PT-2019-10078 · Inteno · Inteno Iopsys

Rasmus Moorats · Published 2019-04-11 · Updated 2019-04-12 · CVE-2018-20487

CVSS v2.0: 9.0 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Inteno IOPSYS versions 1.0 through 3.16
Description: An issue was discovered in the firewall3 component. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the path argument to a malicious script or binary. This gets executed as root when the firewall changes are committed.
Recommendations: For Inteno IOPSYS versions 1.0 through 3.16, consider restricting access to the JSON-RPC method to add firewall rules until a patch is available. As a temporary workaround, avoid using the path argument to point to external scripts or binaries.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2018-20487

Affected Products

Inteno Iopsys