ESC 8832 Data Controller Vulnerability

29 May 2014

Good evening,

This post is the detailed walkthrough of the 0-day vulnerability affecting one of ESC's (Environmental Systems Corporation) devices, namely the ESC 8832 Data Controller.

TL;DR

This article discloses the details of the vulnerability discovered in the ESC 8832 Data Controller. This device is often found on SCADA / ICS networks, as its function is data acquisition, processing and alarm generation about ambient data. More precisely (from the manual by the manufacturer), “The ESC Model 8832 Data System Controller is a microprocessor-based data acquisition system designed to acquire, process, store, report, and telemeter data in a multi-tasking environment. […]”. Basically it processes information from industrial sensors and does magic with the data, spitting back useful info.

The vendor, Environmental Systems Corporation (ESC), was very receptive and responsive to the vulnerabilities, and we coordinated the responsible disclosure details. According to ESC, the product is no longer supported and cannot be updated via a firmware upgrade: “Unfortunately, the 8832 Data Controller is now completely out of code space, and ESC has no technical ability to make any additional changes to the firmware.” (ESC)

Specifically, the web interface of the device was found vulnerable. The native client, installed on end-points, was not tested.

The vendor's recommended mitigation is to upgrade to the latest supported model. (Not tested by me.) Alternatively, block port 80 with a firewall in front of the device. As another alternative, instruct operators and users not to use the web interface for device management, as there are other means to manage the device. (Not tested by me.)

Timeline

02/18/2015 - Vulnerability discovered
02/18/2015 - First contact with vendor
02/19/2015 - Response from vendor
02/20/2015 - Details submitted to vendor
02/23/2015 - Vendor verified all 5 issues, mutually agreed on 90 day full disclosure timeline
02/27/2015 - Vendor notified clients through email and support portal
05/28/2015 - Vendor was contacted with disclosure details and verbiage
05/29/2015 - Details, MSF module and POC were published on the researcher’s web site and submitted to Exploit-db.com

Exploit-DB submission

# Exploit Title: ESC 8832 Data Controller multiple vulnerabilities
# Date: 2014-05-29
# Platform: SCADA / Web Application
# Exploit Author: Balazs Makany
# Vendor Homepage: www.envirosys.com
# Version: ESC 8832 Data Controller Hardware
# Tested on: ESC 8832 Data Controller Hardware
# CVE : N/A (Yet)

POC for session hijacking: From a browser, simply enter the following URL:
http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and increment the sessionid parameter, starting from 1 up until it makes sense. Typically 15 is high enough.

The POC (and the other vulns as well) was confirmed by the vendor
Metasploit scanner module available here


Details

[1] Insecure user session handling (Session Hijacking)

Summary
This vulnerability allows an attacker to hijack a valid session that is in progress by a legitimate user.

Details
Due to the predictable session generation and the lack of cookie-based authentication in the web interface, it was confirmed that an attacker from a different source IP address can issue valid requests, impersonating the authenticated user. The attack complexity is very low; no special software is required. It was noted that valid sessions do time out after a certain period of inactivity; however, hijacked sessions can extend the session validity.

Impact
The attacker can bypass intended access restrictions and impersonate currently active users, including administrators. Successful exploitation will result in complete loss of control over the device, and may depend on the compromised user context.

Metasploit Module
Available here as an auxiliary scanner to determine live sessions. (Also, we will see if it will make it into the official repo.)

POC
From a browser, simply enter the following URL: http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and modify the sessionid parameter, starting from 1 up until it makes sense. Typically 15 is high enough.


[2] Insecure user session generation (Predictable user session generation)

Summary
This vulnerability helps attackers perform session hijacking.

Details
Upon successful authentication, the generated session IDs are sequential in nature and start at 1. For example, if no user is authenticated, the first user who authenticates will receive the session ID 1. The next authenticated user will receive session ID 2 and so on. There also seems to be a “read-only” / unknown behavior when user ID 0 is supplied. Negative, invalid and other fuzzable values were not tested.

Impact
Successful exploitation will allow remote attackers to determine valid sessions, leading to session hijacking and can result in complete loss of control over the device.

POC
N/A, confirmed by vendor


[3] Insecure user authentication method (Unencrypted protocol)

Summary
This vulnerability allows man-in-the-middle attackers to gain valid cleartext credentials.

Details
The device is only capable of HTTP based authentication, which doesn’t seem to offer encryption such as HTTPS. Note that the native end-point client shipped with the device was not tested.

Impact
Man-in-the-middle attackers are able to sniff cleartext authentication credentials between the user and the device. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context.

POC
N/A, see web interface open ports and protocols


[4] Insecure user management (Lack of user names)

Summary
This vulnerability significantly decreases the complexity requirements for bruteforce attacks.

Details
The web interface does not require a username to be entered in conjunction with the password; only the password drives the user role.

Impact
Attackers can have a significantly higher success rate for password bruteforcing. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context.

POC
N/A, confirmed by vendor, inspect login screen


[5] Insecure user session token transmission (Session token in HTTP GET)

Summary
Session tokens are transmitted via HTTP GET request in unhashed form.

Details
Upon successful authentication, the session ID is being sent in the URL GET request. (http[://]192.168[.]1.1/escmenu.esp?sessionid=1&menuid=6)

Impact
Man-in-the-middle attackers and caching devices (proxies, routers with spanning ports, loggers, browser history, IDS/IPS etc.) can effectively capture valid session IDs. The session ID transmitted in the GET request is vulnerable to session hijacking. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context.

POC
N/A, confirmed by vendor
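
A detection sketch for issues [1], [2] and [5], added here as an example and not part of the original advisory or any ESC tooling: because the session ID travels in the URL, any web or proxy log in front of the device records it, so a defender can flag a session ID used from more than one source address and a source that walks through several IDs. The Common Log Format input, the sample lines, the 30-minute window and the threshold of three IDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format, as a proxy in front of the
# device might record them (addresses are documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2015:09:00:01 +0000] "GET /escmenu.esp?sessionid=3&menuid=6 HTTP/1.1" 200 812
192.0.2.10 - - [18/Feb/2015:09:02:10 +0000] "GET /escmenu.esp?sessionid=3&menuid=2 HTTP/1.1" 200 640
198.51.100.7 - - [18/Feb/2015:09:03:00 +0000] "GET /escmenu.esp?sessionid=1&menuid=6 HTTP/1.1" 200 120
198.51.100.7 - - [18/Feb/2015:09:03:01 +0000] "GET /escmenu.esp?sessionid=2&menuid=6 HTTP/1.1" 200 120
198.51.100.7 - - [18/Feb/2015:09:03:02 +0000] "GET /escmenu.esp?sessionid=3&menuid=6 HTTP/1.1" 200 812
192.0.2.44 - - [18/Feb/2015:15:30:00 +0000] "GET /escmenu.esp?sessionid=1&menuid=6 HTTP/1.1" 200 812
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')

def parse(log_text):
    """Yield (time, source_ip, session_id) for requests that carry a sessionid."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sid = parse_qs(urlsplit(m.group(3)).query).get("sessionid", [None])[0]
        if sid is not None:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1), sid

def detect(log_text, window=timedelta(minutes=30), probe_threshold=3):
    """Return (shared, probers): session IDs used by more than one source, and
    sources that touched probe_threshold or more distinct IDs, within window."""
    events = sorted(parse(log_text))
    shared, probers = defaultdict(set), {}
    for i, (t, ip, sid) in enumerate(events):
        # IDs are small and start at 1, so the same number recurs over time;
        # only events inside the window are compared (window is an assumption).
        recent = [e for e in events[:i + 1] if t - e[0] <= window]
        users = {e[1] for e in recent if e[2] == sid}
        if len(users) > 1:
            shared[sid] |= users
        ids = {e[2] for e in recent if e[1] == ip}
        if len(ids) >= probe_threshold:
            probers[ip] = sorted(ids)
    return dict(shared), probers

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Users behind a shared NAT address or a user whose address changes mid-session will affect the shared-session result, so tune the window and threshold to the site.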


Here is the advisory sent out by ESC; further details to follow here and related sites (Exploit-DB etc…). For now it is very vague intentionally to give some time for the affected customers to take defensive actions.

8832 Network Security Advisory – February 27, 2015

Purpose of this Notice
On February 18, 2015, white hat ethical hacker and responsible security researcher Balazs Makany (Twitter handle: @Th3R3g3nt) notified ESC that during his work as a cyber-security consultant, he has identified exploitable network security vulnerabilities affecting the browser-based user interface for the ESC 8832 Data Controller. Mr. Makany has shared the details of the exploits with ESC, and ESC has verified that the vulnerabilities exist in the latest firmware version (v3.02) and likely in all previous firmware versions of the 8832 Data Controller.

At the request of Mr. Makany, ESC has agreed to follow a “responsible disclosure” process (http://en.wikipedia.org/wiki/Responsible_disclosure) to allow stakeholders time to assess the risks of the vulnerabilities and take any action that they deem appropriate before the full details of the exploits are published within the cyber security community. Mr. Makany will publish the details of the exploits 90 days after the publication of this advisory.

The purpose of this Security Advisory is to inform users of the 8832 Data Controller that these security vulnerabilities exist and to give you time to assess the risks and address them before the exploits are made public.

The 8832 Browser-Based Interface

The particular vulnerabilities identified involve the seldom-used browser-based web interface on the 8832. For those who are unaware of the browser-based interface, a user can point a standard web browser such as Microsoft Internet Explorer, Firefox, or Google Chrome at the IP address of the 8832. For example, if the 8832’s network IP address is “192.168.1.23” then the user can type “192.168.1.23” with or without the “http” prefix into the address bar of the browser, and the browser will establish an unsecure http connection. If a network path exists between the user’s computer and the 8832, then the user will be asked for a login password. Entering a correct password will bring up a Graphical User Interface (GUI) similar to this:

The browser-based interface grants access to the user depending on the level of password entered, up to and including full access and the ability to modify or delete configuration settings.

Discovered Vulnerabilities
Since the browser-based interface uses HTTP, all communications are sent unencrypted and can easily be read by an electronic eavesdropper along the network path using commonly-available packet capture programs. The exploits that Mr. Makany has identified would allow an attacker to bypass intended access restrictions and impersonate currently active users who have properly logged into a browser-based interface session, inheriting the access rights of the valid user.

No further information will be disclosed about the vulnerabilities at this time. However, 90 days after the publication of this advisory, the full details of these exploits will be published to the public by Mr. Makany.

Recommended Actions
Unfortunately, the 8832 Data Controller is now completely out of code space, and ESC has no technical ability to make any additional changes to the firmware. ESC is therefore unable to provide a firmware revision that addresses the vulnerabilities that Mr. Makany has identified. We recommend that users follow one of the following courses of action:

  • Replace the 8832 with an 8864. To provide improved network security, enhance performance, and provide a sustainable platform into the future, ESC has developed the 8864 Data Controller as a drop-in replacement for the 8832. ESC has been recommending for several years that customers prepare for a transition to the 8864 once it was available. The 8864 has been commercially available for well over a year, and we continue to recommend that our users upgrade as soon as possible. The 8864 utilizes an HTTPS encrypted interface and is not subject to the vulnerabilities that Mr. Makany has identified in the 8832.
  • Block port 80. For those customers who cannot yet upgrade to the 8864 and must continue using the 8832, we recommend that users completely block TCP/IP port 80 on units in the field and forgo the use of the HTTP interface altogether. Taking this approach would involve blocking all port 80 TCP/IP traffic to the 8832 by either establishing firewall rules on existing routers, or by installing a new router with port 80 blocked. The router should be placed between the 8832 and any network that may be a platform for an attack. Blocking port 80 will not impact operations of the 8832 other than the use of the browser-based interface. Some installations of the 8832 may already have port 80 blocked.
  • Don’t log into the browser-based interface. If you are unable to block port 80 and have not yet upgraded to an 8864, then a much less secure approach would be to administratively prohibit any valid users from ever logging on to the 8832 using a web browser via the browser-based interface. If a valid session is never active on the browser-based interface, then it cannot be hijacked.

All 8832 users should be aware that the 8832 utilizes task-based user accounts with passwords that must be shared among all users logging in at the same authorization level. As the device does not require a valid username to be provided during the authentication process, attackers can have a significantly higher success rate when attempting to guess passwords using a brute force attack. ESC recommends that these passwords be changed often.

If you have any additional questions about the network security of the 8832 Data Controller or these specific vulnerabilities, please contact ESC Support at 512-250-7901, supp[email protected], or through the Customer Access Portal (CAP).

In keeping with our “we listened” commitment, we are providing you with a proactive notification of this issue. Please forward any feedback or comments to [email protected].

Environmental Systems Corporation
10801 N MoPac Expy, Bldg 1-200 Austin, TX 78759 512-250-7900 envirosys.com