[<prev] [next>] [day] [month] [year] [list]
Message-ID: <25faaaa2-cea7-4ddc-a161-619aa9b1291a@sba-research.org>
Date: Thu, 11 Oct 2018 15:57:20 +0200
From: SBA Research Advisory <advisory@...-research.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SBA-ADV-20180319-02] CVE-2018-17534: Teltonika RUT9XX Missing
Access Control to UART Root Terminal
# Teltonika RUT9XX Missing Access Control to UART Root Terminal #
Link: https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control
## Vulnerability Overview ##
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root
terminal on a serial interface without proper access control. This
allows attackers with physical access to execute arbitrary commands
with root privileges.
* **Identifier** : SBA-ADV-20180319-02
* **Type of Vulnerability** : Incorrect Access Control
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.04.199 and probably prior,
newer firmware versions if settings were not cleared
* **Fixed in Version** : RUT9XX_R_00.04.233
* **CVE ID** : CVE-2018-17534
* **CVSSv3 Vector** : CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 6.8 (Medium)
## Vendor Description ##
> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.
Source: <https://teltonika.lt/product/rut955/>
## Impact ##
An attacker with physical access can fully compromise the device, by
exploiting the vulnerabilities documented in this advisory. Sensitive
data stored or transmitted via the device might get exposed through
this attack.
We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which
includes fixes for the vulnerability described in this advisory.
It is important to clear all settings during upgrade, for example, by
disabling the "Keep all settings" checkbox while upgrading via the
webinterface. Otherwise, newer firmware versions remain vulnerable.
## Vulnerability Description ##
RUT9XX routers provide a UART/serial interface on two pins of an
internal card-edge connector.
* RX: Pin 1 - Rectangle-like pin on the top-side (CPU side)
* TX: Pin 8 - Rectangle-like pin on the bottom-side
The UART interface uses TTL-level and a baud rate of 115200. It
provides log output and a root terminal without proper access control.
## Proof-of-Concept ##
Our test device with firmware RUT9XX_R_00.04.172 provided the following
log output during boot and after hitting the ENTER key:
```text
***************************************
* U-Boot 3.0.1 2017-02-15 *
***************************************
BOARD: Teltonika RUT9XX
RAM: 128 MB DDR2 32-bit CL3-4-4-10
FLASH: 16 MB Winbond W25Q128
CLOCKS: CPU/RAM/AHB/SPI/REF
550/400/200/ 25/ 40 MHz
Hit any key to stop booting: 0
Booting image from 0x9F040000...
Vendor/image name: Teltonika RUT9xx
Hardware ID: 0x35000001
Whole image size: 15.5 MB (16252928 bytes)
Kernel size: 1.1 MB (1191732 bytes)
Rootfs size: 9.7 MB (10170504 bytes)
Kernel load address: 0x80060000
Kernel entry point: 0x80060000
Header CRC... skipped
Data CRC... skipped
Stopping network... OK!
Uncompressing Kernel... OK!
Starting kernel...
[ 0.000000] Linux version 3.18.44 (simonas@...tonika-I3) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r40569) ) #1 Tue Apr 10 15:23:49 EEST 2018
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[ 0.000000] SoC: Atheros AR9344 rev 3
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[ 20.140000] usb 1-1.3: new high-speed USB device number 4 using ehci-platform
[ 20.280000] option 1-1.3:1.0: GSM modem (1-port) converter detected
[ 20.280000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB1
[ 20.290000] option 1-1.3:1.1: GSM modem (1-port) converter detected
[ 20.300000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB2
[ 20.310000] option 1-1.3:1.2: GSM modem (1-port) converter detected
[ 20.310000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB3
[ 20.320000] option 1-1.3:1.3: GSM modem (1-port) converter detected
[ 20.330000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB4
[ 20.360000] qmi_wwan 1-1.3:1.4: cdc-wdm0: USB WDM device
[ 20.360000] qmi_wwan 1-1.3:1.4: Quectel EC21&EC25&EC20 R2.0 work on RawIP mode
[ 20.370000] qmi_wwan 1-1.3:1.4 wwan0: register 'qmi_wwan' at usb-ehci-platform-1.3, WWAN/QMI device, xx:xx:xx:xx:xx:xx
[ 22.280000] jffs2: notice: (1498) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 26.220000] device eth0 entered promiscuous mode
[ 28.520000] eth0: link up (1000Mbps/Full duplex)
[ 28.520000] br-lan: port 1(eth0) entered forwarding state
[ 28.530000] br-lan: port 1(eth0) entered forwarding state
[ 30.530000] br-lan: port 1(eth0) entered forwarding state
[ 33.220000] Ports leds ON
procd: - init complete -
BusyBox v1.24.2 () built-in shell (ash)
____ _ ___ ____ _(_)_
| _ \ _ _| |_ / _ \/ ___| (_)@(_)
| |_) | | | | __| | | \___ \ /(_)
| _ <| |_| | |_| |_| |___) | \|/
|_| \_\\__,_|\__|\___/|____/ \|/
Teltonika RUT9XX 2014 - 2018
root@...ter:/# id
uid=0(root) gid=0(root)
root@...ter:/#
```
## Timeline ##
* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` re-test of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` notify vendor about incomplete fix
* `2018-07-25` notify vendor about incomplete fix
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17534
* `2018-09-26` notify vendor about incomplete fix
* `2018-10-03` vendor stated that clearing of settings is required
* `2018-10-10` re-test of version RUT9XX_R_00.04.233
* `2018-10-11` public disclosure
## References ##
* Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware>
## Credits ##
* David Gnedt ([SBA Research](https://www.sba-research.org/))
Download attachment "0xFBB8862F58F775B2.asc" of type "application/pgp-keys" (3544 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists