Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Teltonika Gateway TRB245 Multiple Vulnerabilities

High

Synopsis

CVE-2020-5770: Cross-site Request Forgery

The forms at the following locations were found to have no CSRF protection. By tricking a victim user into clicking a link, a remote, unauthenticated attacker can exploit this to completely take over the device.

  • /cgi-bin/luci/
  • /cgi-bin/luci/admin/logout
  • /cgi-bin/luci/admin/network
  • /cgi-bin/luci/admin/network/firewall
  • /cgi-bin/luci/admin/network/firewall/custom
  • /cgi-bin/luci/admin/network/firewall/forwards
  • /cgi-bin/luci/admin/network/firewall/rules
  • /cgi-bin/luci/admin/network/firewall/zones
  • /cgi-bin/luci/admin/network/iface_reconnect/
  • /cgi-bin/luci/admin/network/iface_status/
  • /cgi-bin/luci/admin/network/iface_status/lan
  • /cgi-bin/luci/admin/network/lan
  • /cgi-bin/luci/admin/network/lan/lan
  • /cgi-bin/luci/admin/network/mobile
  • /cgi-bin/luci/admin/network/mobile/general
  • /cgi-bin/luci/admin/network/mobile/operators
  • /cgi-bin/luci/admin/services/cli
  • /cgi-bin/luci/admin/services/cloud_solutions
  • /cgi-bin/luci/admin/services/cloud_solutions/rms
  • /cgi-bin/luci/admin/services/cloud_solutions/rms_get_status
  • /cgi-bin/luci/admin/services/data_sender
  • /cgi-bin/luci/admin/services/io
  • /cgi-bin/luci/admin/services/mobile_utilities
  • /cgi-bin/luci/admin/system/admin/root_ca
  • /cgi-bin/luci/admin/system/admin/troubleshoot
  • /cgi-bin/luci/admin/system/backup
  • /cgi-bin/luci/admin/system/packages/upload
  • /cgi-bin/luci/admin/system/wizard/step-rms

Proof of Concept

Please see attached csrf_poc_CVE-2020-5770.html for a sample dummy html page, when the form is clicked a POST request will be made to an authenticated users session on a Teltonika TRB245 and upload a backup archive.

To test this you will need to change the IP address in the HTML page to that of a Teltonika TRB245 that you have authenticated to.

CVE-2020-5771: Inadequate Validation of Backup Archive

The device has a backup feature that allows a user to download or upload a backup archive. The backup archive contains the /usr/ and /etc/ directories. According to Teltonika’s documentation, a backup archive can only be uploaded if it was generated from an identical device with identical or older firmware.

However, the checks to verify the above are insufficient from a security point of view. The only check to verify that the archive is from a Teltonika device is to check the output of 'cat /etc/version', as proven in the below proof of concept.

Proof of concept - Uploading a backdoored archive

For this proof of concept we will upload a backup archive which has been modified to include a backdoor user who has root privileges (see tampered_backup.tar.gz). Below are the steps the tester took to achieve this.

Download a backup archive and extract the contents.

Modify etc/passwd to add a new user.

Modify etc/shadow to add a password for this backdoor user.

Compress the two folders.

Upload the tampered archive.

At this point the device will reboot, when the device comes back up we will be able to ssh in with our backdoor user.

CVE-2020-5772: Inadequate Validation of Packages Uploaded

The verification that a given package is the package it is meant to be is insufficient, as can be seen by the following proof of concept. An attacker could tamper with any of Teltonika’s custom packages and add in backdoor access as root. They could then either give themselves root privileges (if they already have a low privilege account) or trick an existing user into installing their malicious package. Below seems to be the only verification of the integrity of the package (a check to /etc/version).

Proof of concept - Installing a backdoored package

As an example the tester downloaded one of Teltonika’s packages from their Wiki (​https://wiki.teltonika-networks.com/wikibase/images/3/3b/Networking_trb2xx_manual_packages_cot_0.0.1.ipk​).

Looking at the downloaded package we can see that it is gzip compressed.

We decompress this and find a tar compressed archive.

Inside this archive we find three more files; the data.tar.gz contains two directories /etc/ and /usr/.

What we can do at this point is add passwd and shadow files to the /etc/ directory with the credentials of a new user (for this example the user is called ‘hacker’ ).

Now we repack the package and give it the same filename. When we upload the new tampered package it will overwrite /etc/passwd and /etc/shadow with our own version. It is also worth noting that by default, users in the ‘user’ group have permission to do this.

We can now SSH in as our new ‘hacker’ user who has root privileges.

If you wish to test this yourself please see the attached tlt_custom_pkg_coStreamApp_2020-03-05_mips_24kc_CVE-2020-5772.ipk which contains the tampered package.

CVE-2020-5773: Insufficient Access Control: Users in the 'user' group are able to make changes to device by default

There are three levels of privilege possible to configure on the TRB245 web interface.

The user group is supposed to have no write access whatsoever on the device. However, during testing it was noted that by default members or the user group can make various changes, some of which can fully compromise the system.

Proof of concept

For proof of concept please refer to the above findings, by default both of those exploits can be carried out by members of the 'user' group.

Solution

Upgrade to TRB2XX_R_00.02.04.3 or newer.

Disclosure Timeline

07/01/2020 - Tenable attempts to find security contact.
07/07/2020 - Tenable uses Contact Us web form to ask for security contact email address. We cannot report through the vulnerability reporting web page.
07/08/2020 - Teltonika responds. Says we can send the report via email.
07/08/2020 - Tenable sends the report. 90-day date is 10/06/2020.
07/09/2020 - Teltonika thanks us for the report. They will investigate and follow up with us. They do ask us for a PoC as well.
07/09/2020 - Teltonika responds with their initial assessment.
07/09/2020 - Tenable thanks Teltonika for the update. Sends PoC's over.
07/10/2020 - Teltonika asks for our justification on CVSS scoring. They provide their own analysis.
07/10/2020 - Tenable provides justification.
07/14/2020 - Teltonika disagrees with certain points. They would like to discuss it further.
07/14/2020 - Tenable replies with further justification.
07/16/2020 - Teltonika still disagrees with CVSS scoring. Thanks us for engaging with them on the scoring. They estimate that a test firmware will be available within two weeks with all 5 vulns fixed. Asks if we are interested in taking a look at it.
07/16/2020 - Tenable agrees with their CVSS scoring. Provides updated score.
07/23/2020 - Teltonika says all items are fixed in a test firmware and are with QA. They will share it with us after they have a QA approved test firmware version. They agree with the new CVSS score.
07/23/2020 - Tenable says we are more than happy to test the firmware. However, we clarify our policy.
07/23/2020 - Teltonika thanks us. They will run everything through the team and get back to us.
07/27/2020 - Ideally, Teltonika would like to have confirmation from us that the firmware is solid before releasing it. They will update us when any new info is available.
07/29/2020 - Tenable asks Teltonika to let us know when a patch version is available for us to test, and we can take a look. We will stay on the lookout for any communications.
08/03/2020 - Tenable notices TRB2XX_R_00.02.04.3 was posted with a change log entry of July 31. Asks if it was intended to patch the vulnerabilities. We will investigate on our side as well.
08/03/2020 - Teltonika confirms that all vulnerabilities were addressed in TRB2XX_R_00.02.04.3. It would be great if Tenable could give feedback on it.
08/03/2020 - Since a patch was released, Tenable will post an advisory today. Communicates CVE assignments. We will take a look at the firmware ASAP.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2020-48
Credit:
Derrie Sutton
CVSSv2 Base / Temporal Score:
7.1 / 5.6
CVSSv2 Vector:
AV:N/AC:H/Au:S/C:C/I:C/A:C
CVSSv3 Base / Temporal Score:
7.5 / 6.7
CVSSv3 Vector:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
TRB2_R_00.02.04.01 firmware
Risk Factor:
High

Advisory Timeline

08/03/2020 - Advisory published.
08/04/2020 - Disclosure timeline item fixed.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training