Security
Headlines
HeadlinesLatestCVEs

Headline

DiCal-RED 4009 Log Disclosure

DiCal-RED version 4009 is vulnerable to unauthorized log access and other files on the device’s file system due to improper authentication checks.

Packet Storm
#vulnerability#web#mac#linux#auth#sap#wifi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-040
Product: DiCal-RED
Manufacturer: Swissphone Wireless AG
Affected Version(s): Unknown
Tested Version(s): 4009
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2024-04-16
Solution Date: None
Public Disclosure: 2024-08-20
CVE Reference: CVE-2024-36444
Author of Advisory: Sebastian Hamann, SySS GmbH


Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to improper authentication checks, the device is vulnerable to  
unauthorized access to logs and other files on the device's file system.

Vulnerability Details:

The device allows viewing log files via the administrative web interface.
This function does not require an authenticated session.


Proof of Concept (PoC):

As other parts of the administrative web interface do require authentication,  
a simple proof of concept is to log in to the web interface and navigate to  
the function to view log files.  
Log file contents are returned by a URL similar to  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}

Using a local proxy to remove the QSESSIONID cookie from this request shows  
that the content is also returned when not sending any session information.

Solution:

The manufacturer recommends not running the device in an untrusted network.


Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

References:

[1] Product website for DiCal-RED
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-040
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy


Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

Disclaimer:

The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.


Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/  
oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0  
06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw  
MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts  
N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA  
EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I  
6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k  
ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP  
CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS  
c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X  
jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM=  
=Iaf1  
-----END PGP SIGNATURE-----

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution