Vulnerability Discovered in EE 4GEE Mini Modem Poses Serious Security Risk
A critical vulnerability has been identified in the 4GEE Mini modem, a product offered by the mobile operator EE in the UK. This security flaw could enable attackers to execute malicious software on Windows computers that have connected to the modem, effectively granting them the highest level of access within the system.
The vulnerability, unearthed by Osanda Malith, a 20-year-old security researcher from Sri Lanka associated with ZeroDayLab, can be manipulated by users with low privilege accounts. Specifically, any Windows device that has previously connected to the 4GEE Mini modem via USB is at risk of exploitation. The implications of this vulnerability are severe; attackers could seize complete control of the targeted machines, facilitating activities such as installing malware, rootkits, or keyloggers, and even stealing sensitive personal data.
The flaw, designated as CVE-2018-14327, resides in the driver files installed by the EE modem. It arises from improper folder permissions, allowing low-privileged user accounts the ability to read, write, execute, and modify files within the designated folders and their subdirectories. An attacker can simply replace the legitimate “ServiceManager.exe” with a malicious copy, prompting the vulnerable driver to execute it with elevated SYSTEM privileges upon reboot.
In a demonstration video, Malith illustrated the method by which this attack could lead to privilege escalation, enabling the attacker to set up a reverse shell from a compromised account. The attack relies on the system restarting, at which point the malicious service would launch under the “NT AUTHORITY\SYSTEM” account, affording the attacker full access.
The discovery was reported to EE and manufacturer Alcatel in July, who subsequently acknowledged the issue and released a firmware patch earlier this month. Users of the 4GEE Mini modem are urged to apply this update to safeguard against potential exploits. The latest firmware version, EE40_00_02.00_45, should replace any earlier, vulnerable iterations of the software.
In light of this incident, it is imperative for stakeholders in the tech industry, particularly business owners, to assess their cybersecurity protocols and remain vigilant against vulnerabilities like this one. This type of local privilege escalation attack aligns with MITRE ATT&CK frameworks, highlighting tactics such as initial access, persistence, and privilege escalation that adversaries may use when exploiting vulnerabilities in software.
Business owners should ensure that their systems are updated and monitor for any irregular activity that could signify an attempted breach. Awareness of vulnerabilities like CVE-2018-14327 is crucial, not just for individual users, but for organizations relying on secure connectivity for network operations. For further insights into the vulnerability, readers may consult both Malith’s blog and additional advisories issued by ZeroDayLab.