Multiple Vulnerabilities in Rittal IoT Interface & CMC III Processing Unit

Title

Multiple Vulnerabilities

Product

Rittal IoT Interface & CMC III Processing Unit

Vulnerable Version

<6.21.00.2

Fixed Version

6.21.00.2

CVE Number

CVE-2024-47943, CVE-2024-47944, CVE-2024-47945

Impact

critical

Found

03.06.2024

By

Johannes Kruchem (Office Vienna) | SEC Consult Vulnerability Lab

Multiple security vulnerabilities have been identified in the Rittal IoT Interface and the CMC III Processing Unit, which could allow attackers to compromise the system and gain unauthorized access. These included improper verification of firmware updates, the lack of protection mechanisms for hardware interfaces, and predictable session ID generation. Together, these flaws enabled authenticated remote code execution or physical unauthenticated code execution, session hijacking, and unauthorized access, putting the system at risk of being controlled by malicious actors.

Vendor description

"Innovative strength has been woven into the Rittal DNA since its foundation. In 1961, Rudolf Loh Elektrogerätebau was founded in Rittershausen by the entrepreneur Rudolf Loh, with one simple guiding principle:  'Enclosures off the shelf, immediately.' In its founding year it launched the world's first standard enclosure on the market. In 1969, the company was renamed Rittal, in honour of its roots in Rittershausen in Dietzhölztal. Within just a few years, Rittal enclosures had become established as a global standard, and have remained so to this day."

Source: www.rittal.com/com-en/Company


Business recommendation

The vendor provides a patch which should be installed immediately on the affected devices.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

 

Vulnerability overview/description

1) Improper signature verification of firmware upgrade files (CVE-2024-47943)

The firmware upgrade function in the admin web interface checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download. This allows crafting malicious "signed" .patch files in order to compromise the device and execute arbitrary code.


2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)

The device directly executes .patch files on a USB stick without any authentication. This leads to an unauthenticated code execution in combination with 1).


3) Predictable Session ID (CVE-2024-47945)

The device is vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed.


Proof of concept

1) Improper signature verification of firmware upgrade files (CVE-2024-47943)

To create a firmware or patch file passing the signature verification the following steps are necessary:

  • Store SHA512sum of all files of the fake firmware (needs run.sh) in file "rittal"
  • Append hardcoded key "8ab4ce0f72bce9b3837281b7928732c5abfc43103a681214942dec2cc91f236ce8e9263f5778cc6db253ade368b0db4a9ff2adb9cc9f76c5114fe3ffcaf38bba" to the file
  • Store SHA512sum of the file "rittal" in rittal.sig (delete "rittal" file if in directory)
  • Create .tar of fake firmware files (e.g. run.sh & rittal.sig)
  • Rename to <name>.patch
  • Apply firmware upgrade (needs admin session in web interface)
  • Profit

The attached PoC code creates a new valid .patch file which will be executed with root privileges when the firmware upgrade will be applied.


2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)

This PoC describes the exploit from 1) without authentication but physical access. For exploitation a signed (see 1)) firmware or .patch file is needed. A script checks for new content of plugged-in USB sticks or SD cards. If there is a .patch file available, the signature verification process will be triggered.

The attached PoC code can also be used to generate signed firmware files.


3) Predictable Session ID (CVE-2024-47945)

The following function generates the sessionID for the web interface. The code is part of the json.cgi script, which is invoked by the Lighttpd web server:

  generate_sessionID(int a1, int UserID)
  {
    int pid; // r5
    int seed; // r0  

    pid = getpid();
    seed = rand();
    srand(pid + seed);
    return ((rand() + 123) & 0xFFFFF00F) + 16 * UserID;
  }

It has been identified that the rand() function used in the sessionID generation has a complexity of 2^31, which is inherently weak. However, the practical implications for online brute-force attacks are limited due to additional factors.

The Process ID (PID) can range between 0 and 32768, and the UserID can vary from 0 to 256, which slightly increases the complexity. The primary issue lies in the initial call to rand(), which always returns 1804289383 because it is not initialized with srand(). Since json.cgi is invoked for every request, the subsequent initialization does not take effect. This results in the seed being essentially ineffective, leaving only the PID to function as the seed.

The UserID value is dependent on the user, with "admin" having a UserID of 0 and "user" having a UserID of 1. Consequently, the sessionID has an entropy of only 32768, making it highly susceptible to exploitation within a few minutes.

The attached PoC code takes a list of sessionIDs and performs an online brute-force attack. A valid session needs to be active.


Vulnerable / tested versions

The following versions have been tested which were the latest version available at the time of the test:

  • 6.17.00
  • 6.19.00.1

It is assumed that all previous versions <V6.21.00.2 are affected.

The vendor confirmed that the products 3124.300 IoT Interface and 7030.000 CMC III Processing Unit are affected.

Vendor contact timeline

2024-06-21: Contacting vendor through info@rittal.de; no response.
2024-07-01: Contacting vendor through LinkedIn.
2024-07-02: Received contact for embedded devices.
2024-07-03: Sent advisory to Rittal contact.
2024-07-12: Response from vendor that V6.21.00.2 with fixed vulnerabilities will be released on 2024-09-30.
2024-10-07: Reserving CVE numbers.
2024-10-08: Informing Rittal about upcoming security conference talk having Rittal as an example regarding SessionID entropy, sending CVE numbers to vendor, asking again about affected products.
2024-10-11: Vendor confirms affected products, security fixes have already been published.
2024-10-15: Coordinated release of security advisory.

Solution

The vendor provides a patched version V6.21.00.2 which can be downloaded from the following URL:
www.rittal.com/de-de/products/deep/3124300

 

Workaround

None


Advisory URL

sec-consult.com/vulnerability-lab/

 

EOF Johannes Kruchem / @2024

 

Interested to work with the experts of SEC Consult? Send us your application
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices