Siklu EtherHaul Series - Unauthenticated Arbitrary File Upload

Executive Summary

Following the initial disclosure of the unauthenticated RCE vulnerability in Siklu EtherHaul devices (CVE-PENDING), further investigation revealed that the same vulnerable rfpiped service on TCP port 555 can also be abused for arbitrary file uploads without authentication. A remote attacker can write files to any writable location on the device, enabling persistent backdoors and full system compromise.

Severity: Critical
CVSS Score: Pending
CVE ID: Pending
Affected Versions: Firmware 10.6.2 and 10.7.3 (tested); likely all versions from 7.4.0 onward

Vulnerability Details

Description

The rfpiped service accepts file upload requests without any authentication. Upload packets use a hybrid scheme in which only the metadata (header and target paths) is encrypted, using keys hardcoded in the binary, while the file contents are transmitted in cleartext. Because the target path is not validated, an attacker can write arbitrary files to persistent storage locations.

Impact

  • Arbitrary File Upload: Write files to any writable location on the device
  • Persistent Access: Upload scripts and configurations that survive reboots
  • No Authentication Required: Exploitation requires no credentials or prior access
  • Cleartext Exposure: File contents visible in network traffic

Technical Root Cause

The vulnerability exists due to:

  • No authentication for file upload operations
  • No validation of the target file path (any writable location can be specified)
  • Static encryption keys hardcoded in the binary, so the encrypted metadata provides no authentication

Investigation Timeline

Background

During analysis of the device management interface following the RCE discovery, packet captures showed that file upload operations also use the vulnerable rfpiped service on TCP port 555.

Technical Analysis

  1. File Upload Packet Structure: analysis revealed a hybrid layout in which only the metadata is encrypted and the file contents follow in cleartext from offset 0x90:
    Offset  Size    Description                 Encryption
    0x00    16      Header                      Encrypted
    0x10    32      Target filepath #1          Encrypted
    0x30    32      Padding (zeros)             Encrypted
    0x50    32      Target filepath #2          Encrypted
    0x70    32      Padding (zeros)             Encrypted
    0x90    var     File contents               CLEARTEXT
    
  2. Filesystem Analysis: the root filesystem is a read-only squashfs, but writable overlays backed by ubifs are what make persistence possible:
    /dev/root on / type squashfs (ro,relatime)                              # Root filesystem is READ-ONLY
    tmpfs on /tmp type tmpfs (rw,relatime)                                  # Volatile storage
    ubi0:conf on /var type ubifs (rw,relatime)                              # Persistent storage
    none on /etc type overlay (rw,relatime,lowerdir=/etc,upperdir=/var/etc) # Overlay on /etc enabling RW persistent storage
    
  3. Exploitation Paths: key writable locations for persistence:
    • /var/etc/init.d/ - init scripts on the persistent ubifs overlay of /etc; anything written here survives reboots
    • /tmp/.rastamp - root access stamp that enables root login via SSH; /tmp is tmpfs, so this gives immediate root access but does not by itself survive a reboot
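As an added example (not the advisory author's code and not the withheld proof of concept), the following Python script turns the packet layout above into a passive detection check over captured port-555 traffic, which also covers the monitoring recommendations given later on this page. It relies only on what the advisory documents: 0x90 bytes of encrypted metadata followed by cleartext file contents. The entropy and printable-byte thresholds, the flow record format, the management-host allow-list and all sample packets are assumptions constructed for the example, not captured traffic or real protocol headers.

```python
"""Passive detection of rfpiped file-upload traffic on TCP port 555.

Added example, not the advisory author's code. It relies only on the packet
layout documented in the advisory: 0x90 bytes of encrypted metadata (16-byte
header, two 32-byte path fields each followed by 32 bytes of padding) and then
the file contents in cleartext.
"""
import hashlib
import math
from dataclasses import dataclass
from typing import Iterable, List, Optional

RFPIPED_PORT = 555
CLEARTEXT_OFFSET = 0x10 + 4 * 0x20  # = 0x90, where the cleartext file body starts

# Thresholds below are assumptions for the heuristic, not values from the advisory.
MIN_METADATA_ENTROPY = 5.5  # bits/byte; encrypted metadata should look random
MIN_BODY_PRINTABLE = 0.90   # fraction of printable bytes expected in a text upload


@dataclass
class Finding:
    src: str
    dst: str
    reason: str
    preview: str = ""  # first line of the cleartext body, for triage


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte (0 for empty input, at most 8)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_payload(payload: bytes) -> Optional[str]:
    """Return the first cleartext line if the payload matches the upload layout.

    Returns None when the payload is too short to carry a file body, when the
    metadata region does not look encrypted, or when the body is not text.
    """
    if len(payload) <= CLEARTEXT_OFFSET:
        return None
    metadata, body = payload[:CLEARTEXT_OFFSET], payload[CLEARTEXT_OFFSET:]
    if shannon_entropy(metadata) < MIN_METADATA_ENTROPY:
        return None
    if printable_ratio(body) < MIN_BODY_PRINTABLE:
        return None
    return body.split(b"\n", 1)[0].decode("ascii", errors="replace")


def analyze_flows(flows: Iterable[dict], management_hosts: Iterable[str]) -> List[Finding]:
    """Flag port-555 sessions from unexpected sources and any cleartext file body.

    Each flow is a dict with keys src, dst, dport and payload (client-to-server
    bytes). management_hosts is the allow-list of hosts expected to use the
    device management service (assumed deployment detail).
    """
    allowed = set(management_hosts)
    findings: List[Finding] = []
    for flow in flows:
        if flow["dport"] != RFPIPED_PORT:
            continue
        if flow["src"] not in allowed:
            findings.append(Finding(flow["src"], flow["dst"],
                                    "tcp/555 session from non-management host"))
        preview = inspect_payload(flow["payload"])
        if preview is not None:
            findings.append(Finding(flow["src"], flow["dst"],
                                    "cleartext file body at offset 0x90 (rfpiped upload pattern)",
                                    preview))
    return findings


# --- Constructed sample data (not captured traffic) -------------------------
# Stand-in for the encrypted 0x90-byte metadata region: hash output is used only
# because it is high-entropy and deterministic; it is not a real rfpiped header.
FAKE_ENCRYPTED_METADATA = b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(5))[:CLEARTEXT_OFFSET]
# Placeholder init-script body, in cleartext as the advisory describes.
SAMPLE_SCRIPT = b"#!/bin/sh\n# placeholder init script\nexit 0\n"

SAMPLE_FLOWS = [
    # allowed management host; the upload body is still visible on the wire
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 555,
     "payload": FAKE_ENCRYPTED_METADATA + SAMPLE_SCRIPT},
    # unknown host, short packet with no file body
    {"src": "192.0.2.77", "dst": "10.0.0.20", "dport": 555,
     "payload": FAKE_ENCRYPTED_METADATA[:0x10]},
    # unrelated traffic, ignored
    {"src": "192.0.2.77", "dst": "10.0.0.20", "dport": 22, "payload": b"SSH-2.0-x\r\n"},
]
MANAGEMENT_HOSTS = ["10.0.0.5"]

if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS, MANAGEMENT_HOSTS):
        print(f"{f.src} -> {f.dst}: {f.reason} {f.preview!r}")
```

The check is deliberately one-sided: it cannot decrypt the metadata or recover the target path, so a binary upload with a non-text body will not trigger the cleartext rule, and only the source-host rule will catch it. Feed it reassembled client-to-server payloads from a capture; it is a triage aid for the mitigation section's monitoring advice, not a substitute for blocking the port.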

Affected Products

Confirmed Vulnerable

  • Product: Ceragon/Siklu EtherHaul Series devices (Tested on 8010 and 1200)
  • Versions: 10.6.2, 10.7.3 (tested)
  • Likely Affected: All EtherHaul series devices running firmware 7.4.0 or later

Patch Status

No patch available at the time of this disclosure.

Mitigation Recommendations

Immediate Actions

  1. Network Isolation: Isolate affected devices from untrusted networks
  2. Firewall Rules: Block TCP port 555 to EtherHaul devices except from designated management hosts (the device management interface itself uses this service, so a blanket block will break legitimate management)
  3. Monitor Network Traffic: Alert on TCP port 555 sessions from unexpected sources and on sessions carrying cleartext file contents

Long-term Recommendations

  1. Device Replacement: Consider replacing affected devices until patches are available
  2. Network Segmentation: Implement proper network segmentation for critical infrastructure
  3. Monitoring: Retain flow logs for port 555 so that past uploads can be identified later, since the device itself offers no file system visibility

Responsible Disclosure Timeline

  • Initial Discovery: 2025-04-12
  • Vendor Notification: 2025-04-16
  • 90-Day Disclosure Notice: 2025-04-28
  • Extension Offer: 2025-05-28 (No response received)
  • Public Disclosure: 2025-08-03

Vendor Response

When asked for an estimated patch timeline, the vendor stated:

Although we cannot estimate an ETA at this stage, the topic is already under review as part of our continuous improvement approach, and steps toward enhancing it are being considered.

Operational Context

Under typical deployment scenarios, detection is complicated by:

  • Limited File System Access: No visibility into the writable overlays through normal administrative interfaces
  • Forensic Limitations: Investigation requires physical access (e.g. UART) or vendor cooperation

These constraints mean compromises may go undetected indefinitely.

Proof of Concept

Due to the critical nature of this vulnerability and the lack of available patches, full technical details and exploit code are being withheld at this time.

Disclaimer: This disclosure is provided for educational and defensive purposes. The author is not responsible for any misuse of this information.