KATHREIN UFSconnect 916 / 906 DoS / Unauthenticated Actions

Type packetstorm
Reporter T. Weber
Modified 2017-07-27T00:00:00


                                            `SEC Consult Vulnerability Lab Security Advisory < 20170727-1 >  
title: Multiple vulnerabilities  
product: KATHREIN - UFSconnect 916, UFSconnect 906  
vulnerable version: 2.23 Build 224, 2.22 Build 349  
fixed version: -  
CVE number:  
impact: High  
homepage: https://www.kathrein.com/de/  
found: 2017-03-06  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
Vendor description:  
"As a globally leading specialist, Kathrein has unique know-how: our  
business fields cover a wide range of communication technologies. They  
produce intelligent solutions for the connected world a and clearly aim to  
remain a step ahead. We think ahead to the future of communication  
Source: https://www.kathrein.com/en/company/business-fields/  
Business recommendation:  
The Kathrein receiver series can be controlled via its web interface. It is  
intended to control this device also via internet over the Kathrein android  
or iOS App. Missing authentication enables an attacker to control all Kathrein  
UFS receivers over the web interface via port 9000/TCP. Actions like switch  
channel, power off or increase/decrease volume are only few examples. An  
attacker can also stream channels via port 49152/TCP or a dynamic defined UDP  
port which depends on the content of the downloaded 'T*.asx' file.  
SEC Consult recommends not to forward any port of this device to the internet  
until a thorough security review has been performed by security professionals  
and all identified issues have been resolved.  
Upgrade to newer hardware is recommended since this product line is  
end-of-life and not longer supported by Kathrein.  
Vulnerability overview/description:  
1) Unauthenticated root access by default  
An attacker can login to the device without password as "root". Botnets  
are mostly built by such weak default settings.  
2) Denial of Service (DoS)  
The receiver can be restarted by killing the web-service on the device from  
remote. This results in a connection loss between the TV and the receiver  
3) Unauthenticated Control of Receiver over the Network  
The receiver can be controlled via web-service by GET-requests. An attacker  
is able to do the following actions without authentication:  
-) Switch the channel  
-) Record on a channel  
-) Delete records  
-) Restart the receiver  
-) Watch live-streams by using another UDP-port  
Proof of concept:  
The vendor stated that the product line is end-of-life, hence there is no fix  
available. The proof of concept has been removed from this advisory.  
Vulnerable / tested versions:  
UFSconnect 916 Firmware 2.23 Build 224  
The firmware of UFSconnect 906 (2.22 Build 349) is partially equal and very  
similar to the firmware of UFSconnect 916 (2.23 Build 224).  
Based on results of the SEC Technologies IoT Inspector  
(http://www.iot-inspector.com/ -  
automated firmware analysis tool) we believe that UFSconnect 906  
(2.22 Build 349) is also prone to the identified vulnerabilities as well as  
UFSconnect 916 (2.23 Build 224).  
Since controlling the receiver is possible via the Kathrein UFScontrol app  
on different UFS models, we believe that the following products are also prone  
to 3) too:  
UFS 912, UFS 913, UFS 922, UFS 923, UFS 924, UFS 925, UFS 935, UFS 946  
Vendor contact timeline:  
2017-03-21: Sending advisory via secure file-upload to the vendor.  
2017-06-07: Asked for status update.  
2017-06-09: Vendor answered that he will be reachable at 2017-06-12.  
2017-06-12: Call with vendor. Product line is end-of-life (EOL), no fix is  
planned. Informing vendor that the advisory will be published  
without PoC on 2017-07-27.  
2017-07-27: Coordinated release of advisory.  
Upgrade to newer hardware.  
Set a password for the "root" user.  
There is no workaround for the vulnerable web service. Restrict network  
access of web service. Do not expose this service to the internet.  
Advisory URL:  
SEC Consult Vulnerability Lab  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
EOF T. Weber / @2017