RailTel Fixes Vulnerabilities Impacting Official Site, Email System

Security researcher Sunny Nehra discovered various flaws impacting the RailTel site in early May.

By Jagmeet Singh | Updated: 8 June 2022 16:04 IST
Highlights
  • RailTel was informed about the issues last month
  • The organisation pulled its vulnerable password reset system
  • RailTel claimed that there had been no incident of data breach

The RailTel site was allegedly affected by flaws that could have allowed hackers to gain root-level access

RailTel, the public sector enterprise that operates under the railway ministry and is known for providing Internet access at train stations, has fixed a series of serious vulnerabilities affecting its website. One of the issues could have allowed a hacker to reset the passwords of its email account holders, according to a security researcher. The RailTel site was also running an outdated version of the content management system Joomla that is affected by a number of known vulnerabilities, including ones that can be exploited to let attackers gain root-level access or operate the site as an administrator.

Security researcher Sunny Nehra discovered various flaws impacting the RailTel site in early May. He informed Gadgets 360 that one of the issues could have allowed hackers to gain access to the email accounts of RailTel employees by resetting their passwords.

The researcher said that a bad actor could hack the email accounts because the organisation had not applied any rate limit to the one-time password (OTP) mechanism on its email password reset page. Such a limit is meant to stop attackers from submitting guess after guess until they eventually hit the correct one.


In addition to the missing rate limit, the email system could allegedly be attacked using the response manipulation technique, which attackers could leverage to bypass authentication.
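The two weaknesses described above, a missing attempt limit on the OTP and a reset flow that can be driven by a manipulated response, share one mitigation: the server keeps its own record of how many guesses have been made and whether the OTP was actually verified, and nothing the client sends can short-circuit that record. The sketch below is an added illustration of that design and is not RailTel's code or anything shared by the researcher. The limits, the in-memory session store and the e-mail addresses are constructed for the example.

```python
import hmac
import secrets
import time
from typing import Optional

MAX_OTP_ATTEMPTS = 5      # constructed limit: lock the reset after five wrong guesses
OTP_TTL_SECONDS = 600     # constructed: the OTP is valid for ten minutes
OTP_DIGITS = 6

# Server-side reset state, keyed by account. In production this would live in a
# database or cache; a module-level dict keeps the example self-contained.
_reset_sessions: dict = {}
_passwords: dict = {}


def start_reset(email: str, now: Optional[float] = None) -> str:
    """Open a reset session and return the OTP. A real deployment would send the
    OTP to the account holder by e-mail instead of returning it to the caller."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _reset_sessions[email] = {
        "otp": otp,
        "attempts": 0,
        "verified": False,
        "token": None,
        "expires": now + OTP_TTL_SECONDS,
    }
    return otp


def verify_otp(email: str, submitted: str, now: Optional[float] = None) -> dict:
    """Check one OTP guess, counting it against the per-account attempt limit.

    Returns a dict with a 'status' and, only on success, a server-issued
    'reset_token'. The 'verified' flag is set here and nowhere else, so a client
    that rewrites the HTTP response it receives gains nothing."""
    now = time.time() if now is None else now
    session = _reset_sessions.get(email)
    if session is None:
        return {"status": "no_session"}
    if now > session["expires"]:
        del _reset_sessions[email]
        return {"status": "expired"}
    if session["attempts"] >= MAX_OTP_ATTEMPTS:
        # Locked: even the correct OTP is rejected now; a fresh reset must be requested.
        return {"status": "locked"}
    session["attempts"] += 1
    if not hmac.compare_digest(session["otp"], submitted):
        return {"status": "invalid",
                "attempts_left": MAX_OTP_ATTEMPTS - session["attempts"]}
    session["verified"] = True
    session["token"] = secrets.token_urlsafe(32)
    return {"status": "ok", "reset_token": session["token"]}


def set_new_password(email: str, reset_token: str, new_password: str) -> bool:
    """Change the password only if the server's own record shows the OTP was
    verified and the caller presents the token issued at that moment."""
    session = _reset_sessions.get(email)
    if session is None or not session["verified"] or session["token"] is None:
        return False
    if not hmac.compare_digest(session["token"], reset_token):
        return False
    _passwords[email] = new_password
    del _reset_sessions[email]  # the reset session is single-use
    return True


def current_password(email: str) -> Optional[str]:
    """Helper for inspecting the constructed password store."""
    return _passwords.get(email)
```

The point of the final step is that `set_new_password` consults only server-side state: a client that forges an "OTP accepted" response still has no `reset_token`, and once the attempt counter reaches the limit the correct OTP is refused as well, so a six-digit code cannot simply be enumerated.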


"RailTel's mailing system was made in a very insecure way," Nehra told Gadgets 360. "Currently, it has turned the password reset page down."

The RailTel site was also running Joomla version 3.4.2, which was released back in 2015. That particular release is affected by several known vulnerabilities.


Nehra said the site was affected by the vulnerability tracked as CVE-2015-8562, which was exploited by some attackers in December 2015.

"The flaw leads to root access or complete hacking of the vulnerable server," he said, adding that other critical flaws of the outdated Joomla version also impacted the site.


To explain the flaws, Nehra shared three proof-of-concept (PoC) videos with Gadgets 360.

Shortly after spotting the issues, the researcher disclosed the vulnerabilities to RailTel and informed India's Computer Emergency Response Team (CERT-In) and National Critical Information Infrastructure Protection Centre (NCIIPC) on May 6. Last week, CERT-In and NCIIPC confirmed to the researcher that the issues had been patched by the enterprise.

RailTel also separately confirmed the fixes to Gadgets 360.

"RailTel's website runs behind a Web application firewall and is loaded with host-based antivirus and hence cyber attackers cannot exploit vulnerabilities, if any, and cannot upload shells to our website," the organisation said in a prepared statement emailed to Gadgets 360. "We would like to stress upon the fact that there has been NO INCIDENT of any data breach reported."

It also confirmed that its site was currently running on the latest stable release of the Joomla platform.

"Also, currently we are not facing any issue related to the email account (railtelindia.com domain) compromise," it said.

RailTel runs a service called RailWire to offer free Wi-Fi access at railway stations in the country. It partnered with Google in 2016 to kick off a public Wi-Fi initiative called Google Station. The partnership, though, ended in May 2020. RailTel has, however, continued to provide free Wi-Fi service at hundreds of railway stations.

In 2017, antivirus company eScan named the RailWire service as the service provider worst affected by the WannaCry ransomware.

Aside from providing Internet access, RailTel in the recent past introduced technologies including an artificial intelligence (AI) based attendance system for government schools in Assam.
