Kathrein UFSconnect 916 multiple vulnerabilities

Project Description

The UFSconnect series by Kathrein provide a telnet daemon by default without authentication. Since no password is required, anyone can login as root easily. The web service can be overloaded by few parallel requests which can be abused to conduct a simple Denial of Service attack. The access to the web interface is not protected with a login mechanism. Therefore, anyone can control the receiver over the network (or internet).


 

Vendor description

“As a globally leading specialist, Kathrein has unique know-how: our business fields cover a wide range of communication technologies. They produce intelligent solutions for the connected world – and clearly aim to remain a step ahead. We think ahead to the future of communication technology.”

Source: https://www.kathrein.com/en/company/business-fields/

 

Business recommendation

The Kathrein receiver series can be controlled via its web interface. It is intended to control this device also via internet over the Kathrein android or iOS App. Missing authentication enables an attacker to control all Kathrein UFS receivers over the web interface via port 9000/TCP. Actions like switch channel, power off or increase/decrease volume are only few examples. An attacker can also stream channels via port 49152/TCP or a dynamic defined UDP port which depends on the content of the downloaded ‘T*.asx’ file.

SEC Consult recommends not to forward any port of this device to the internet until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Upgrade to newer hardware is recommended since this product line is end-of-life and not longer supported by Kathrein.

 

Vulnerability overview/description

 

1) Unauthenticated root access by default

An attacker can login to the device without password as “root”. Botnets are mostly built by such weak default settings.

 

2) Denial of Service (DoS)

The receiver can be restarted by killing the web-service on the device from remote. This results in a connection loss between the TV and the receiver itself.

 

3) Unauthenticated Control of Receiver over the Network

The receiver can be controlled via web-service by GET-requests. An attacker is able to do the following actions without authentication:

-) Switch the channel
-) Record on a channel
-) Delete records
-) Restart the receiver
-) Watch live-streams by using another UDP-port

 

Proof of concept

The vendor stated that the product line is end-of-life, hence there is no fix available. The proof of concept has been removed from this advisory.

 

Vulnerable / tested versions

UFSconnect 916 Firmware 2.23 Build 224

The firmware of UFSconnect 906 (2.22 Build 349) is partially equal and very similar to the firmware of UFSconnect 916 (2.23 Build 224).

Based on results of the SEC Technologies IoT Inspector (http://www.iot-inspector.com/ – automated firmware analysis tool) we believe that UFSconnect 906 (2.22 Build 349) is also prone to the identified vulnerabilities as well as UFSconnect 916 (2.23 Build 224).

Since controlling the receiver is possible via the Kathrein UFScontrol app on different UFS models, we believe that the following products are also prone to 3) too:
UFS 912, UFS 913, UFS 922, UFS 923, UFS 924, UFS 925, UFS 935, UFS 946

 

Vendor contact timeline

2017-03-21: Sending advisory via secure file-upload to the vendor.
2017-06-07: Asked for status update.
2017-06-09: Vendor answered that he will be reachable at 2017-06-12.
2017-06-12: Call with vendor. Product line is end-of-life (EOL), no fix is planned. Informing vendor that the advisory will be published
without PoC on 2017-07-27.
2017-07-27: Coordinated release of advisory.

 

Solution

Upgrade to newer hardware.

 

Workaround

Set a password for the “root” user.

There is no workaround for the vulnerable web service. Restrict network access of web service. Do not expose this service to the internet.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF T. Weber / @2017

 

Project Details

  • TitleSEC Consult Vulnerability Lab Security Advisory < 20170727-1 > Multiple vulnerabilities
  • ProductKATHREIN - UFSconnect 916, UFSconnect 906
  • Vulnerable version2.23 Build 224, 2.22 Build 349
  • Fixed version--
  • CVE number--
  • ImpactHigh
  • Homepagehttps://www.kathrein.com/de/
  • Found2017-03-06
  • By T. Weber (Office Vienna) SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back