Multiple vulnerabilities in Digitalstrom Konfigurator

SEC Consult Vulnerability Lab Security Advisory < publishing date 20160422-1 >

=======================================================================

title: Multiple vulnerabilities in Digitalstrom Konfigurator

product: Digitalstrom Konfigurator

vulnerable version: 1.10.0

fixed version: 1.10.4

CVE number: -

impact: High

homepage: www.digitalstrom.com

found: 2015-10-01

by: W. Schober (Office Vienna)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"Digitalstrom is designed to systematically network all the electrical devices

in your home. The control of light ambiances, security technology and

household devices is just the start. You can simply download these new

functions to your Digitalstrom server; they will install themselves

automatically. And tomorrow has already become today."

 

Source: www.digitalstrom.com/en/idea/Good-morning/

 

 

Business recommendation:

------------------------

SEC Consult recommends every user to sign out immediately after configuring

the Digitalstrom installation in the Digitalstrom Konfigurator. This should

prevent cross-site request forgery attacks. Furthermore every user should be

aware that an attack could occure everytime when he clicks on an unknown link.

 

However, SEC Consult recommends the vendor to conduct a comprehensive security

analysis, based on security source code reviews, in order to identify all

available vulnerabilities in the Digitalstrom Konfigurator and increase the

security of its customers.

 

 

Vulnerability overview/description:

-----------------------------------

 

1) Multiple Persistent Cross-Site Scripting

Digitalstrom Konfigurator suffers from multiple cross-site scripting

vulnerabilities, which allow stealing session tokens and impersonation of

other users in order to gain unauthorized access to the web interface.

Furthermore it is possible to alter the contents of the interface in the

context of the current user.

 

 

2) Cross-Site Request Forgery

Digitalstrom Konfigurator doesn't implement any kind of cross-site request

forgery protection. Due to that, attackers are able to execute arbitrary

requests with the privileges of any user. The only requirement is, that a

victim visits a malicious webpage. For example, an administrator can be

forced to execute unwanted actions. Some of these actions are:

 

-) Change network configuration

-) Enable SSH service

-) Turn various devices on and off

 

 

Proof of concept:

-----------------

Has been removed due to the request from the vendor.

 

 

Vulnerable / tested versions:

-----------------------------

Digitalstrom Konfigurator 1.10.0

 

 

Vendor contact timeline:

------------------------

2015-11-09: Transmission of advisory via email

2015-12-02: As requested by Digitalstrom: New PoC for XSS

2016-01-31: Vendor released updated version 1.10.4

2016-04-22: Public advisory release

 

 

Solution:

---------

Upgrade to version 1.10.4.

The effectiveness of the vendor's update was not verified by the SEC Consult

Vulnerability Lab.

 

 

Workaround:

-----------

no workaround available

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF W. Schober / @2015