Headline
CVE-2023-25369: CVE/CVE-2023-25369.md at main · BretMcDanel/CVE
Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Denial of Service on the user interface triggered by malformed SCPI command.
Description
Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Denial of Service on the user interface triggered by malformed SCPI command.
Discovery Information
Date: December 2022
Discoverer: Bret McDanel
Versions
At least SDS1xx4X-E_V6.1.37R9.ADS, and possibly earlier. Reportedly fixed May 2023. It is unknown whether other devices share this flaw, as they were unavailable to the researcher when the research was performed.
Background
The SIGLENT SDS1000X-E is a two- and four-channel oscilloscope. Its features are controlled by an embedded system running Linux. The oscilloscope has an Ethernet port and optional USB Wi-Fi.
Standard Commands for Programmable Instruments (SCPI) is a standard for syntax and commands to use in controlling programmable test and measurement devices. – Source Wikipedia
References
https://siglent.com
https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments
Vulnerability
CWE 284: Improper Access Control
Affected Ports
- SCPI Ports: 5024 (tcp), 5025 (tcp)
- Web Port: 80 (tcp)
Discussion
The SCPI processes bind to two different network ports, 5024 and 5025. Neither requires authentication. A malformed SCPI command can be sent that causes the main process to crash. When this occurs, the web interface, physical buttons, and physical display cease functioning.
Proof of Concept
nc 192.168.1.42 5025 <<< "SYST:COMM:LAN:IPAD 192.168.1.42;whoami;\n"
Mitigation
It is advised to upgrade to the current version of the firmware. Further, IoT devices such as oscilloscopes should be placed on a segregated network, and access to the affected ports should be blocked from untrusted hosts.
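The mitigation above is purely network-level. As an added example that is not part of this advisory, the following Python validator shows how a controller or gateway sitting in front of the instrument could refuse to forward SCPI program messages that are not well-formed, or whose headers (after resolving SCPI's tree-relative header rule across `;`) are not on a per-deployment allowlist. The allowlist contents, function names and sample messages are assumptions constructed for this example.

```python
import re

# Constructed allowlist for a hypothetical deployment: the absolute SCPI
# headers the gateway will forward. Compared case-insensitively.
ALLOWED_HEADERS = {
    "*IDN?",                 # IEEE 488.2 identification query
    "SYST:COMM:LAN:IPAD",    # command used in the advisory's proof of concept
    "SYST:COMM:LAN:IPAD?",
}

# Header: either a '*' common command or a colon-separated mnemonic path,
# optionally ending in '?' for a query. Parameters: a conservative subset
# (numbers, dotted addresses, comma-separated words); quoted strings are
# deliberately not admitted by this simple gateway.
_HEADER_RE = re.compile(r"^(\*[A-Za-z0-9]+\??|:?[A-Za-z][A-Za-z0-9]*(:[A-Za-z][A-Za-z0-9]*)*\??)$")
_PARAM_RE = re.compile(r"^[A-Za-z0-9_.+\-, ]*$")


def split_units(message):
    """Split a program message (newline-terminated) into ';'-separated units."""
    return [u.strip() for u in message.rstrip("\r\n").split(";")]


def resolve_header(header, prev_abs):
    """Apply the SCPI rule: a header after ';' that does not start with ':' or
    '*' is relative to the tree level of the previous unit's header."""
    if header.startswith(("*", ":")):
        return header.lstrip(":")
    if prev_abs is None or prev_abs.startswith("*") or ":" not in prev_abs:
        return header
    parent, _ = prev_abs.rstrip("?").rsplit(":", 1)
    return parent + ":" + header


def validate_message(message, allowed=ALLOWED_HEADERS):
    """Return (ok, reason); ok is True only if every unit is well-formed
    and its resolved header is on the allowlist."""
    allowed_upper = {h.upper() for h in allowed}
    units = split_units(message)
    if units == [""]:
        return False, "empty message"
    prev_abs = None
    for unit in units:
        if unit == "":
            return False, "empty program message unit (stray ';')"
        if any(not 0x20 <= ord(c) <= 0x7E for c in unit):
            return False, "non-printable character in unit"
        header, _, params = unit.partition(" ")
        if not _HEADER_RE.match(header):
            return False, "malformed header %r" % header
        if not _PARAM_RE.match(params):
            return False, "malformed parameters %r" % params
        abs_header = resolve_header(header, prev_abs)
        if abs_header.upper() not in allowed_upper:
            return False, "header %r not in allowlist" % abs_header
        prev_abs = abs_header
    return True, "ok"
```

Run against the advisory's proof-of-concept string, the second unit resolves to `SYST:COMM:LAN:whoami`, which is rejected before anything reaches the instrument.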