-798736.bin
Thecus FW update to fix the RFI vulnerability reported as KKM-798736. The file has to be applied the same way as a regular firmware update.
MD5: 3959ddce4020239d1d324685c2f28f55
632 bytes