CVE-2023-25369: CVE/CVE-2023-25369.md at main · BretMcDanel/CVE

Description

Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Denial of Service on the user interface triggered by malformed SCPI command.

Discovery Information

Date: December 2022
Discoverer: Bret McDanel

Versions

At least SDS1xx4X-E_V6.1.37R9.ADS, and possibly earlier. Reportedly fixed May 2023. It is unknown if other devices have a similar flaw as they were unavailable to the researcher at the time research was performed.

Background

The SIGLENT SDS1000X-E is a two and four channel oscilloscope. Controlling the various features is an embedded system running Linux. The oscilloscope has an ethernet port and optional USB wifi.

Standard Commands for Programmable Instruments (SCPI) is a standard for syntax and commands to use in controlling programmable test and measurement devices. – Source Wikipedia

References

https://siglent.com
https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments

Vulnerability****CWE 284: Improper Access Control****Affected Ports

• SCPI Ports: 5024 (tcp), 5025 (tcp)
• Web Port: 80 (tcp)

Discussion

The SCPI processes bind to two different network ports, 5024 and 5025. Neither require authentication. A malformed SCPI command can be sent that causes the main process to crash. When this occurs the web interface, physical buttons, and physical display cease functioning.

Proof of Concept

nc 192.168.1.42 5025 <<< "SYST:COMM:LAN:IPAD 192.168.1.42;whoami;\n"

Mitigation

It is advised to upgrade to the current version of firmware. Further, IoT devices, such as oscilloscopes, should be placed on a segregated network and access to the affected ports be blocked from untrusted hosts.