0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Teltonika RUT9XX Missing Access Control To UART Root Terminal Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Teltonika RUT9XX Missing Access Control to UART Root Terminal # Link: https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control ## Vulnerability Overview ## Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges. * **Identifier** : SBA-ADV-20180319-02 * **Type of Vulnerability** : Incorrect Access Control * **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/) * **Vendor** : [Teltonika](https://teltonika.lt/) * **Affected Versions** : Firmware RUT9XX_R_00.04.199 and probably prior, newer firmware versions if settings were not cleared * **Fixed in Version** : RUT9XX_R_00.04.233 * **CVE ID** : CVE-2018-17534 * **CVSSv3 Vector** : CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * **CVSSv3 Base Score** : 6.8 (Medium) ## Vendor Description ## > RUT955 is a highly reliable and secure LTE router with I/O, GNSS and > RS232/RS485 for professional applications. Router delivers high > performance, mission-critical cellular communication and GPS location > capabilities. Source: <https://teltonika.lt/product/rut955/> ## Impact ## An attacker with physical access can fully compromise the device, by exploiting the vulnerabilities documented in this advisory. Sensitive data stored or transmitted via the device might get exposed through this attack. We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which includes fixes for the vulnerability described in this advisory. It is important to clear all settings during upgrade, for example, by disabling the "Keep all settings" checkbox while upgrading via the webinterface. Otherwise, newer firmware versions remain vulnerable. ## Vulnerability Description ## RUT9XX routers provide a UART/serial interface on two pins of an internal card-edge connector. * RX: Pin 1 - Rectangle-like pin on the top-side (CPU side) * TX: Pin 8 - Rectangle-like pin on the bottom-side The UART interface uses TTL-level and a baud rate of 115200. It provides log output and a root terminal without proper access control. ## Proof-of-Concept ## Our test device with firmware RUT9XX_R_00.04.172 provided the following log output during boot and after hitting the ENTER key: ```text *************************************** * U-Boot 3.0.1 2017-02-15 * *************************************** BOARD: Teltonika RUT9XX RAM: 128 MB DDR2 32-bit CL3-4-4-10 FLASH: 16 MB Winbond W25Q128 CLOCKS: CPU/RAM/AHB/SPI/REF 550/400/200/ 25/ 40 MHz Hit any key to stop booting: 0 Booting image from 0x9F040000... Vendor/image name: Teltonika RUT9xx Hardware ID: 0x35000001 Whole image size: 15.5 MB (16252928 bytes) Kernel size: 1.1 MB (1191732 bytes) Rootfs size: 9.7 MB (10170504 bytes) Kernel load address: 0x80060000 Kernel entry point: 0x80060000 Header CRC... skipped Data CRC... skipped Stopping network... OK! Uncompressing Kernel... OK! Starting kernel... [ 0.000000] Linux version 3.18.44 (simonas@Teltonika-I3) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r40569) ) #1 Tue Apr 10 15:23:49 EEST 2018 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU0 revision is: 0001974c (MIPS 74Kc) [ 0.000000] SoC: Atheros AR9344 rev 3 [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) procd: Console is alive procd: - watchdog - procd: - preinit - procd: - early - procd: - watchdog - procd: - ubus - procd: - init - Please press Enter to activate this console. [ 20.140000] usb 1-1.3: new high-speed USB device number 4 using ehci-platform [ 20.280000] option 1-1.3:1.0: GSM modem (1-port) converter detected [ 20.280000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB1 [ 20.290000] option 1-1.3:1.1: GSM modem (1-port) converter detected [ 20.300000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB2 [ 20.310000] option 1-1.3:1.2: GSM modem (1-port) converter detected [ 20.310000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB3 [ 20.320000] option 1-1.3:1.3: GSM modem (1-port) converter detected [ 20.330000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB4 [ 20.360000] qmi_wwan 1-1.3:1.4: cdc-wdm0: USB WDM device [ 20.360000] qmi_wwan 1-1.3:1.4: Quectel EC21&EC25&EC20 R2.0 work on RawIP mode [ 20.370000] qmi_wwan 1-1.3:1.4 wwan0: register 'qmi_wwan' at usb-ehci-platform-1.3, WWAN/QMI device, xx:xx:xx:xx:xx:xx [ 22.280000] jffs2: notice: (1498) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found. [ 26.220000] device eth0 entered promiscuous mode [ 28.520000] eth0: link up (1000Mbps/Full duplex) [ 28.520000] br-lan: port 1(eth0) entered forwarding state [ 28.530000] br-lan: port 1(eth0) entered forwarding state [ 30.530000] br-lan: port 1(eth0) entered forwarding state [ 33.220000] Ports leds ON procd: - init complete - BusyBox v1.24.2 () built-in shell (ash) ____ _ ___ ____ _(_)_ | _ \ _ _| |_ / _ \/ ___| (_)@(_) | |_) | | | | __| | | \___ \ /(_) | _ <| |_| | |_| |_| |___) | \|/ |_| \_\\__,_|\__|\___/|____/ \|/ Teltonika RUT9XX 2014 - 2018 root@router:/# id uid=0(root) gid=0(root) root@router:/# ``` ## Timeline ## * `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84 * `2018-04-10` re-test of version RUT9XX_R_00.04.161 * `2018-04-16` re-test of version RUT9XX_R_00.04.172 * `2018-04-16` initial vendor contact through public address * `2018-04-18` vendor response with security contact * `2018-04-19` disclosed vulnerability to vendor security contact * `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233 * `2018-07-09` notify vendor about incomplete fix * `2018-07-25` notify vendor about incomplete fix * `2018-09-25` request CVE from MITRE * `2018-09-26` MITRE assigned CVE-2018-17534 * `2018-09-26` notify vendor about incomplete fix * `2018-10-03` vendor stated that clearing of settings is required * `2018-10-10` re-test of version RUT9XX_R_00.04.233 * `2018-10-11` public disclosure ## References ## * Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware> ## Credits ## * David Gnedt ([SBA Research](https://www.sba-research.org/)) # 0day.today [2024-11-16] #