CVE-2020-17406

Name of the Vulnerable Software and Affected Versions Microhard Bullet-LTE versions prior to 1.2.0-r1112

Description This issue allows remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this issue. The flaw exists within the handling of the ping parameter provided to tools.sh, resulting from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root.

Recommendations For versions prior to 1.2.0-r1112, update to version 1.2.0-r1112 or later to resolve the issue. As a temporary workaround, consider restricting access to the tools.sh script and validating all user-supplied input to minimize the risk of exploitation. Avoid using the ping parameter in the affected tools.sh script until the issue is resolved.