
CVE Advisory - Partial Disclosure Zumtobel Multiple Vulnerabilities

Introduction

The vulnerabilities were found during a security assessment of the Netlink CCD, Onboard version 3.74 and Firmware version 3.80.
The Netlink CCD is an IoT control device with 3 DALI-compliant outputs and one LM-Bus interface for open-loop control of a maximum of 250 luminaires and motors. It can be operated locally or through an external litenet server.

Vulnerabilities - CVE-2023-23325 - Command Injection - CWE-78

CVE-2023-23325 - Command Injection - CWE-78

PRODUCT LINE / VERSION: Netlink CCD Onboard 3.74; Firmware 3.80
SCORE / IMPACT: 9.8 High
OWASP CATEGORY: A03 - Injection
OWASP CONTROL: WSTG-INPV-11, WSTG-INPV-12
AFFECTED ENDPOINT - AFFECTED PARAMETER: omitted
PREREQUISITES: No special configuration is required to reproduce the issue
CVSS VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

During the reverse engineering activity, a vulnerability was detected in the way the NetHostname parameter is processed: the parameter is not sanitised and is therefore injectable.
To reach this parameter and attempt the injection, it was also necessary to include the DNS server parameters (NetLookupX) in the request, which are not present in the 'Network' screen. Once these had been entered with correct data (IPs are correctly sanitised), it was possible to add the NetHostname parameter to the request, in effect asking the system for a hostname change.
This user-supplied parameter is concatenated to a hardcoded string (/bin/hostname_str), and the resulting string is passed to a system(*) call that executes it as a command on the underlying system.
An attacker can exploit this to achieve arbitrary command execution on the underlying OS simply by appending the ; character followed by a new command (assuming Linux as the underlying system).

OWASP Category

A03 – Injection – OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server running an application, and typically to fully compromise the application and all its data.
It occurs when the contents of a user-supplied parameter are used to execute commands on the OS, mostly through native programming language functions. This type of attack is possible when web application code uses user input in calls to the OS without first sanitising it.

Mitigation

The most effective way to prevent command injection attacks is to avoid executing commands on the host operating system from the web application at all. Where that is unavoidable, validate user input with routines that rely on established libraries.
Some examples of effective validation include:

  • Validation against a whitelist of allowed values;
  • Validation that the input is a number;
  • Validation that the input contains only alphanumeric characters, with no other syntax or whitespace.

As a temporary workaround, it is recommended to allow web access to Netlink devices only from authorised IPs. It is also advisable to enable web authentication and change the password of the 'Service' user, although this countermeasure is weakened by the hard-coded passwords in the firmware.
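An added example (not code from the Zumtobel firmware or from the Yoroi report) of the allow-list validation recommended above, applied to the hostname case: the value is checked against RFC 1123 label rules and then passed to sethostname(2) together with its length, so no shell ever parses it. The function names and the 63-character limit are assumptions chosen for the example.

```c
/* Added example, not firmware code: validate a requested hostname and
 * apply it without building a command string for system(). */
#define _DEFAULT_SOURCE 1
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
/* glibc prototype, repeated here in case strict feature macros hide it */
extern int sethostname(const char *name, size_t len);
#endif

#define HOSTNAME_MAX_LEN 63  /* RFC 1123 single-label limit (assumption) */

/* Allow-list check: only letters, digits and '-' are accepted, the label
 * may not start or end with '-', and it must be 1..63 characters long.
 * Shell metacharacters such as ';', '|', '`' and whitespace are rejected
 * before the value gets anywhere near the OS. Returns 1 if valid, else 0. */
int is_valid_hostname(const char *name)
{
    size_t n;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > HOSTNAME_MAX_LEN)
        return 0;
    if (name[0] == '-' || name[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-')
            return 0;
    }
    return 1;
}

/* Returns 0 on success, -1 if the name is rejected or the syscall fails.
 * sethostname(2) takes a pointer and a length, so there is no command
 * line for an attacker to extend; the kernel only stores the bytes. */
int set_hostname_safely(const char *name)
{
    if (!is_valid_hostname(name)) {
        errno = EINVAL;
        return -1;
    }
    return sethostname(name, strlen(name)) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <hostname>\n", argv[0]);
        return 2;
    }
    if (set_hostname_safely(argv[1]) != 0) {
        perror("set_hostname_safely");  /* EINVAL for rejected input, EPERM without CAP_SYS_ADMIN */
        return 1;
    }
    puts("hostname updated");
    return 0;
}
```

If an external binary must still be invoked, the same validated value should be passed as a separate argv element to execv(), never through system() or popen(), which hand the whole string to /bin/sh.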

Vulnerabilities – CVE-2023-23324 - Hardcoded credentials in source code – CWE-259

CVE-2023-23324 - Hardcoded credentials in source code - CWE-259

PRODUCT LINE / VERSION: Netlink CCD Onboard 3.74; Firmware 3.80
SCORE / IMPACT: 9.8 High
OWASP CATEGORY: A07 - Identification and Authentication Failures
OWASP CONTROL: -
AFFECTED ENDPOINT - AFFECTED PARAMETER: omitted
PREREQUISITES: No special configuration is required to reproduce the issue
CVSS VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Two hardcoded credentials (base64-encoded, thus trivially reversible) were detected in NetlinkWeb::TNetlinkSite::TNetlinkSite during the firmware reverse engineering activity. These credentials belong to the following user accounts:

  • Service
  • Administrator

The Service utility is disabled by default and allows the user to enable authentication using HTTP Basic Auth: by setting the "Activate password protection" and "Protect status page as well" flags, the web browser will prompt for authentication on the requested pages.
The Service user has a hardcoded default password that can, however, be changed, which partially mitigates the issue.
The hardcoded credentials of the Administrator user, on the other hand, cannot be changed; this considerably increases the impact of the issue, given that the Administrator user has maximum privileges.
For example, an attacker could use the hardcoded Administrator credentials to access the web interface and then exploit the command injection vulnerability documented above to achieve arbitrary command execution as root on the device.

OWASP Category

A07 – Identification and Authentication Failures – The use of hardcoded credentials (hardwired into the system) puts the system under analysis at risk, as it allows a potential attacker to bypass the intended authentication mechanisms.
In general terms, there are two variants:

  • Inbound: the application uses an authentication mechanism that verifies the credentials provided against a set of hard-coded credentials
  • Outbound: the application connects to another system or component and uses hardcoded credentials to authenticate itself

This issue can expose resources or functionality to external agents, ranging from sensitive data to the execution of arbitrary code.

Mitigation

Mitigation for this type of vulnerability consists of removing password references from the code and moving secret storage outside the application, into appropriately protected containers that hold a robust password hash rather than the password itself. Credentials stored this way cannot be recovered through static analysis of the binary, which makes an attacker's job considerably harder.

Vulnerabilities – CVE-2023-24294 – Buffer Overflow – CWE-121

CVE-2023-24294 - Buffer Overflow - CWE-121

PRODUCT LINE / VERSION: Netlink CCD Onboard 3.74; Firmware 3.80
SCORE / IMPACT: 7.5 High
OWASP CATEGORY: OV - Other Vulnerabilities
OWASP CONTROL: WSTG-INPV-13
AFFECTED ENDPOINT - AFFECTED PARAMETER: omitted
PREREQUISITES: No special configuration is required to reproduce the issue
CVSS VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

During the analysis, an incorrect memory management issue involving the unsafe function strcpy was detected in NetlinkWeb::Information::SetDeviceIdentification, in the handling of the "location" parameter (locationTextBox variable). The same issue affects the "name" parameter (HTTP variable nameTextBox).
Specifically, the user-supplied location parameter is copied into a local variable of predetermined size without any check on the number of characters copied. This makes it possible to send a string longer than the allotted buffer, causing the httpserv application to crash.
An attacker with access to the web interface can therefore cause an application Denial of Service that can only be resolved by a system reboot. It is worth noting that the light management part does not appear to be affected by this type of attack, as it is handled by a different process (litenetgcd).
Beyond Denial of Service, it is possible to take control of the processor's pc register, setting the stage for exploiting the buffer overflow to execute remote code on the device. This is possible, despite the NX and ASLR protections present in the executable and the system, by means of appropriate ROP chains that reuse code already present in the executable and its associated libraries. This type of exploitation was not fully investigated due to time constraints.
Finally, strcpy and other unsafe functions are used in multiple other places in the code that were not investigated due to time constraints.

OWASP Category

OV – Other Vulnerabilities: A buffer is a portion of memory used by a running program to hold temporary data.
A buffer overflow vulnerability occurs when the length of the data entered exceeds the buffer limit, so that data is written outside the allocated memory area, potentially overwriting data needed by the program and causing it to crash.

An attacker can exploit this type of issue to control the execution flow of the program, either by inserting new, potentially malicious instructions or by exposing technical information useful for other attacks.
C and C++ are two programming languages prone to buffer overflows, since memory management is entirely up to the programmer, who, by not taking proper precautions around memory access, can make the program vulnerable.

Mitigation

It is recommended to review the entire source code and replace unsafe functions such as strcpy, strcat and printf/sprintf with their safe counterparts (e.g. strcpy_s instead of strcpy).
Several further countermeasures apply, such as:

  • PIE: Position Independent Executables (PIE) are the output of hardened build processes. A binary compiled with PIE has both its code and all its dependencies loaded at random memory locations computed dynamically when the application starts. Without PIE, ASLR randomises the libraries and stack but leaves the main executable at a fixed address, so its code remains a reliable source of ROP gadgets; enabling PIE removes that fixed anchor and makes ROP-type attacks considerably more complex.
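As an added illustration (not code from the Zumtobel firmware or from the Yoroi report), the strcpy pattern described above is shown next to a bounded setter that rejects over-length input instead of writing past the buffer. The struct, field names and buffer sizes are assumptions. strcpy_s is an optional C11 Annex K interface that glibc does not provide, so on embedded Linux the portable equivalent is an explicit length check before a bounded copy:

```c
/* Added example, not firmware code: unbounded strcpy() next to a
 * length-checked setter for the "location" and "name" fields. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define LOCATION_LEN 32   /* assumed buffer size, not taken from the firmware */
#define NAME_LEN     32

struct device_identification {
    char location[LOCATION_LEN];
    char name[NAME_LEN];
};

/* The vulnerable shape: the destination size is never consulted, so any
 * request longer than LOCATION_LEN - 1 bytes overwrites whatever follows
 * the buffer. Kept only for comparison; never called. */
void set_location_unsafe(struct device_identification *d, const char *input)
{
    strcpy(d->location, input);
}

/* Hardened form: measure first (without scanning past dst_len bytes),
 * refuse anything that does not fit together with its terminating NUL,
 * then copy with an explicit bound. Returns 0 on success, -1 on reject,
 * and leaves dst untouched when rejecting. */
static int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strnlen(src, dst_len);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int set_location(struct device_identification *d, const char *input)
{
    return copy_bounded(d->location, sizeof d->location, input);
}

int set_name(struct device_identification *d, const char *input)
{
    return copy_bounded(d->name, sizeof d->name, input);
}

/* Shared instance so the stand-alone main and external checks operate on
 * the same object. */
struct device_identification g_dev;

/* Exercises the setters with a constructed 127-byte input; returns 1 if
 * short values are stored, the long one is rejected and the previous
 * value survives the rejection. */
int self_check(void)
{
    struct device_identification dev = {{0}, {0}};
    char big[128];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (set_name(&dev, "CCD-Floor2") != 0) return 0;
    if (strcmp(dev.name, "CCD-Floor2") != 0) return 0;
    if (set_location(&dev, "Building A") != 0) return 0;
    if (set_location(&dev, big) != -1) return 0;
    if (strcmp(dev.location, "Building A") != 0) return 0;
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Compile with -fPIE -pie -fstack-protector-strong and, with optimisation enabled, -D_FORTIFY_SOURCE=2 (GCC and Clang) to pair the source fix with the PIE and stack-protection countermeasures listed above; _FORTIFY_SOURCE also turns any remaining strcpy calls whose destination size is known at compile time into checked variants that abort instead of overflowing.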

Timeline

  • October 2022: Discovered by Marco Prati of Yoroi
  • October 20, 2022: Reported to Zumtobel R&D department
  • December 05, 2022: Vulnerabilities confirmed by vendor
  • January 19, 2023: CVE request submitted to MITRE
  • March 21, 2023: Coordinated disclosure

