Message-ID: <AS8PR04MB881913C4B53304A1A03D4F06F435A@AS8PR04MB8819.eurprd04.prod.outlook.com>
Date: Thu, 14 Aug 2025 15:27:20 +0000
From: Georg Lukas <lukas@...solutions.de>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Piciorgros TMO-100: Unauthorized configuration change via TFTP (CVE-2025-29617)
PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_TFTP_en.pdf
Classification
--------------
- CWE-306: Missing Authentication for Critical Function
- CWE-940: Improper Verification of Source of a Communication Channel
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CVSS 4.0 Score: 8.4 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H
- CVSS 3.1 Score: 8.3 / High
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Affected systems
----------------
- Piciorgros TMO-100 V3/V4 with software version below 4.20
(discovered in V3.72)
Summary
-------
The Piciorgros TMO-100 is a data modem for TETRA radio networks. It has
an open TFTP service that cannot be disabled, allowing the modem
configuration to be read and written without authentication. TFTP access
is possible via both LAN and TETRA, meaning that an attacker who has
gained access to either of these networks can change the configuration
of all modems in the same TETRA data network. This allows the attacker
to configure port forwarding to gain access to systems behind the
modems, or to delete the dial-in data of the modems, disconnecting
critical infrastructure facilities. Starting with software version 4.20,
TFTP access is only activated for a 15-minute time window after a web
login to prevent attacks during normal operation.
Details
-------
During a penetration test carried out on behalf of a customer, a
Piciorgros TMO-100 data modem was part of the test scope. The
documentation and port scans revealed that a TFTP service (UDP port 69)
was active for uploading the firmware, accessing the configuration
("config.tmo"), voice alarms ("voicealarms.tmo") and another file
("plog.tmo"). Access is possible via the IP Loader software provided by
the manufacturer or with a TFTP client:
$ atftp 192.168.0.199
tftp> get config.tmo
tftp>
$ ls -al config.tmo
-rw-rw-r-- 1 pentest pentest 157184 Feb 21 16:13 config.tmo
This access is possible both via LAN and via the TETRA data network. The
retrieved file "config.tmo" contains all configuration parameters of the
modem in binary format, but no TETRA key material. It contains sensitive
data such as:
- TETRA parameters (SSI, TMCC, TMNC)
- PPP login data (user and password in plain text)
- LAN configuration (IP address, network mask, gateway)
- Port forwarding configuration (global forwarding / ports and IPs)
Excerpts from the configuration file with marked fields:
- Modem LAN IP: c0a800c7 = 192.168.0.199
- Network mask: fffff000 = 255.255.240.0
- Default gateway: c0a80001 = 192.168.0.1
000000a0: 0000 0000 0000 0000 0000 003f 0000 c0a8 ...........?....
000000b0: 00c7 ffff f000 c0a8 0001 0050 1273 0045 ...........P.s.E
- PPP access data: "TMO" / "TMO", modem ID: "TMO-100"
000002a0: 0000 0000 0000 0000 0000 0000 544d 4f00 ............TMO.
000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002c0: 544d 4f00 0000 0000 0000 0000 0000 0000 TMO.............
000002d0: 0000 0000 544d 4f2d 3130 3000 0000 0000 ....TMO-100.....
This access also allows the configuration file to be downloaded,
modified, and uploaded in order to obtain further access. To do this,
either the format must be completely reverse-engineered, or a second
modem is required on which the configuration can be imported and
adjusted as needed via the web interface.
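For an operator who wants to audit a retrieved config.tmo export for the plaintext fields the advisory lists, the following added example (not the advisory's or the vendor's code) rebuilds a byte image from the two xxd-style excerpts quoted above and decodes the LAN settings and PPP strings. The field offsets are read off those excerpts and are an assumption about the layout; which of the two "TMO" strings is the user and which the password is also assumed.

```python
"""Decode the TMO-100 config.tmo fields shown in the advisory's hexdump excerpts."""
import ipaddress
import re

# Sample input: the two xxd-style excerpts quoted in the advisory (constructed here).
EXCERPTS = """\
000000a0: 0000 0000 0000 0000 0000 003f 0000 c0a8 ...........?....
000000b0: 00c7 ffff f000 c0a8 0001 0050 1273 0045 ...........P.s.E
000002a0: 0000 0000 0000 0000 0000 0000 544d 4f00 ............TMO.
000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002c0: 544d 4f00 0000 0000 0000 0000 0000 0000 TMO.............
000002d0: 0000 0000 544d 4f2d 3130 3000 0000 0000 ....TMO-100.....
"""

# offset, colon, then up to eight 4-hex-digit groups; the ASCII column is ignored
XXD_LINE = re.compile(r"^([0-9a-f]+):((?:\s[0-9a-f]{4}){1,8})")

def parse_xxd(text: str) -> bytearray:
    """Rebuild a zero-filled byte image from xxd-style dump lines (gaps stay zero)."""
    image = bytearray()
    for line in text.splitlines():
        m = XXD_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if len(image) < offset + len(data):
            image.extend(b"\x00" * (offset + len(data) - len(image)))
        image[offset:offset + len(data)] = data
    return image

def cstring(image: bytes, offset: int, maxlen: int = 32) -> str:
    """Read a NUL-terminated ASCII string starting at offset."""
    end = image.find(b"\x00", offset, offset + maxlen)
    return bytes(image[offset:end if end != -1 else offset + maxlen]).decode("ascii", "replace")

def decode_config(image: bytes) -> dict:
    """Extract the fields the advisory identifies; offsets are assumed from the excerpts."""
    ip = lambda off: str(ipaddress.IPv4Address(bytes(image[off:off + 4])))
    return {
        "lan_ip": ip(0xAE), "netmask": ip(0xB2), "gateway": ip(0xB6),
        "ppp_user": cstring(image, 0x2AC),      # first "TMO" (user/password order assumed)
        "ppp_password": cstring(image, 0x2C0),  # second "TMO"
        "modem_id": cstring(image, 0x2D4),
    }

def audit(cfg: dict) -> list:
    """Findings an operator would want flagged in a config export."""
    findings = []
    if cfg["ppp_password"] == cfg["ppp_user"]:
        findings.append("PPP password equals PPP user name")
    if len(cfg["ppp_password"]) < 8:
        findings.append("PPP password shorter than 8 characters")
    return findings
```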
Impact
------
An attacker with LAN access to a TMO-100 modem or to the TETRA data
network can retrieve and manipulate the configuration of all modems
connected to the TETRA data network without needing to know any
credentials. By changing the port forwarding configuration, they can
gain access to devices connected behind other data modems and, by
changing the TETRA parameters, take the modem offline so that a service
technician must come on site.
Mitigation for operators
------------------------
The modems should be updated to at least software version 4.20 to limit
the impact. The TFTP port can be changed to a non-standard value in the
web interface to make detection by attackers more difficult. Where
possible, TFTP access should be prevented by external firewalls.
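Because the interim mitigation above moves TFTP off port 69, a network detection should key on the request payload rather than the port. The following added example (not the vendor's or the advisory's tooling) decodes TFTP read/write requests per the RFC 1350 layout and raises an alert when one of the three file names from the advisory is requested, with a write request rated above a read; the sample datagrams are constructed.

```python
"""Flag TFTP requests for TMO-100 configuration files on any UDP port."""
import struct
from typing import Optional, Tuple

OPCODES = {1: "RRQ", 2: "WRQ"}
WATCHED = {"config.tmo", "voicealarms.tmo", "plog.tmo"}  # file names from the advisory

def parse_tftp_request(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (opcode name, filename, mode) for an RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None  # DATA, ACK, ERROR or OACK: not a request
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename NUL mode NUL are mandatory
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return OPCODES[opcode], filename, mode

def classify(src: str, dst: str, dport: int, payload: bytes) -> Optional[str]:
    """Alert line for requests touching the modem's files; a write is the critical case."""
    req = parse_tftp_request(payload)
    if req is None:
        return None
    op, filename, _mode = req
    if filename.lower() not in WATCHED:
        return None
    severity = "CRITICAL" if op == "WRQ" else "HIGH"
    note = " (non-standard TFTP port)" if dport != 69 else ""
    return f"{severity}: TFTP {op} {filename} {src} -> {dst}:{dport}{note}"

# Constructed sample datagrams: (src, dst, dst port, UDP payload)
SAMPLES = [
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x01config.tmo\x00octet\x00"),
    ("10.0.0.5", "192.168.0.199", 6969, b"\x00\x02config.tmo\x00octet\x00"),
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x01boot.bin\x00octet\x00"),
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x03\x00\x01data"),  # DATA block, not a request
]

def run(samples=SAMPLES) -> list:
    """Return the alert lines produced for the given datagrams."""
    return [a for a in (classify(*s) for s in samples) if a]

if __name__ == "__main__":
    print("\n".join(run()))
```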
Timeline
--------
- 2025-02-21 Discovery of the vulnerability
- 2025-02-27 Reported to the manufacturer
- 2025-03-06 Vulnerability confirmed by the manufacturer
- 2025-03-11 Release of software version V4.20 by the manufacturer
- 2025-08-14 Publication of the vulnerability as part of responsible
disclosure
--
Dr.-Ing. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln
Mobile: (+49)179 4176591
Fax: (+49)221 93724 50
Switchboard: (+49)221 93724 0
Web : www.rt-solutions.de
Registered office: Köln
Registered at the Cologne District Court (Amtsgericht Köln): HRB 52645
Managing Directors: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/