Remy

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

**Name of the Vulnerable Software and Affected Versions** Firewalla Box Software versions prior to 1.979 **Description** A weak credential issue exists, allowing a physically close attacker to use the license UUID for authentication and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once an attacker gains access to the LAN, they could log into the SSH interface using the provisioned credentials. The license UUID can be acquired through plain-text Bluetooth sniffing, reading the QR code on the bottom of the device, or brute-forcing the UUID. **Recommendations** For versions prior to 1.979, update to version 1.979 or later to resolve the issue. As a temporary workaround, consider disabling the Bluetooth Low-Energy (BTLE) interface until a patch is available. Restrict access to the SSH interface to minimize the risk of exploitation. Avoid using the provisioned SSH credentials in the affected interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Firewalla Box Software versions before 1.979 **Description** Multiple authenticated operating system (OS) command injection vulnerabilities exist in the software. A physically close attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters, including `networkConfig.Interface.Phy.Eth0.Extra.PingTestIP`, `networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain`, and `networkConfig.Interface.Phy.Eth0.Gateway6`. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes. **Recommendations** For versions before 1.979, update to version 1.979 or later to resolve the issue. As a temporary workaround, consider restricting access to the network configuration service and the BTLE interface to minimize the risk of exploitation. Avoid using the vulnerable configuration parameters, such as `networkConfig.Interface.Phy.Eth0.Extra.PingTestIP`, `networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain`, and `networkConfig.Interface.Phy.Eth0.Gateway6`, until the issue is resolved.