Teltonika RUT9XX路由器安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1351180 漏洞类型 授权问题
发布时间 2018-10-13 更新时间 2019-10-23
CVE编号 CVE-2018-17534 CNNVD-ID CNNVD-201810-712
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018100112
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-712
|漏洞详情
Teltonika RUT9XX routers (又称LuCI)是立陶宛Teltonika公司的一款路由器产品。 使用00.04.233之前版本固件的Teltonika RUT9XX路由器存在安全漏洞,该漏洞源于程序没有进行正确的访问控制。物理位置接近的攻击者可利用该漏洞以root权限执行任意命令。
|漏洞EXP
# Teltonika RUT9XX Missing Access Control to UART Root Terminal #

Link: https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control

## Vulnerability Overview ##

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root
terminal on a serial interface without proper access control. This
allows attackers with physical access to execute arbitrary commands
with root privileges.

* **Identifier**            : SBA-ADV-20180319-02
* **Type of Vulnerability** : Incorrect Access Control
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor**                : [Teltonika](https://teltonika.lt/)
* **Affected Versions**     : Firmware RUT9XX_R_00.04.199 and probably prior,
                              newer firmware versions if settings were not cleared
* **Fixed in Version**      : RUT9XX_R_00.04.233
* **CVE ID**                : CVE-2018-17534
* **CVSSv3 Vector**         : CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score**     : 6.8 (Medium)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source: <https://teltonika.lt/product/rut955/>

## Impact ##

An attacker with physical access can fully compromise the device, by
exploiting the vulnerabilities documented in this advisory. Sensitive
data stored or transmitted via the device might get exposed through
this attack.

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which
includes fixes for the vulnerability described in this advisory.
It is important to clear all settings during upgrade, for example, by
disabling the "Keep all settings" checkbox while upgrading via the
webinterface. Otherwise, newer firmware versions remain vulnerable.

## Vulnerability Description ##

RUT9XX routers provide a UART/serial interface on two pins of an
internal card-edge connector.

* RX: Pin 1 - Rectangle-like pin on the top-side (CPU side)
* TX: Pin 8 - Rectangle-like pin on the bottom-side

The UART interface uses TTL-level and a baud rate of 115200. It
provides log output and a root terminal without proper access control.

## Proof-of-Concept ##

Our test device with firmware RUT9XX_R_00.04.172 provided the following
log output during boot and after hitting the ENTER key:

```text
***************************************
*     U-Boot 3.0.1     2017-02-15     *
***************************************

  BOARD: Teltonika RUT9XX
    RAM: 128 MB DDR2 32-bit CL3-4-4-10
  FLASH: 16 MB Winbond W25Q128
 CLOCKS: CPU/RAM/AHB/SPI/REF
         550/400/200/ 25/ 40 MHz

Hit any key to stop booting:  0

Booting image from 0x9F040000...

   Vendor/image name:    Teltonika RUT9xx
   Hardware ID:          0x35000001
   Whole image size:     15.5 MB (16252928 bytes)
   Kernel size:          1.1 MB (1191732 bytes)
   Rootfs size:          9.7 MB (10170504 bytes)
   Kernel load address:  0x80060000
   Kernel entry point:   0x80060000

   Header CRC...  skipped
   Data CRC...    skipped

Stopping network... OK!
Uncompressing Kernel... OK!
Starting kernel...

[    0.000000] Linux version 3.18.44 (simonas@Teltonika-I3) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r40569) ) #1 Tue Apr 10 15:23:49 EEST 2018
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[    0.000000] SoC: Atheros AR9344 rev 3
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[   20.140000] usb 1-1.3: new high-speed USB device number 4 using ehci-platform
[   20.280000] option 1-1.3:1.0: GSM modem (1-port) converter detected
[   20.280000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB1
[   20.290000] option 1-1.3:1.1: GSM modem (1-port) converter detected
[   20.300000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB2
[   20.310000] option 1-1.3:1.2: GSM modem (1-port) converter detected
[   20.310000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB3
[   20.320000] option 1-1.3:1.3: GSM modem (1-port) converter detected
[   20.330000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB4
[   20.360000] qmi_wwan 1-1.3:1.4: cdc-wdm0: USB WDM device
[   20.360000] qmi_wwan 1-1.3:1.4: Quectel EC21&EC25&EC20 R2.0 work on RawIP mode
[   20.370000] qmi_wwan 1-1.3:1.4 wwan0: register 'qmi_wwan' at usb-ehci-platform-1.3, WWAN/QMI device, xx:xx:xx:xx:xx:xx
[   22.280000] jffs2: notice: (1498) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[   26.220000] device eth0 entered promiscuous mode
[   28.520000] eth0: link up (1000Mbps/Full duplex)
[   28.520000] br-lan: port 1(eth0) entered forwarding state
[   28.530000] br-lan: port 1(eth0) entered forwarding state
[   30.530000] br-lan: port 1(eth0) entered forwarding state
[   33.220000] Ports leds ON
procd: - init complete -



BusyBox v1.24.2 () built-in shell (ash)

   ____        _    ___  ____        _(_)_
  |  _ \ _   _| |_ / _ \/ ___|      (_)@(_)
  | |_) | | | | __| | | \___ \       /(_)
  |  _ <| |_| | |_| |_| |___) |    \|/
  |_| \_\\__,_|\__|\___/|____/     \|/

Teltonika RUT9XX 2014 - 2018

root@router:/# id
uid=0(root) gid=0(root)
root@router:/#
```

## Timeline ##

* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` re-test of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` notify vendor about incomplete fix
* `2018-07-25` notify vendor about incomplete fix
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17534
* `2018-09-26` notify vendor about incomplete fix
* `2018-10-03` vendor stated that clearing of settings is required
* `2018-10-10` re-test of version RUT9XX_R_00.04.233
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware>

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))

|参考资料

来源:packetstormsecurity.com

链接:http://packetstormsecurity.com/files/149779/Teltonika-RUT9XX-Missing-Access-Control-To-UART-Root-Terminal.html


来源:seclists.org

链接:http://seclists.org/fulldisclosure/2018/Oct/28


来源:github.com

链接:https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control