Lack of proper ACL (Full Disclosure) and Improper Neutralization (CVE-2017-16723) 
PHOENIX CONTACT FL COM SERVER RS485 
September, 2018 • Maxim Rupp (@mmrupp)
Please note that this post is published in coordination with the vendor. This is not a criticism of the vendor or their products, it only tries to draw attention to existing security issues for their solution.
Index

Vulnerabilities in PHOENIX CONTACT FL COM SERVER RS485
Index
Summary
  Overview
  Affected Product
  Impact
Identified Security Issues
  Lack of proper ACL (Full Disclosure)
  Improper Neutralization (CVE-2017-16723)
Mitigation and Solution
References
Summary
Overview
The following security issues refer to the standard web-based configuration interface of the affected PHOENIX CONTACT FL COM SERVER RS485 device.
Affected Product
Lack of proper ACL and Improper Neutralization:
FL COM SERVER RS485

Improper Neutralization (according to the vendor):
FL COMSERVER BASIC 232/422/485,
FL COMSERVER UNI 232/422/485,
FL COMSERVER BAS 232/422/485-T,
FL COMSERVER UNI 232/422/485-T,
FL COM SERVER RS232, and
PSI-MODEM/ETH.
Impact
Successful exploitation of these vulnerabilities may allow an unauthenticated, malicious remote user to modify configuration variables on the affected device.
Identified Security Issues
Lack of proper ACL (Full Disclosure)
According to CERT@VDE’s security advisory VDE-2017-004, "On devices with older firmware versions, an unauthenticated user with network access is able to change (but not activate) the configuration variables by accessing a specific URL on the web server, without authenticating in the web interface first. A changed configuration can only be permanently saved and activated by an authenticated user." (Impact section, para. 1).

Firstly, it is necessary to understand the logic of the configuration process of the affected device from the standard web-based HMI. This process can be divided into the following steps:

Step a) For the accessing and changing of the settings in the web-based configuration interface, the so-called "read" password is required. This password is requested upon opening of the configuration page and it is based on an HTTP Basic access authentication method. It is important to understand that at this step the application only marks the changing of settings in the HMI, but does not apply them to the device itself.

Step b) To save the changes from the previous step with the "Save & Reboot" function, the so-called "write" password is required. This password is requested each time the configuration is saved and it is based on a form-based authentication method. Saving and activation of the changes from step a are not possible without a valid password from this step. It should also be noted that the "Save & Reboot" process is not always necessary to activate new values in some parameters, and the second issue (improper neutralization) takes advantage of this.

It is worth noting that this basic two-step principle of the configuration process is a pretty good solution in terms of security.

Nevertheless, the presence of a function as such does not mean that it is correctly implemented or correctly integrated with the other components of the application. In this specific case, because of incorrect logic in the processing sequence of the application, it is still possible to modify the settings without authenticating, thereby violating the existing access-control rules (ACL). As a consequence, a malicious user can exploit the lack of a proper ACL by accessing a specific uniform resource locator on the web server, bypassing the authentication of the first step and modifying the application settings. This issue only affects the first of the two required steps; the unsaved configuration changes present in the web interface are discarded at the next power reset or reboot.

The following PoC demonstrates that the device configuration can be modified, namely the values of the "Name of device" and "Description" fields, without authentication, i.e. without knowing the password from step a.

Proof of Concept Request:

Request (without HTTP Basic authentication header)
GET /setup.cgi?L=snmpconfig.htm&S435=Test123&S485=Test123&S565=Unknown&S535=Unknown&B386=0&B387=0&B388=0&B389=0&B390=0&B391=0&B392=0&B393=0&B384b0=1 HTTP/1.1
Host: <host>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Save Configuration(password only)"
The changes are accepted by the application in spite of the 401 response status code, which means "unauthenticated", i.e. that the user does not have the necessary credentials.

Even without the password for the "Save & Reboot" function, and with the malicious configuration not yet active, an attacker can still use the following attack scenario, in which the worst case leads to unauthorized modification of the settings and, as a consequence, to a compromised device:


Certainly, at this point it is worth considering that all illegitimate modifications are also visible to the administrator; however, checking and verifying the correctness of every parameter each time before performing the "Save & Reboot" function is an area of concern. This issue was reported to and confirmed by the vendor, but unfortunately it was not qualified as a vulnerability and remained without a detailed description or attention in the public advisory, despite the fact that the following issue was highlighted to demonstrate that the ACL is problematic and that it may extend the surface of subsequent attacks.
Improper Neutralization (CVE-2017-16723)
In addition to the aforementioned issue, improper neutralization of input in one of the existing parameters during web page generation has been identified. This makes a Cross-Site Scripting attack possible, which allows the execution of arbitrary JavaScript on the affected host and thereby access to the web interface user's data and functions. It should be noted that the value of the vulnerable parameter is stored and incorrectly processed on every page of the web-based configuration HMI. Thus this issue is of the persistent (stored) type, and an attack payload can be executed without any user interaction.
In this way, an unauthenticated, malicious remote user can use the ACL issue to inject a malicious JavaScript payload, which is then executed because of the improper neutralization issue.
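To show how a defender could spot both issues in the device's or a reverse proxy's access log, here is an added example (not code from the original post or from the vendor): it flags configuration-setting requests to setup.cgi that were answered 401 or carried no authenticated user, and values in the "Name of device"/"Description" parameters (S435, S485 from the PoC above) that contain markup. The log lines, the log format and the IP addresses are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (common log format); the second line models the
# unauthenticated setup.cgi request shown in the PoC, the third a stored-XSS attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2018:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 1532
10.0.0.9 - - [12/Sep/2018:10:00:07 +0000] "GET /setup.cgi?L=snmpconfig.htm&S435=Test123&S485=Test123 HTTP/1.1" 401 0
10.0.0.9 - - [12/Sep/2018:10:00:09 +0000] "GET /setup.cgi?L=snmpconfig.htm&S435=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 401 0
10.0.0.5 - admin [12/Sep/2018:10:02:00 +0000] "GET /setup.cgi?L=snmpconfig.htm&S435=PLC-Gateway HTTP/1.1" 200 1210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Query parameters from the PoC that set the "Name of device" and "Description" fields.
CONFIG_PARAMS = {"S435", "S485"}
# Characters that have no business in a device name but matter once the value is
# rendered unescaped on every HMI page.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def analyze(log_text):
    """Return (finding, client_ip, parameters) tuples for suspicious setup.cgi requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/setup.cgi":
            continue
        query = parse_qs(parts.query)  # parse_qs also percent-decodes the values
        set_params = CONFIG_PARAMS & query.keys()
        if not set_params:
            continue
        # A config-setting request answered 401 or without an authenticated user: per the
        # advisory the device still applies such values to the pending configuration.
        if m["status"] == "401" or m["user"] == "-":
            findings.append(("unauth_config_change", m["ip"], sorted(set_params)))
        # Markup inside a stored field is a stored-XSS indicator (CVE-2017-16723).
        for param in sorted(set_params):
            if any(MARKUP_RE.search(value) for value in query[param]):
                findings.append(("markup_in_stored_field", m["ip"], [param]))
    return findings
```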

The vendor received a PoC of a JS keylogger that captures the user's keystrokes in the application environment and sends this data to a host determined by the attacker. The keylogger is executed in a benign user's browsing context and allows the compromise of keyboard input in the "password" field of step b.

According to the vendor the following devices are also affected by this issue:

FL COMSERVER BASIC 232/422/485,
FL COMSERVER UNI 232/422/485,
FL COMSERVER BAS 232/422/485-T,
FL COMSERVER UNI 232/422/485-T,
FL COM SERVER RS232,
FL COM SERVER RS485, and
PSI-MODEM/ETH.


To summarize, the combination of these two issues makes it possible to obtain the existing "write" password for the second "Save & Reboot" procedure in plaintext on the affected device. An example of an attack scenario that combines the two security issues described above is listed below:

An example of interception of keystrokes on the host side of a malicious user:
[...]
[...] "GET /keylogger/s HTTP/1.1" [...]
[...] "GET /keylogger/e HTTP/1.1" [...]
[...] "GET /keylogger/c HTTP/1.1" [...]
[...] "GET /keylogger/r HTTP/1.1" [...]
[...] "GET /keylogger/e HTTP/1.1" [...]
[...] "GET /keylogger/t HTTP/1.1" [...]
[...]
Mitigation and Solution
PHOENIX CONTACT released new firmware versions for the affected devices, which fix the Improper Neutralization (CVE-2017-16723) vulnerability. The updated firmware may be downloaded from the product page on the PHOENIX CONTACT website. Customers can find more information in CERT@VDE’s security advisory VDE-2017-004 at the following location: https://cert.vde.com/de-de/advisories/vde-2017-004.

Phoenix Contact recommendations for security in automation systems: ah_en_industrial_security_107913_en_01.pdf.
References
https://ics-cert.us-cert.gov/advisories/ICSA-17-341-03 — PHOENIX CONTACT FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH
https://cert.vde.com/de-de/advisories/vde-2017-004 — PHOENIX CONTACT FL COMSERVER cross-site scripting (XSS) vulnerability

CVE-2017-16723 (CWE-79: Improper Neutralization of Input During Web Page Generation)