Multiple vulnerabilities in several ATEN IP KVM Switches


Jakob Lell from the TU Berlin computer security working group ( http://www.agrs.tu-berlin.de/v-menue/ag_rechnersicherheit/parameter/en/ ) has discovered multiple vulnerabilities in several ATEN IP KVM Switches.

Affected products:
- ATEN KH1516i IP KVM Switch (browser firmware version 1.0.063)
- ATEN KN9116 IP KVM Switch (firmware version 1.1.104)
- Aten PN9108 Power over the NET (only CVE-2009-1477)

The KH1508i uses the same firmware as the KH1516i and is thus most likely affected as well. The KN9108 uses the same firmware as the KN9116. It is possible that other devices are affected as well. If you have access to other similar devices and want to test whether they are vulnerable as well, please contact me at jakob@cs.tu-berlin.de.

Impact: Arbitrary code execution on the client system, information disclosure and man-in-the-middle attacks.

Background:
Aten produces several IP KVM Switches. These devices can be used like a normal KVM switch with an attached keyboard, mouse and monitor. However, it is also possible to access the hosts connected to the KVM switch over a network, using an ordinary PC as a client. As this can also be done over an insecure network, it is very important that this connection is cryptographically protected against sniffing of confidential data (e.g. keystrokes, monitor signals) and against man-in-the-middle attacks. The affected products provide an SSL-encrypted web interface. After authenticating to the web interface the user can download a client program (Java or Windows). The client program contains temporary authentication data so that it can connect to the KVM switch without asking the user for username/password again.

CVE-2009-1477: Same SSL key for all devices
All tested devices (KH1516i, KN9116 and PN9108) use the same SSL key for the https web interface. If an attacker manages to extract the private key from one single device, (s)he can decrypt the https traffic of all other affected devices. This includes the username and password used to authenticate to the KVM switch. If the attacker is able to carry out a man-in-the-middle attack, (s)he can also compromise client systems by replacing the Windows or Java client software which is downloaded from the KVM switch via https.
Severity: High

CVE-2009-1472: Java client arbitrary code execution
The Java client program connects to the KVM switch on port 9002 and downloads and runs a new Java class. This connection is encrypted using AES. However, the encryption key is hardcoded in the client program, so a man-in-the-middle attacker can inject another Java class file which executes arbitrary Java code on the client computer. This Java code is not confined by a sandbox, as the client is not run as a Java applet. It is also possible to use this vulnerability to mount a man-in-the-middle attack and gain access to the machines connected to the KVM switch.
Severity: High

CVE-2009-1473: Cryptographic weakness in key exchange
When the Windows/Java client connects to the device, the KVM switch and the client negotiate a symmetric session key. This key negotiation uses RSA in an insecure way. An attacker who can monitor the traffic between the client and the KVM switch is able to repeat the client-side calculations and obtain the session key. With this session key the attacker can decrypt the traffic and reconstruct the keystrokes. Furthermore, it is also possible to carry out a man-in-the-middle attack and gain access to the machines connected to the KVM switch. Both the Windows and the Java clients are affected.
Severity: High

CVE-2009-1474: Incomplete encryption
The connection between the client and the KVM switch is not completely encrypted. The transfer of keystrokes is encrypted; however, mouse events are not protected in any way, so a man-in-the-middle attacker can inject arbitrary mouse movements and button presses. Depending on the operating system and setup this may be used to compromise computers attached to the KVM switch.
Severity: Medium

CVE-2009-1474: Session ID cookie not secure-only
When the user connects to the device via http on port 80, the device redirects the user to the same device on port 443 (https). There the user logs in and receives a session ID cookie. However, this cookie does not carry the secure attribute specified in RFC 2109. When the user goes back to http for any reason, an attacker can sniff the session ID. Using this session ID it is possible to download the Windows/Java client program (which contains authentication data) and then access the computers connected to the KVM switch. As the first connection to the KVM switch via http is not protected, a man-in-the-middle attacker can inject dynamic content so that the browser automatically reloads the http site after the user has logged in.
Severity: Low

The vendor has been notified about CVE-2009-1473 on 5.3.2009 and about the other issues on 30.4.2009. Up to now we have not received a firmware upgrade.

Suggested workaround: Avoid connecting to the KVM Switch via untrusted networks.
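The following check is added here as an illustration of the shared-key issue (CVE-2009-1477) and is not part of the original advisory or of any ATEN tool. It fingerprints the certificate each device presents and reports devices that present the same one; the hostnames and PEM bodies in the sample are constructed placeholders, not real devices or certificates.

```python
"""Find devices that present an identical TLS certificate, and hence an identical key."""
import hashlib
import ssl
from collections import defaultdict


def fetch_pem(host, port=443):
    """Fetch the server certificate as PEM without validating the chain; device
    certificates are typically self-signed and we only need the bytes to fingerprint."""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem):
    """SHA-256 over the DER encoding, the value most tools show as the cert fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def shared_certificates(pem_by_host):
    """Group hosts by fingerprint and keep only groups with more than one member.
    Identical certificates imply an identical private key, so a key extracted from any
    host in a group decrypts https traffic to every other host in that group.
    (A shared key behind differently issued certificates would need a comparison of the
    SubjectPublicKeyInfo instead, which this helper does not attempt.)"""
    groups = defaultdict(list)
    for host, pem in pem_by_host.items():
        groups[fingerprint(pem)].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


def scan(hosts, port=443):
    """Fetch certificates from live devices and report the shared ones."""
    return shared_certificates({host: fetch_pem(host, port) for host in hosts})


# Constructed sample: two "devices" presenting the same PEM blob and one presenting a
# different one. The base64 bodies are placeholders that merely decode; they are not
# real certificates.
SAMPLE = {
    "kvm-a.example": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "kvm-b.example": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "kvm-c.example": "-----BEGIN CERTIFICATE-----\nAAAB\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE).items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
```

Replace SAMPLE with `scan([...])` over your own device addresses to run it against live hosts.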
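For the session ID cookie issue, the following added example (not from the advisory or the vendor) parses a Set-Cookie header, reports whether a browser would send the cookie back over plain http, and shows the hardened header. The cookie name and value are constructed placeholders; the device's real cookie name is not given on this page.

```python
"""Check a Set-Cookie header for the Secure attribute (RFC 2109 / RFC 6265) and harden it."""

# Constructed sample: a Set-Cookie header as the https login response might send it.
# "sessid" is a placeholder name, not the device's real cookie.
WEAK_HEADER = "sessid=3f9a1c0e; Path=/"
# The same cookie with the attributes a defender would expect on a session cookie.
FIXED_HEADER = "sessid=3f9a1c0e; Path=/; Secure; HttpOnly"

# Canonical spellings for rendering; attribute names themselves are case-insensitive.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}), attributes lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def leaks_over_http(header):
    """True if a browser would send this cookie on a plain http:// request to the same host.
    Without Secure, the session ID travels in clear as soon as the user returns to http,
    which is exactly what lets a passive observer on the path capture it."""
    _, _, attrs = parse_set_cookie(header)
    return "secure" not in attrs


def harden(header):
    """Return the header with Secure and HttpOnly added where missing, other attributes kept."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", "")
    attrs.setdefault("httponly", "")
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(f"{label}={val}" if val else label)
    return "; ".join(rendered)


if __name__ == "__main__":
    print("weak header leaks over http:", leaks_over_http(WEAK_HEADER))
    print("hardened:", harden(WEAK_HEADER))
```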