SEC Consult Vulnerability Lab Security Advisory < 20160602-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Ubee EVW3226 Advanced wireless voice gateway
vulnerable version: Firmware EVW3226_1.0.20
fixed version: -
CVE number: -
impact: critical
homepage: http://ift.tt/1Phkpgw
found: 2016-01-09
by: Manuel Hofer (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
http://ift.tt/1mGHMNR
=======================================================================
Vendor description:
-------------------
"Ubee Interactive is on a mission. A mission that began with the development
of our industry-defining line of DOCSIS cable modems. And one that continues
with a drive toward becoming the leading business-to-business provider of
broadband connectivity products and solutions worldwide. Our current product
portfolio includes data, voice, video, mobility and portable devices."
Source: http://ift.tt/1y0ggTf
Business recommendation:
------------------------
Network security should not depend on the security of independent devices, such
as cable modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other cable modem users.
Vulnerabilities described in this security advisory might be exploited in
combination with other vulnerabilities not associated with this product (XSS in
web forums accessing the modem, malvertising, etc.).
It is highly recommended by SEC Consult not to use this device until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
It is assumed that further critical vulnerabilities exist within the firmware
of this device.
Vulnerability overview/description:
-----------------------------------
1) Missing authentication for configuration download
The admin interface does not explicitly require any authentication prior to
downloading a previously requested configuration backup file.
2) Plaintext storage of administrative password
The password for the user "admin" is stored in clear text. An attacker with
access to the configuration file or the device itself can easily obtain this
password. By exploiting issue 1) the clear text admin password can be retrieved.
3) "Encrypted" configuration backup not actually encrypted
A certain built-in CGI action [removed] asks the user to provide a password in
order to "encrypt your configuration's backup". A quick analysis of this
function has shown that the configuration backup does not actually get encrypted;
only a file "pass.txt" containing the password provided by the user, in
cleartext, is appended to the archive. Additionally, this promotes a false sense
of security: in this case, an attacker with access to the configuration file can
easily obtain the clear text password for the admin interface.
4) Authenticated arbitrary file upload leading to arbitrary command execution
By analyzing the configuration file format and further exploiting a known
vulnerability inside the BusyBox tar implementation it is possible to upload
arbitrary files to the device. This enables an attacker to execute arbitrary
system commands and gain full root access on the device.
5) Heap-based buffer overflow vulnerability in URL decoding
The function responsible for URL decoding allocates the buffer for the decoded
string based on the number of '%' characters in the request string. This leads
to a heap-based buffer overflow.
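Issue 5 describes a decoder that sizes its output buffer from the count of '%' characters rather than from the input length. The following is an added example, not the device's firmware code (whose exact sizing formula the advisory does not give): it contrasts a '%'-based sizing rule, assumed here to be 3 bytes per '%' plus a terminator, with the correct bound, and shows a decoder that writes into a caller-sized buffer and fails closed on overflow and on malformed escapes.

```c
#include <stddef.h>
#include <string.h>

/* Sizing rule modelled on issue 5: capacity derived only from the number
   of '%' characters. The firmware's exact formula is not in the advisory;
   "3 bytes per '%' plus a terminator" is an assumption for illustration. */
size_t flawed_decoded_capacity(const char *in) {
    size_t percents = 0;
    for (const char *p = in; *p; p++)
        if (*p == '%') percents++;
    return percents * 3 + 1;
}

/* Correct bound: decoding never grows the string (each "%XX" becomes one
   byte, every other byte maps 1:1), so strlen(in) + 1 always suffices. */
size_t safe_decoded_capacity(const char *in) {
    return strlen(in) + 1;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Bounds-checked decoder. Returns the decoded length, -1 if the caller's
   buffer is too small, -2 on a malformed escape such as "%4" or "%zz".
   It never writes beyond out[outcap - 1] and never reads past the NUL. */
long url_decode(const char *in, char *out, size_t outcap) {
    size_t o = 0;
    if (outcap == 0) return -1;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = in[i + 1] ? hexval((unsigned char)in[i + 1]) : -1;
            int lo = (hi >= 0 && in[i + 2]) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -2;
            c = hi * 16 + lo;
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outcap) return -1;   /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}
```

For an input with few escapes but many literal bytes, the '%'-based capacity is smaller than the decoded length, which is exactly the gap the bounds check above refuses to write into.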
Proof of concept:
-----------------
Since no public fix is available for any of the described vulnerabilities yet,
the proof of concept will not be published.
Vulnerable / tested versions:
-----------------------------
The following firmware version has been tested; it was the most recent version
at the time of discovery:
EVW3226_1.0.20
Vendor contact timeline:
------------------------
2016-01-13: Contacting CERT.at for security contact of
UPC Austria (Liberty Global)
2016-01-17: Contacting vendor Ubee Interactive through
'eusupport (at) ubeeinteractive (dot) com [email concealed]' and 'eusales (at) ubeeinteractive (dot) com [email concealed]'
requesting security contact.
2016-01-17: Disclosure of identified vulnerabilities to UPC Austria in advance.
2016-01-20: No reply from Ubee Interactive. Requesting direct contact through
UPC Austria.
2016-01-22: Received contact at Ubee Interactive. Establishing contact, again
asking for public key to send encrypted advisory.
2016-01-23: Sending unencrypted advisory to Michael Mao and Kyle Li at Ubee.
2016-02-29: Asking Ubee for status update.
2016-02-29: Ubee states vulnerabilities 1-4 are fixed; still working on 5.
Rollout to UPC customers will need more time.
2016-02-29: SEC Consult postpones release to 2016-04-04, after discussing the
issues with UPC Austria.
2016-04-04: Asking again for status of patch deployment. No answer, rescheduling.
2016-05-13: Announcing advisory release for 2016-06-02 to UPC and asking for
status of patch deployment again.
2016-05-13: UPC Austria replies. No details, status will be provided later.
2016-05-26: Asking again for status of patch deployment, reminding about release
date.
2016-05-27: UPC Austria replies. Details on status will be provided next week.
2016-05-31: Advisory coordination with UPC.
2016-06-01: Receiving statement of UPC regarding patch status.
2016-06-02: Public release of security advisory without detailed PoC as there
is no patch available.
Solution:
---------
There is no public patch available yet; it is currently in the testing phase.
Here is a statement from UPC Austria concerning this issue:
"We are in close contact with the manufacturer and are working together on a
solution to the problems caused by the factory. The update will be implemented
some time in June following successful testing. In addition, UPC is continuing
with the modem swap project. Over the past 2 years, we have already provided
more than 200,000 customers in Austria and Switzerland with a new-generation
modem free of charge." (Source: UPC from 2016-06-01)
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
http://ift.tt/1UwAo9B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application http://ift.tt/1X0nW5w
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices http://ift.tt/1UwzJF7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: http://ift.tt/1mGHMNR
Blog: http://ift.tt/1OrTVF9
Twitter: https://twitter.com/sec_consult
EOF Manuel Hofer / 2016
From SecurityFocus Vulnerabilities: http://ift.tt/1RQzekI