Multiple Critical Vulnerabilities Discovered in FutureNet Networking Devices
A series of critical vulnerabilities has been identified in FutureNet’s NXR, VXR, and WXR series networking devices, leaving thousands of users potentially exposed to cyberattacks. The Japan Computer Emergency Response Team (JPCERT/CC) has issued an urgent advisory detailing the flaws, which could allow remote attackers to gain unauthorized access, execute commands, and even cause denial-of-service conditions.
The vulnerabilities, tracked as CVE-2024-31070, CVE-2024-36475, CVE-2024-36491, and CVE-2020-10188, range in severity with CVSS scores reaching 9.8 (Critical). They stem from issues such as insecure default configurations, active debug code, and a buffer overflow in a legacy netkit-telnet component.
The impact of these vulnerabilities is far-reaching, potentially affecting a wide range of FutureNet devices, including routers, switches, and wireless access points. Successful exploitation could lead to:
- CVE-2024-31070 (CVSS 9.8): An unauthenticated attacker can access the telnet service without limitations.
- CVE-2024-36475 (CVSS 7.2): A knowledgeable user can utilize the debug function to execute arbitrary OS commands.
- CVE-2024-36491 (CVSS 9.8) and CVE-2020-10188 (CVSS 9.8): A remote attacker can execute arbitrary commands, access or modify sensitive data, and cause a DoS condition.
The vulnerabilities impact the following products and firmware versions:
- FutureNet NXR-1300 series: Firmware version 7.4.9 and earlier
- FutureNet NXR-650: Firmware version 21.16.1 and earlier
- FutureNet NXR-610X series: Firmware version 21.14.11 and earlier
- FutureNet NXR-530: Firmware version 21.11.13 and earlier
- FutureNet NXR-350/C: Firmware version 5.30.9 and earlier
- FutureNet NXR-230/C: Firmware version 5.30.12 and earlier
- FutureNet NXR-160/LW: Firmware version 21.8.3 and earlier
- FutureNet NXR-G200 series: Firmware version 9.12.15 and earlier
- FutureNet NXR-G180/L-CA: Firmware version 21.7.28B and earlier
- FutureNet NXR-G120 series: Firmware version 21.15.2 and earlier
- FutureNet NXR-G110 series: Firmware version 21.7.30C and earlier
- FutureNet NXR-G100 series: Firmware version 6.23.10 and earlier
- FutureNet NXR-G060 series: Firmware version 21.15.5 and earlier
- FutureNet NXR-G050 series: Firmware version 21.12.9 and earlier
- FutureNet VXR/x64: Firmware version 21.7.31 and earlier
- FutureNet VXR/x86: Firmware version 10.1.4 and earlier
- FutureNet NXR-1200: Firmware version 5.25.21 and earlier
- FutureNet NXR-130/C: Firmware version 5.13.21 and earlier
- FutureNet NXR-155/C series: Firmware version 5.22.5M and earlier
- FutureNet NXR-125/CX: Firmware version 5.25.7H and earlier
- FutureNet NXR-120/C: Firmware version 5.25.7H and earlier
- FutureNet WXR-250: Firmware version 1.4.7 and earlier
Century Systems Co., Ltd., the manufacturer of FutureNet devices, has released firmware updates to address these vulnerabilities for some models. However, for several older devices, there are no patches available, and the company recommends discontinuing their use and switching to alternatives.
If you are using any of the affected FutureNet devices, it is crucial to take immediate action:
- Check Your Firmware Version: Determine if your device is running a vulnerable firmware version.
- Apply Updates: If available, update the firmware to the latest version provided by Century Systems.
- Disable Telnet: If your device is configured with default settings, disable telnet and enable SSH to enhance security.
- Consider Alternatives: For unsupported devices, consider replacing them with newer, more secure models.
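For the firmware check across more than a handful of devices, the following added example (not code from Century Systems or JPCERT/CC) compares an inventory against the "and earlier" versions listed above. The inventory rows are constructed, the model keys are the names as written in the list, and the ordering of letter suffixes (28 < 28A < 28B) is an assumption about the vendor's numbering.

```python
import re
# Last affected firmware per model, copied from the list above ("X and earlier").
LAST_AFFECTED = {
    "NXR-1300 series": "7.4.9", "NXR-650": "21.16.1",
    "NXR-610X series": "21.14.11", "NXR-530": "21.11.13",
    "NXR-350/C": "5.30.9", "NXR-230/C": "5.30.12",
    "NXR-160/LW": "21.8.3", "NXR-G200 series": "9.12.15",
    "NXR-G180/L-CA": "21.7.28B", "NXR-G120 series": "21.15.2",
    "NXR-G110 series": "21.7.30C", "NXR-G100 series": "6.23.10",
    "NXR-G060 series": "21.15.5", "NXR-G050 series": "21.12.9",
    "VXR/x64": "21.7.31", "VXR/x86": "10.1.4",
    "NXR-1200": "5.25.21", "NXR-130/C": "5.13.21",
    "NXR-155/C series": "5.22.5M", "NXR-125/CX": "5.25.7H",
    "NXR-120/C": "5.25.7H", "WXR-250": "1.4.7",
}

def parse_version(text):
    """Split '21.7.28B' into ((21, 7, 28), 'B'); reject anything else."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2).upper()

def is_affected(model, firmware):
    """True when firmware is at or below the last affected version for model.
    Assumption: a letter suffix sorts after the bare version (28 < 28A < 28B)."""
    return parse_version(firmware) <= parse_version(LAST_AFFECTED[model])

def triage(inventory):
    """Label each (host, model, firmware) row; unknowns go to manual review."""
    results = []
    for host, model, firmware in inventory:
        try:
            status = "AFFECTED" if is_affected(model, firmware) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # model not in the list, or unparseable version
        results.append((host, model, firmware, status))
    return results

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    ("edge-01", "NXR-G110 series", "21.7.30C"),
    ("edge-02", "NXR-G110 series", "21.7.31"),
    ("branch-07", "NXR-230/C", "5.30.9"),
    ("lab-03", "NXR-9999", "1.0.0"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("{:<10} {:<16} {:<9} {}".format(*row))
```

Versions are compared field by field as integers, so 5.30.9 is correctly treated as older than 5.30.12, which a plain string comparison would get wrong. An "ok" result means only that the firmware is newer than the version listed here; models the vendor no longer patches remain affected regardless of version.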