Headline
Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor
Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.
SEC Consult Vulnerability Lab Security Advisory < 20220615-0 >
title: Hardcoded Backdoor User and Outdated Software Components
product: Nexans FTTO GigaSwitch industrial/office switches HW version 5
vulnerable version: See “Vulnerable / tested versions”
fixed version: V6.02N, V7.02
CVE number: CVE-2022-32985
impact: High
homepage: https://www.nexans.com/
found: 2020-05-25
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
“As a global player in the cable industry, Nexans is behind the scenes
delivering the innovative services and resilient products that carry thousands
of watts of energy and terabytes of data per second around the world. Millions
of homes, cities, businesses are powered every day by Nexans’ high-quality
sustainable cabling solutions. We help our customers meet the challenges they
face in the fields of energy infrastructure, energy resources, transport,
buildings, telecom and data, providing them with solutions and services for the
most complex cable applications in the most demanding environments.”
Source: https://www.nexans.com/company/What-we-do.html
Business recommendation:
The vendor provides a patch which should be installed immediately.
SEC Consult recommends to perform a thorough security review of these
products conducted by security professionals to identify and resolve all
security issues.
Vulnerability overview/description:
Outdated Vulnerable Software Components
A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that
are used in the devices’ firmware. Four of them were verified by using the
MEDUSA scalable firmware runtime.Hardcoded Backdoor User (CVE-2022-32985)
A hardcoded root user was found in "/etc/passwd". In combination with the
invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port
50201 and 50200 to login on a system shell.
Proof of concept:
- Outdated Vulnerable Software Components
Based on an automated scan with the IoT Inspector (ONEKEY) the following third party
software packages were found to be outdated:
Firmware version 6.02L:
BusyBox 1.20.2
Dropbear SSH 2012.55
GNU glibc 2.17
lighttpd 1.4.48
OpenSSL 1.0.2h
The following CVEs were verified with MEDUSA scalable firmware emulation:
- CVE-2015-9261 (Unzip)
The crafted ZIP archive “x_6170921383890712452.bin” was taken from:
https://www.openwall.com/lists/oss-security/2015/10/25/3
Execution inside the firmware emulation:
bash-4.2# unzip x_6170921383890712452.bin
Archive: x_6170921383890712452.bin
inflating: ]3j½r«IK-%Ix
do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
epc = 0044bb28 in busybox[400000+99000]
ra = 0044b968 in busybox[400000+99000]
Segmentation fault
- CVE-2015-0235 (gethostbyname “GHOST” buffer overflow)
PoC code was taken from:
https://gist.github.com/dweinstein/66e6a088191ac0e8105c
- CVE-2015-7547 (getaddrinfo buffer overflow)
PoC code was taken from:
https://github.com/fjserna/CVE-2015-7547
-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
[1] 259
-bash-4.4# chroot /medusa_rootfs/ bin/bash
bash-4.2# cd /medusa_exploits/
bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
Connected with 127.0.0.1:34356
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
[TCP] Request2 len recv 36
Segmentation fault
- CVE-2017-16544 (shell autocompletion vulnerability)
A file with the name “\ectest\n\e]55;test.txt\a” was created to trigger the
vulnerability.
ls “pressing <TAB>”
test
]55;test.txt
- Hardcoded Backdoor User (CVE-2022-32985)
The hardcoded system user, reachable via the dropbear SSH daemon was found due
to multiple indications on the system. The undocumented root user itself was
contained in the “passwd” file:
Content of the file "/etc/passwd".
root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
[…]
A suspicious port for the SSH daemon was chosen in the config file of dropbear:
Content of the file "/etc/init.d/dropbear":
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/dropbear
NAME=dropbear
DESC="Dropbear SSH server"
PIDFILE=/var/run/dropbear.pid
DROPBEAR_PORT="50200 -p 50201"
[…]
This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the
following pseudo-code:
void dropbear_server_init(char param_1)
{
__pid_t __pid;
char *pcVar1;
int aiStack16 [2];
__pid = fork();
if (__pid == 0) {
__pid = fork();
if (__pid != 0) {
/* WARNING: Subroutine does not return */
exit(0);
}
if (param_1 == ‘\0’) {
pcVar1 = "/etc/init.d/dropbear stop";
}
else {
pcVar1 = "/etc/init.d/dropbear start"; <—
}
execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
}
else {
waitpid(__pid,aiStack16,0);
}
return;
}
This function is called if a specific command is issued in the CLI interface:
[…]
iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
if (iVar6 != 0) {
if (param_2 < 4) {
netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
iVar6 = shared_mem_get_addr(&var_shm);
iVar7 = shared_mem_get_addr(&var_shm);
uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
return;
}
iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
if (iVar6 != 0) {
dropbear_server_init(‘\x01’); <—
netbuf_fwd_sprintf(param_1,"Starting dropbear…\r\n");
return;
}
iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
if (iVar6 != 0) {
dropbear_server_init(‘\0’); <—
netbuf_fwd_sprintf(param_1,"Stopping dropbear…\r\n");
return;
}
netbuf_fwd_sprintf(param_1,"Uknown dropbear command…\r\n");
return;
[…]
The mentioned library is used in the CLI program that is running on the device.
Vulnerable / tested versions:
The following firmware versions have been tested:
- Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
- Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M
Vendor contact timeline:
2020-05-28: Contacting the vendor’s PSIRT under the following link:
http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail
No answer.
2020-06-08: Contacting vendor again via [email protected]. Extended
deadline by 11 days.
2020-06-16: Telephone call with Nexans representative. Security advisory was
received. It will be reviewed to confirm the found issues.
2020-06-26: Telephone call with Nexans representative. Nexans is working on the
reported issues and will remove the dropbear daemon as first
measure.
2020-08-04: Vendor stated that a fix for the outdated software components will
be available in November.
2020-11-12: Asked for status update.
2020-11-16: Contact stated, that firmware test will need more time. Updates are
estimated to be ready in Q1 of 2020.
2020-11-20: Vendor confirmed Q1 as estimated disclosure date.
2021-01-21: Asked for status update; Vendor stated that the release with all
fixes is aimed to be published end of Q1.
2021-03-09: Asked for status update.
2021-03-17: Vendor stated that the firmware is in testing stage. The fixed
firmware will be released in May.
2021-06-10: Asked for status update.
2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and
homeschooling. The fixed firmware will be released end of August.
2021-08-31: Asked for status update.
2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.
2022-05-23: Informed vendor that the advisory will be released mid of June 2022.
2022-05-24: Firmware V7.02 is available for download which fixes most outdated
components issues.
2022-06-15: Release of security advisory.
Solution:
The vendor provides an updated firmware here:
https://www.nexans-ans.de/support/firmware/
Firmware version V6.02N has the backdoor removed and was already published a while ago.
Version V7.02 also has the backdoor removed and most of the outdated software issues.
Workaround:
None
Advisory URL:
https://sec-consult.com/vulnerability-lab/
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2022
Related news
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.