SEC Consult Vulnerability Lab Security Advisory < 20241015-0 > ======================================================================= title: Multiple Vulnerabilities product: Rittal IoT Interface & CMC III Processing Unit vulnerable version: <6.21.00.2 fixed version: 6.21.00.2 CVE number: CVE-2024-47943, CVE-2024-47944, CVE-2024-47945 impact: high/critical homepage: https://www.rittal.com found: 2024-06-03 by: Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Innovative strength has been woven into the Rittal DNA since its foundation. In 1961, Rudolf Loh Elektrogerätebau was founded in Rittershausen by the entrepreneur Rudolf Loh, with one simple guiding principle: “Enclosures off the shelf, immediately.” In its founding year it launched the world’s first standard enclosure on the market. In 1969, the company was renamed Rittal, in honour of its roots in Rittershausen in Dietzhölztal. Within just a few years, Rittal enclosures had become established as a global standard, and have remained so to this day." Source: https://www.rittal.com/com-en/Company Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately on the affected devices. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Improper signature verification of firmware upgrade files (CVE-2024-47943) The firmware upgrade function in the admin web interface checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download. This allows crafting malicious "signed" .patch files in order to compromise the device and execute arbitrary code. 2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944) The device directly executes .patch files on a USB stick without any authentication. This leads to an unauthenticated code execution in combination with 1). 3) Predictable Session ID (CVE-2024-47945) The device is vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed. Proof of concept: ----------------- 1) Improper signature verification of firmware upgrade files (CVE-2024-47943) To create a firmware or patch file passing the signature verification the following steps are necessary: - Store SHA512sum of all files of the fake firmware (needs run.sh) in file "rittal" - Append hardcoded key "8ab4ce0f72bce9b3837281b7928732c5abfc43103a681214942dec2cc 91f236ce8e9263f5778cc6db253ade368b0db4a9ff2adb9cc9f76c5114fe3ffcaf38bba" to the file - Store SHA512sum of the file "rittal" in rittal.sig (delete "rittal" file if in directory) - Create .tar of fake firmware files (e.g. run.sh & rittal.sig) - Rename to <name>.patch - Apply firmware upgrade (needs admin session in web interface) - Profit The attached PoC code creates a new valid .patch file which will be executed with root privileges when the firmware upgrade will be applied. 2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944) This PoC describes the exploit from 1) without authentication but physical access. For exploitation a signed (see 1)) firmware or .patch file is needed. A script checks for new content of plugged-in USB sticks or SD cards. If there is a .patch file available, the signature verification process will be triggered. The attached PoC code can also be used to generate signed firmware files. 3) Predictable Session ID (CVE-2024-47945) The following function generates the sessionID for the web interface. The code is part of the json.cgi script, which is invoked by the Lighttpd web server: generate_sessionID(int a1, int UserID) { int pid; // r5 int seed; // r0 pid = getpid(); seed = rand(); srand(pid + seed); return ((rand() + 123) & 0xFFFFF00F) + 16 * UserID; } It has been identified that the rand() function used in the sessionID generation has a complexity of 2^31, which is inherently weak. However, the practical implications for online brute-force attacks are limited due to additional factors. The Process ID (PID) can range between 0 and 32768, and the UserID can vary from 0 to 256, which slightly increases the complexity. The primary issue lies in the initial call to rand(), which always returns 1804289383 because it is not initialized with srand(). Since json.cgi is invoked for every request, the subsequent initialization does not take effect. This results in the seed being essentially ineffective, leaving only the PID to function as the seed. The UserID value is dependent on the user, with "admin" having a UserID of 0 and "user" having a UserID of 1. Consequently, the sessionID has an entropy of only 32768, making it highly susceptible to exploitation within a few minutes. The attached PoC code takes a list of sessionIDs and performs an online brute-force attack. A valid session needs to be active. Vulnerable / tested versions: ----------------------------- The following versions have been tested which were the latest version available at the time of the test: * 6.17.00 * 6.19.00.1 It is assumed that all previous versions <V6.21.00.2 are affected. The vendor confirmed that the products 3124.300 IoT Interface and 7030.000 CMC III Processing Unit are affected. Vendor contact timeline: ------------------------ 2024-06-21: Contacting vendor through info () rittal de; no response. 2024-07-01: Contacting vendor through LinkedIn. 2024-07-02: Received contact for embedded devices. 2024-07-03: Sent advisory to Rittal contact. 2024-07-12: Response from vendor that V6.21.00.2 with fixed vulnerabilities will be released on 2024-09-30. 2024-10-07: Reserving CVE numbers. 2024-10-08: Informing Rittal about upcoming security conference talk having Rittal as an example regarding SessionID entropy, sending CVE numbers to vendor, asking again about affected products. 2024-10-11: Vendor confirms affected products, security fixes have already been published. 2024-10-15: Coordinated release of security advisory. Solution: --------- The vendor provides a patched version V6.21.00.2 which can be downloaded from the following URL: https://www.rittal.com/de-de/products/deep/3124300 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Johannes Kruchem / @2024
Attachment:
sessionIDs.txt
Description:
Attachment:
sessionID_online_Brute_Forcer.py
Description:
Attachment:
create_signed_firmware.py
Description:
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/