“New firmware - bug fixed!”
Jay tests a new firmware for the RUT-240
Followup regarding CVE-2023-31728 and the RUT-240
This page is a follow-up to the following material previously published by Exotic Silicon:
Shortly after we discovered the issue, we made contact with the security team at Teltonika and provided detailed instructions to reproduce it.
They confirmed the bug, and a few days later it was fixed in firmware version 07.04.2.
We promptly downloaded the new firmware and installed it on one of our RUT-240 devices for testing.
The bug has indeed been fixed. After removing the extra firewall rules that we had created as a work-around to mitigate it with the previous version of the firmware, we re-tested the same method of remote access but the connection was correctly rejected.
The new firmware was in use and running without issues on our RUT-240 routers, which are configured in bridge mode, for 28 days starting from 20230421.
At this point we updated them to the newly released firmware 07.04.3, which we are still evaluating as of the time of writing on 20230519.
The first time we tried upgrading each router from firmware 07.04.1 to 07.04.2 whilst preserving the existing configuration, the upgrade appeared to complete correctly.
However, packets from the connected device were not routed out to the internet. Since nothing was obviously mis-configured, we decided to reset the device to factory settings, (whilst keeping the most recent firmware version 07.04.2). After the factory reset and subsequent re-configuration as described in the original article, the RUT-240 worked as expected and correctly routed data from the connected device to the cellular interface.
This happened exactly once with each router we upgraded, but after performing the factory reset we have not been able to reproduce the issue again, (despite testing various combinations of old firmwares).