Garrett Metal Detectors Can Be Manipulated Remotely By Executing Arbitrary Code

Multiple vulnerabilities were detected recently by the Cisco Talos in the two most used walk-through metal detectors of Garrett. 

All these vulnerabilities could allow an attacker to execute several attacks remotely and they are like:-

• Bypassing authentication requirements.
• Manipulate metal detector configurations.
• Execute arbitrary code on the device.

Hand-held and walk-through metal detectors are the devices that are used majorly manufactured by the Garrett, and they are mainly used in the following areas for security purposes and checkpoints:-

• Sports venues
• Airports
• Banks
• Museums
• Ministries
• Courthouses

In the iC module version 5.0 of Garrett devices, all the vulnerabilities were discovered, and the Garrett walk-through metal detectors like Garrett PD 6500i or Garrett MZ 6100 receive network connectivity from the vulnerable iC module.

Here at this point, a threat actor can remotely monitor statistics on the metal detector by manipulating the vulnerable iC module. And like this, they can also trigger several actions like:-

• Alarm
• Statistics of visitors have walked through
• Change configuration
• Altering the sensitivity level of a device

Vulnerable Models

Garrett metal detectors that are affected by these vulnerabilities are:-

• Garrett PD 6500i
• Garrett MZ 6100

Flaws Discovered

In total, the cybersecurity analysts at Cisco Talos have discovered nine vulnerabilities that are affecting the devices from Garrett. 

Here we have mentioned below all the security flaws discovered:-

• CVE-2021-21901: Stack-based buffer overflow vulnerabilities enable an unauthenticated threat actor to exploit a buffer overflow condition using a specially-crafted packet. CVSS v3: 9.8 (critical)
• CVE-2021-21903: Stack-based buffer overflow vulnerabilities enable an unauthenticated threat actor to exploit a buffer overflow condition using a specially-crafted packet. CVSS v3: 9.8 (critical)
• CVE-2021-21904: A directory traversal flaw in iC Module enabling an actor to send a specially-crafted command-line argument can lead to an arbitrary file overwrite. CVSS v3 score: 9.1 (critical)
• CVE-2021-21905: Two stack-based buffer overflow flaws that can be triggered by uploading a malicious file on the target device and forcing the system to call ‘readfile’. CVSS v3: 8.2 (high)
• CVE-2021-21906: Two stack-based buffer overflow flaws that can be triggered by uploading a malicious file on the target device and forcing the system to call ‘readfile’. CVSS v3: 8.2 (high)
• CVE-2021-21902: Authentication bypass vulnerability in the CMA run_server of the iC Module, enabling a threat actor to launch a properly-timed network connection through a sequence of requests, leading to session hijacking. CVSS v3 score: 7.5 (high)
• CVE-2021-21908: Directory traversal flaws, allowing a threat actor to delete files on the target device by sending specially-crafted command line arguments. CVSS v3 score: 6.0 (medium)
• CVE-2021-21909: Directory traversal flaws, allowing a threat actor to delete files on the target device by sending specially-crafted command line arguments. CVSS v3 score: 6.0 (medium)
• CVE-2021-21907: A directory traversal vulnerability leading to local file inclusion via a specially-crafted command-line argument. CVSS v3 score: 4.9 (medium)

Resolution

In compliance with the vulnerability disclosure policy of Cisco, Garrett has resolved these issues together with Cisco Talos and launched an update for all the affected customers.

Since iC Module CMA, version 5.0 of Garrett Metal Detectors are vulnerable and could be exploited by the threat actors, so, the security analysts at Cisco Talos have recommended users to immediately update the existing firmware to the latest version to mitigate such vulnerabilities.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.