Twenty Year Anniversary

KATHREIN UFSconnect 916 / 906 DoS / Unauthenticated Actions

KATHREIN UFSconnect 916 / 906 DoS / Unauthenticated Actions
Posted Jul 27, 2017
Authored by T. Weber | Site sec-consult.com

KATHREIN UFSconnect 916 and 906 with firmware version 2.23 build 224 suffer from denial of service and unauthenticated access vulnerabilities.

tags | exploit, denial of service, vulnerability
MD5 | ca0531e9beaa5674b87dfd3a24c1b333

KATHREIN UFSconnect 916 / 906 DoS / Unauthenticated Actions

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170727-1 >
=======================================================================
title: Multiple vulnerabilities
product: KATHREIN - UFSconnect 916, UFSconnect 906
vulnerable version: 2.23 Build 224, 2.22 Build 349
fixed version: -
CVE number:
impact: High
homepage: https://www.kathrein.com/de/
found: 2017-03-06
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"As a globally leading specialist, Kathrein has unique know-how: our
business fields cover a wide range of communication technologies. They
produce intelligent solutions for the connected world a and clearly aim to
remain a step ahead. We think ahead to the future of communication
technology."

Source: https://www.kathrein.com/en/company/business-fields/

Business recommendation:
------------------------
The Kathrein receiver series can be controlled via its web interface. It is
intended to control this device also via internet over the Kathrein android
or iOS App. Missing authentication enables an attacker to control all Kathrein
UFS receivers over the web interface via port 9000/TCP. Actions like switch
channel, power off or increase/decrease volume are only few examples. An
attacker can also stream channels via port 49152/TCP or a dynamic defined UDP
port which depends on the content of the downloaded 'T*.asx' file.

SEC Consult recommends not to forward any port of this device to the internet
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.

Upgrade to newer hardware is recommended since this product line is
end-of-life and not longer supported by Kathrein.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated root access by default
An attacker can login to the device without password as "root". Botnets
are mostly built by such weak default settings.

2) Denial of Service (DoS)
The receiver can be restarted by killing the web-service on the device from
remote. This results in a connection loss between the TV and the receiver
itself.

3) Unauthenticated Control of Receiver over the Network
The receiver can be controlled via web-service by GET-requests. An attacker
is able to do the following actions without authentication:
-) Switch the channel
-) Record on a channel
-) Delete records
-) Restart the receiver
-) Watch live-streams by using another UDP-port

Proof of concept:
-----------------
The vendor stated that the product line is end-of-life, hence there is no fix
available. The proof of concept has been removed from this advisory.

Vulnerable / tested versions:
-----------------------------
UFSconnect 916 Firmware 2.23 Build 224

The firmware of UFSconnect 906 (2.22 Build 349) is partially equal and very
similar to the firmware of UFSconnect 916 (2.23 Build 224).

Based on results of the SEC Technologies IoT Inspector
(http://www.iot-inspector.com/ -
automated firmware analysis tool) we believe that UFSconnect 906
(2.22 Build 349) is also prone to the identified vulnerabilities as well as
UFSconnect 916 (2.23 Build 224).

Since controlling the receiver is possible via the Kathrein UFScontrol app
on different UFS models, we believe that the following products are also prone
to 3) too:
UFS 912, UFS 913, UFS 922, UFS 923, UFS 924, UFS 925, UFS 935, UFS 946


Vendor contact timeline:
------------------------
2017-03-21: Sending advisory via secure file-upload to the vendor.
2017-06-07: Asked for status update.
2017-06-09: Vendor answered that he will be reachable at 2017-06-12.
2017-06-12: Call with vendor. Product line is end-of-life (EOL), no fix is
planned. Informing vendor that the advisory will be published
without PoC on 2017-07-27.
2017-07-27: Coordinated release of advisory.

Solution:
---------
Upgrade to newer hardware.


Workaround:
-----------
Set a password for the "root" user.
There is no workaround for the vulnerable web service. Restrict network
access of web service. Do not expose this service to the internet.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    2 Files
  • 23
    Apr 23rd
    17 Files
  • 24
    Apr 24th
    35 Files
  • 25
    Apr 25th
    14 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close