-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-040
Product:                   DiCal-RED
Manufacturer:              Swissphone Wireless AG
Affected Version(s):       Unknown
Tested Version(s):         4009
Vulnerability Type:        Improper Authentication (CWE-287)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2024-04-16
Solution Date:             None
Public Disclosure:         2024-08-20
CVE Reference:             CVE-2024-36444
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This
is ensured by the linking of navigation (also for the transmission of position
data) and various radio modules."

Due to improper authentication checks, the device is vulnerable to
unauthorized access to logs and other files on the device's file system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device allows viewing log files via the administrative web interface.
This function does not require an authenticated session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As other parts of the administrative web interface do require authentication,
a simple proof of concept is to log in to the web interface and navigate to
the function to view log files.
Log file contents are returned by a URL similar to
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}

Using a local proxy to remove the QSESSIONID cookie from this request shows
that the content is also returned when not sending any session information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered
2024-04-16: Vulnerability reported to manufacturer
2024-05-10: Manufacturer states that the vulnerability will not be fixed
2024-05-14: Vulnerability reported to CERT-Bund
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-040
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd
i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/
oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0
06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw
MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts
N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA
EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I
6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k
ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP
CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS
c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X
jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM=
=Iaf1
-----END PGP SIGNATURE-----