Attack Chain

1. An unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.
2. The attacker crafts a malicious POST request targeting the /en/9-2radius.php endpoint.
3. The POST request includes parameters such as radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry along with save=1 and enable_radius=1.
4. The radius_address parameter contains an OS command injection payload.
5. The application improperly sanitizes the radius_address parameter and incorporates it into a sed command.
6. The injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.
7. The attacker establishes a reverse shell to maintain persistence and expand their foothold.
8. The attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.

Recommendation

• Deploy the Sigma rule “Synway SMG Gateway Radius Command Injection Attempt” to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.
• Apply input validation and sanitization to the radius_address, radius_address2, shared_secret2, source_ip, timeout, and retry parameters in the RADIUS configuration endpoint.
• Monitor web server logs for POST requests to /en/9-2radius.php containing suspicious characters or command sequences indicative of command injection attacks to activate the “Synway SMG Gateway Radius Command Injection Attempt” rule.