CVE-2024-52564

Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.

Weakness

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

Extended Description

A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as “chicken bits”. They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features. An attacker might exploit these interfaces for unauthorized access.

Potential Mitigations

• The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/212.html
• https://cwe.mitre.org/data/definitions/36.html

References

• https://jvn.jp/en/jp/JVN46615026/
• https://www.iodata.jp/support/information/2024/11_ud-lt1/