DiCal-RED 4009 Information Disclosure
DiCal-RED version 4009 provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes.
Advisory ID: SYSS-2024-042
Product: DiCal-RED
Manufacturer: Swissphone Wireless AG
Affected Version(s): Unknown
Tested Version(s): 4009
Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2024-04-16
Solution Date: None
Public Disclosure: 2024-08-20
CVE Reference: CVE-2024-36441
Author of Advisory: Sebastian Hamann, SySS GmbH
Overview:
DiCal-RED is a radio module for communication between emergency vehicles and
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
and runs a Linux- and BusyBox-based operating system.
The manufacturer describes the product as follows (see [1]):
"The DiCal-Red radio data module reliably guides you to your destination. This
is ensured by the linking of navigation (also for the transmission of position
data) and various radio modules."
Due to missing authentication checks, the device is vulnerable to the
disclosure of sensitive information.
Vulnerability Details:
The device provides a network server on TCP port 2101. This service does not
seem to process any input, but it regularly sends data to connected clients.
This includes operation messages when they are processed by the device.
An unauthenticated attacker can therefore gain information about current
emergency situations and possibly also emergency vehicle positions or routes.
Proof of Concept (PoC):
$ telnet <IP or hostname> 2101
[Wait ...]
Solution:
The manufacturer recommends not running the device in an untrusted network.
Disclosure Timeline:
2024-02-29: Vulnerability discovered
2024-04-16: Vulnerability reported to manufacturer
2024-05-10: Manufacturer states that the vulnerability will not be fixed
2024-05-14: Vulnerability reported to CERT-Bund
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
2024-08-20: Public disclosure of vulnerability
References:
[1] Product website for DiCal-RED
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-042
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-042.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
Credits:
This security vulnerability was found by Sebastian Hamann of SySS GmbH.
E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96
Disclaimer:
The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
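An added check for verifying the recommended network isolation, not part of the SySS advisory or of any Swissphone tooling: run it from a segment that should not reach your own DiCal-RED units and confirm that TCP port 2101 is closed or filtered. The function names, timeouts and state labels are assumptions of this example; it sends no data and only counts received bytes.

```python
import socket
import sys

DICAL_PORT = 2101  # TCP port named in the advisory


def check_exposure(host, port=DICAL_PORT, connect_timeout=3.0, listen_seconds=10.0):
    """Return the state of the port: closed, filtered, open-silent or open-pushing.

    Nothing is sent, since the advisory notes the service does not seem to
    process input. Received bytes are only counted, never stored or printed.
    """
    result = {"host": host, "port": port, "state": "filtered", "bytes": 0}
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        result["state"] = "closed"
        return result
    except OSError:
        # Timeout or unreachable: what a dropping firewall rule looks like.
        return result
    with sock:
        sock.settimeout(listen_seconds)
        try:
            result["bytes"] = len(sock.recv(4096))
        except OSError:
            pass  # no data within listen_seconds, or connection reset
    result["state"] = "open-pushing" if result["bytes"] else "open-silent"
    return result


def exposed_hosts(hosts, **kwargs):
    """Check each host in your own inventory; return those with the port open."""
    results = (check_exposure(h, **kwargs) for h in hosts)
    return [r for r in results if r["state"].startswith("open")]


if __name__ == "__main__":
    # Usage: python check_2101.py <host> [<host> ...]  (hosts you operate)
    findings = exposed_hosts(sys.argv[1:])
    for f in findings:
        print(f"{f['host']}:{f['port']} {f['state']} ({f['bytes']} bytes received)")
    sys.exit(1 if findings else 0)
```

A result of open-silent only means nothing arrived within the listening window; the port is still reachable from that segment and should be treated as exposed.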