Misconfiguration Exposes Hotel Routers to Risk
Hospitality network equipment vendor ANTlabs issued a public advisory on March 26 about a vulnerability (identified as CVE-2015-0932) in its systems. The vulnerability is the configuration of the rsync service, which is a common synchronization utility found on Linux and Unix systems. ANTlabs InnGate gateways were running an rsync service in a manner that is not secure.
"An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access," ANTlabs warns in its advisory. "A remote unauthenticated user with unrestricted access to the rsync port to affected gateway products may be allowed full read/write access to the file system."
ANTlabs has already issued a patch for its impacted gateway devices, and for ANTlab users that for some reason are unable to deploy the patch, the United States Computer Emergency Readiness Team (US-CERT) offers a workaround in its advisory for the issue.
"Administrators may block unrestricted access to the rsync TCP port 873 on the affected network," US-CERT advised.
Security researchers at Cylance were the first to discover and report the CVE-2015-0932 flaw. In a detailed blog post, the firm details the potential impact and damage that the unpatched flaw could have caused. If exploited, an attacker could have potentially intercepted hotel guest traffic or injected some form of malware on the network.
Even though ANTlabs gateways are found within hotels, Cylance found them to be remotely accessible.
"After scanning all public addresses on IPv4 for vulnerable devices, we identified 277 devices which could be directly exploited from the Internet," Cylance stated.
To be clear, this is not a Linux or Unix vulnerability. This is a misconfiguration issue that could have exposed hotel guests to risk. It's unclear whether this issue was the simple result of an oversight or whether it was just a trust boundary issue. In many "out-of-the-box" types of operating system installations (Linux or otherwise) local users and local services are trusted.
The simple reality of the modern network is that all services, local or otherwise, need to be locked down. Every service should be configured with the principle of least privilege—meaning that each service only gets the access it needs to function.
For hotel guests, this latest security warning is just another wake-up call to always be vigilant. A hotel network might be benign and non-hostile, or it could have a lurking vulnerability like CVE-2015-0932. Users should always assume the network is hostile, and if possible when connecting at a hotel or at a coffee shop, it's always prudent to connect over a VPN.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.