lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <861538b1-36bc-42eb-a935-117f291540f7@sec-consult.com>
Date: Thu, 17 Oct 2024 05:46:06 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20241015-0 :: Multiple Vulnerabilities in
 Rittal IoT Interface & CMC III Processing Unit (CVE-2024-47943,
 CVE-2024-47944, CVE-2024-47945)

SEC Consult Vulnerability Lab Security Advisory < 20241015-0 >
=======================================================================
               title: Multiple Vulnerabilities
             product: Rittal IoT Interface & CMC III Processing Unit
  vulnerable version: <6.21.00.2
       fixed version: 6.21.00.2
          CVE number: CVE-2024-47943, CVE-2024-47944, CVE-2024-47945
              impact: high/critical
            homepage: https://www.rittal.com
               found: 2024-06-03
                  by: Johannes Kruchem (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Innovative strength has been woven into the Rittal DNA since its foundation.
In 1961, Rudolf Loh Elektrogerätebau was founded in Rittershausen by the
entrepreneur Rudolf Loh, with one simple guiding principle: “Enclosures
off the shelf, immediately.” In its founding year it launched the world’s
first standard enclosure on the market. In 1969, the company was renamed
Rittal, in honour of its roots in Rittershausen in Dietzhölztal. Within
just a few years, Rittal enclosures had become established as a global
standard, and have remained so to this day."

Source: https://www.rittal.com/com-en/Company


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately on the affected
devices.

SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
1) Improper signature verification of firmware upgrade files (CVE-2024-47943)
The firmware upgrade function in the admin web interface checks if the
patch files are signed before executing the containing run.sh script.
The signing process is kind of an HMAC with a long string as key
which is hard-coded in the firmware and is freely available for download.
This allows crafting malicious "signed" .patch files in order to compromise
the device and execute arbitrary code.


2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)
The device directly executes .patch files on a USB stick without any authentication.
This leads to an unauthenticated code execution in combination with 1).


3) Predictable Session ID (CVE-2024-47945)
The device is vulnerable to session hijacking due to insufficient entropy
in its session ID generation algorithm. The session IDs are predictable,
with only 32,768 possible values per user, which allows attackers to pre-generate
valid session IDs, leading to unauthorized access to user sessions. This is not
only due to the use of an (insecure) rand() function call but also because of
missing initialization via srand(). As a result only the PIDs are effectively
used as seed.


Proof of concept:
-----------------
1) Improper signature verification of firmware upgrade files (CVE-2024-47943)
To create a firmware or patch file passing the signature verification
the following steps are necessary:

- Store SHA512sum of all files of the fake firmware (needs run.sh) in file "rittal"
- Append hardcoded key "8ab4ce0f72bce9b3837281b7928732c5abfc43103a681214942dec2cc
   91f236ce8e9263f5778cc6db253ade368b0db4a9ff2adb9cc9f76c5114fe3ffcaf38bba" to the file
- Store SHA512sum of the file "rittal" in rittal.sig (delete "rittal" file if in directory)
- Create .tar of fake firmware files (e.g. run.sh & rittal.sig)
- Rename to <name>.patch
- Apply firmware upgrade (needs admin session in web interface)
- Profit

The attached PoC code creates a new valid .patch file which will be executed with
root privileges when the firmware upgrade will be applied.


2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)
This PoC describes the exploit from 1) without authentication but physical access.
For exploitation a signed (see 1)) firmware or .patch file is needed.
A script checks for new content of plugged-in USB sticks or SD cards.
If there is a .patch file available, the signature verification process
will be triggered.

The attached PoC code can also be used to generate signed firmware files.


3) Predictable Session ID (CVE-2024-47945)
The following function generates the sessionID for the web interface.
The code is part of the json.cgi script, which is invoked by the
Lighttpd web server:

   generate_sessionID(int a1, int UserID)
   {
     int pid; // r5
     int seed; // r0

     pid = getpid();
     seed = rand();
     srand(pid + seed);
     return ((rand() + 123) & 0xFFFFF00F) + 16 * UserID;
   }

It has been identified that the rand() function used in the sessionID generation
has a complexity of 2^31, which is inherently weak. However, the practical
implications for online brute-force attacks are limited due to additional factors.

The Process ID (PID) can range between 0 and 32768, and the UserID can vary from
0 to 256, which slightly increases the complexity. The primary issue lies
in the initial call to rand(), which always returns 1804289383 because it is not
initialized with srand(). Since json.cgi is invoked for every request, the
subsequent initialization does not take effect. This results in the seed being
essentially ineffective, leaving only the PID to function as the seed.

The UserID value is dependent on the user, with "admin" having a UserID of 0 and
"user" having a UserID of 1.

Consequently, the sessionID has an entropy of only 32768, making it highly
susceptible to exploitation within a few minutes.

The attached PoC code takes a list of sessionIDs and performs an online
brute-force attack. A valid session needs to be active.


Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
* 6.17.00
* 6.19.00.1

It is assumed that all previous versions <V6.21.00.2 are affected.

The vendor confirmed that the products 3124.300 IoT Interface and 7030.000 CMC
III Processing Unit are affected.


Vendor contact timeline:
------------------------
2024-06-21: Contacting vendor through info@...tal.de; no response.
2024-07-01: Contacting vendor through LinkedIn.
2024-07-02: Received contact for embedded devices.
2024-07-03: Sent advisory to Rittal contact.
2024-07-12: Response from vendor that V6.21.00.2 with fixed vulnerabilities will
             be released on 2024-09-30.
2024-10-07: Reserving CVE numbers.
2024-10-08: Informing Rittal about upcoming security conference talk having Rittal
             as an example regarding SessionID entropy, sending CVE numbers to vendor,
             asking again about affected products.
2024-10-11: Vendor confirms affected products, security fixes have already been
             published.
2024-10-15: Coordinated release of security advisory.


Solution:
---------
The vendor provides a patched version V6.21.00.2 which can be downloaded from
the following URL:
https://www.rittal.com/de-de/products/deep/3124300


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Johannes Kruchem / @2024

View attachment "sessionIDs.txt" of type "text/plain" (343545 bytes)

View attachment "sessionID_online_Brute_Forcer.py" of type "text/x-python" (2489 bytes)

View attachment "create_signed_firmware.py" of type "text/x-python" (2742 bytes)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4201 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ