Siglent Technologies SDS 1202X-E Digital Oscilloscope 5.1.3.13 Hardcoded Credentials

`SEC Consult Vulnerability Lab Security Advisory < 20181130-0 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: Siglent Technologies SDS 1202X-E Digital Oscilloscope  
vulnerable version: V5.1.3.13  
fixed version: -  
CVE number: -  
impact: High  
homepage: http://siglenteu.com/  
https://www.siglent.eu/  
https://www.siglentamerica.com/  
found: 2018-08-06  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"SIGLENT is an international high-tech company, concentrating on R&D, sales,  
production and services of measurement products. As an ISO9001:2000  
International Quality Management System and ISO 14001:2004 Environmental  
Management System Certified company, SIGLENT is also a member of the China  
Electronic Instrument Industry Association and Guangdong Instrument  
Representative Association.  
[...]  
SIGLENT focuses on the electronic test & measurement instrument industry and  
sees research & development as a core competency, while keeping a strong  
competitive edge through technology innovation and strict quality control. Try  
a Siglent product. Then compare the performance and the features to any other  
model, any other brand. Then compare the price. We believe there is no better  
value anyplace."  
  
Source: http://www.siglenteu.com/about.aspx  
  
  
Business recommendation:  
------------------------  
The identified backdoor accounts are accessible through Telnet, hence a compromise  
of the device via a local network attack is possible.  
  
Any malicious modification of measurement values may have serious impact on the  
product or service which is created or offered by using this oscilloscope.  
Therefore, all procedures which are executed with this device are untrustworthy.  
  
SEC Consult recommends not to use this product within a network of a production  
environment until a thorough security review has been performed by security  
professionals and all identified issues have been resolved.  
  
The vendor was unresponsive and did not provide a patch.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Backdoor Accounts  
Two backdoor accounts are present on the system. A Telnet service is listening  
on port 23 which enables an attacker to connect as root to the oscilloscope via  
LAN.  
  
The password hashes are hardcoded and are difficult to change for the end user  
because the "shadow" file is stored on a cramfs (intentionally write-only)  
file system.  
  
  
2) Missing Authentication / Design Issue  
The software "EasyScopeX" can be used from any computer in the network to  
configure and interact with the oscilloscope. This is possible without prior  
authentication which enables everyone to change settings on the oscilloscope.  
  
  
3) Unencrypted Communication  
The software "EasyScopeX" communicates via unencrypted TCP packets with the  
client computer / oscilloscope.  
  
  
4) Outdated and Vulnerable Software Components  
Multiple software components embedded in the firmware are outdated and found  
to be vulnerable to various publicly known security issues.  
  
  
Proof of concept:  
-----------------  
1) Hardcoded Backdoor Accounts  
The following password hashes were dumped from "/etc/shadow" by connecting to  
the UART interface on the PCB:  
  
root  
siglent  
(The password hashes have been removed from this advisory)  
  
  
2) Missing Authentication / Design Issue  
It is sufficient to install the "EasyScopeX" software and control the oscilloscope  
without any authentication.  
  
  
3) Unencrypted Communication  
The software "EasyScopeX" communicates in plaintext via various ports by using  
the portmapper. The default ports are "5024" and "5025".  
  
  
4) Outdated and Vulnerable Software Components  
Using the IoT Inspector software we found the following outdated and vulnerable  
components:  
* BusyBox 1.20.1  
* GNU glibc 2.13  
* Linux Kernel 3.19.0  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following device / firmware version has been tested:  
* Siglent SDS1202X-E (V5.1.3.13)  
  
It is assumed that other firmware versions are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2018-08-22: Contacting German VDE CERT for coordination support  
2018-09-04: Asking for a status update from the vendor  
2018-09-05: VDE CERT: no response from vendor yet  
2018-09-12: US sales person from Siglent has answered, VDE CERT  
is sending advisory to be forwarded to engineering  
2018-10-10: Asking for a status update (affected versions, etc)  
2018-10-10: VDE CERT: asking vendor for update, vendor reply:  
"I forwarded it to our VP of Engineering for  
consideration. The R&D offices are located in China,  
so I do not have any further visibility or information."  
2018-10-12: VDE CERT: if there are no news until end of October,  
we will release security advisory beginning of November  
2018-11-23: VDE CERT: no news from the vendor, planning release  
2018-11-30: Public release of security advisory  
  
  
Solution:  
---------  
The vendor was unresponsive and did not provide a patch. See workaround section  
to reduce the attack surface.  
  
  
Workaround:  
-----------  
* Don't use the LAN interface or if needed use only in trusted networks  
* Connect to the UART interface and place a script which closes port 23 on the  
device during bootup if Telnet is not used.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2018  
  
`