Vendor description
"Innovative strength has been woven into the Rittal DNA since its foundation. In 1961, Rudolf Loh Elektrogerätebau was founded in Rittershausen by the entrepreneur Rudolf Loh, with one simple guiding principle: 'Enclosures off the shelf, immediately.' In its founding year it launched the world's first standard enclosure on the market. In 1969, the company was renamed Rittal, in honour of its roots in Rittershausen in Dietzhölztal. Within just a few years, Rittal enclosures had become established as a global standard, and have remained so to this day."
Source: www.rittal.com/com-en/Company
Business recommendation
The vendor provides a patch which should be installed immediately on the affected devices.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.
Vulnerability overview/description
1) Improper signature verification of firmware upgrade files (CVE-2024-47943)
The firmware upgrade function in the admin web interface checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download. This allows crafting malicious "signed" .patch files in order to compromise the device and execute arbitrary code.
2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)
The device directly executes .patch files on a USB stick without any authentication. This leads to an unauthenticated code execution in combination with 1).
3) Predictable Session ID (CVE-2024-47945)
The device is vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed.
Proof of concept
1) Improper signature verification of firmware upgrade files (CVE-2024-47943)
To create a firmware or patch file passing the signature verification the following steps are necessary:
- Store SHA512sum of all files of the fake firmware (needs run.sh) in file "rittal"
- Append hardcoded key "8ab4ce0f72bce9b3837281b7928732c5abfc43103a681214942dec2cc91f236ce8e9263f5778cc6db253ade368b0db4a9ff2adb9cc9f76c5114fe3ffcaf38bba" to the file
- Store SHA512sum of the file "rittal" in rittal.sig (delete "rittal" file if in directory)
- Create .tar of fake firmware files (e.g. run.sh & rittal.sig)
- Rename to <name>.patch
- Apply firmware upgrade (needs admin session in web interface)
- Profit
The attached PoC code creates a new valid .patch file which will be executed with root privileges when the firmware upgrade will be applied.
2) Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944)
This PoC describes the exploit from 1) without authentication but physical access. For exploitation a signed (see 1)) firmware or .patch file is needed. A script checks for new content of plugged-in USB sticks or SD cards. If there is a .patch file available, the signature verification process will be triggered.
The attached PoC code can also be used to generate signed firmware files.
3) Predictable Session ID (CVE-2024-47945)
The following function generates the sessionID for the web interface. The code is part of the json.cgi script, which is invoked by the Lighttpd web server:
generate_sessionID(int a1, int UserID)
{
int pid; // r5
int seed; // r0
pid = getpid();
seed = rand();
srand(pid + seed);
return ((rand() + 123) & 0xFFFFF00F) + 16 * UserID;
}It has been identified that the rand() function used in the sessionID generation has a complexity of 2^31, which is inherently weak. However, the practical implications for online brute-force attacks are limited due to additional factors.
The Process ID (PID) can range between 0 and 32768, and the UserID can vary from 0 to 256, which slightly increases the complexity. The primary issue lies in the initial call to rand(), which always returns 1804289383 because it is not initialized with srand(). Since json.cgi is invoked for every request, the subsequent initialization does not take effect. This results in the seed being essentially ineffective, leaving only the PID to function as the seed.
The UserID value is dependent on the user, with "admin" having a UserID of 0 and "user" having a UserID of 1. Consequently, the sessionID has an entropy of only 32768, making it highly susceptible to exploitation within a few minutes.
The attached PoC code takes a list of sessionIDs and performs an online brute-force attack. A valid session needs to be active.
Vulnerable / tested versions
The following versions have been tested which were the latest version available at the time of the test:
- 6.17.00
- 6.19.00.1
It is assumed that all previous versions <V6.21.00.2 are affected.
The vendor confirmed that the products 3124.300 IoT Interface and 7030.000 CMC III Processing Unit are affected.