exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Siglent Technologies SDS 1202X-E Digital Oscilloscope 5.1.3.13 Hardcoded Credentials

Siglent Technologies SDS 1202X-E Digital Oscilloscope 5.1.3.13 Hardcoded Credentials
Posted Nov 30, 2018
Authored by T. Weber | Site sec-consult.com

Siglent Technologies SDS 1202X-E Digital Oscilloscope version 5.1.3.13 suffers from multiple security vulnerabilities including hardcoded backdoor accounts, missing authentication, and more.

tags | exploit, vulnerability
SHA-256 | 9c2308d462e08188151b5811bf316c27b479ee4b0ffda09667d3a3e6d83074a1

Siglent Technologies SDS 1202X-E Digital Oscilloscope 5.1.3.13 Hardcoded Credentials

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20181130-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Siglent Technologies SDS 1202X-E Digital Oscilloscope
vulnerable version: V5.1.3.13
fixed version: -
CVE number: -
impact: High
homepage: http://siglenteu.com/
https://www.siglent.eu/
https://www.siglentamerica.com/
found: 2018-08-06
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"SIGLENT is an international high-tech company, concentrating on R&D, sales,
production and services of measurement products. As an ISO9001:2000
International Quality Management System and ISO 14001:2004 Environmental
Management System Certified company, SIGLENT is also a member of the China
Electronic Instrument Industry Association and Guangdong Instrument
Representative Association.
[...]
SIGLENT focuses on the electronic test & measurement instrument industry and
sees research & development as a core competency, while keeping a strong
competitive edge through technology innovation and strict quality control. Try
a Siglent product. Then compare the performance and the features to any other
model, any other brand. Then compare the price. We believe there is no better
value anyplace."

Source: http://www.siglenteu.com/about.aspx


Business recommendation:
------------------------
The identified backdoor accounts are accessible through Telnet, hence a compromise
of the device via a local network attack is possible.

Any malicious modification of measurement values may have serious impact on the
product or service which is created or offered by using this oscilloscope.
Therefore, all procedures which are executed with this device are untrustworthy.

SEC Consult recommends not to use this product within a network of a production
environment until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

The vendor was unresponsive and did not provide a patch.


Vulnerability overview/description:
-----------------------------------
1) Hardcoded Backdoor Accounts
Two backdoor accounts are present on the system. A Telnet service is listening
on port 23 which enables an attacker to connect as root to the oscilloscope via
LAN.

The password hashes are hardcoded and are difficult to change for the end user
because the "shadow" file is stored on a cramfs (intentionally write-only)
file system.


2) Missing Authentication / Design Issue
The software "EasyScopeX" can be used from any computer in the network to
configure and interact with the oscilloscope. This is possible without prior
authentication which enables everyone to change settings on the oscilloscope.


3) Unencrypted Communication
The software "EasyScopeX" communicates via unencrypted TCP packets with the
client computer / oscilloscope.


4) Outdated and Vulnerable Software Components
Multiple software components embedded in the firmware are outdated and found
to be vulnerable to various publicly known security issues.


Proof of concept:
-----------------
1) Hardcoded Backdoor Accounts
The following password hashes were dumped from "/etc/shadow" by connecting to
the UART interface on the PCB:

root
siglent
(The password hashes have been removed from this advisory)


2) Missing Authentication / Design Issue
It is sufficient to install the "EasyScopeX" software and control the oscilloscope
without any authentication.


3) Unencrypted Communication
The software "EasyScopeX" communicates in plaintext via various ports by using
the portmapper. The default ports are "5024" and "5025".


4) Outdated and Vulnerable Software Components
Using the IoT Inspector software we found the following outdated and vulnerable
components:
* BusyBox 1.20.1
* GNU glibc 2.13
* Linux Kernel 3.19.0


Vulnerable / tested versions:
-----------------------------
The following device / firmware version has been tested:
* Siglent SDS1202X-E (V5.1.3.13)

It is assumed that other firmware versions are affected as well.


Vendor contact timeline:
------------------------
2018-08-22: Contacting German VDE CERT for coordination support
2018-09-04: Asking for a status update from the vendor
2018-09-05: VDE CERT: no response from vendor yet
2018-09-12: US sales person from Siglent has answered, VDE CERT
is sending advisory to be forwarded to engineering
2018-10-10: Asking for a status update (affected versions, etc)
2018-10-10: VDE CERT: asking vendor for update, vendor reply:
"I forwarded it to our VP of Engineering for
consideration. The R&D offices are located in China,
so I do not have any further visibility or information."
2018-10-12: VDE CERT: if there are no news until end of October,
we will release security advisory beginning of November
2018-11-23: VDE CERT: no news from the vendor, planning release
2018-11-30: Public release of security advisory


Solution:
---------
The vendor was unresponsive and did not provide a patch. See workaround section
to reduce the attack surface.


Workaround:
-----------
* Don't use the LAN interface or if needed use only in trusted networks
* Connect to the UART interface and place a script which closes port 23 on the
device during bootup if Telnet is not used.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2018

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    31 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close