Multiple Vulnerabilities in Siglent Technologies SDS 1202X-E Digital Oscilloscope

Project Description

A digital oscilloscope by Siglent Technologies is affected by multiple vulnerabilities such as hardcoded backdoor accounts or missing authentication. The vendor was unresponsive and did not provide a patch.


Vendor description

SIGLENT is an international high-tech company, concentrating on R&D, sales, production and services of measurement products. As an ISO9001:2000 International Quality Management System and ISO 14001:2004 Environmental Management System Certified company, SIGLENT is also a member of the China Electronic Instrument Industry Association and Guangdong Instrument Representative Association.
[…]
SIGLENT focuses on the electronic test & measurement instrument industry and sees research & development as a core competency, while keeping a strong competitive edge through technology innovation and strict quality control. Try a Siglent product. Then compare the performance and the features to any other model, any other brand. Then compare the price. We believe there is no better value anyplace.

Source: http://www.siglenteu.com/about.aspx

Business recommendation

The identified backdoor accounts are accessible through Telnet, hence a compromise of the device via a local network attack is possible. Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope. Therefore, all procedures which are executed with this device are untrustworthy.

SEC Consult recommends not to use this product within a network of a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved.

The vendor was unresponsive and did not provide a patch.

Vulnerability overview/description

1) Hardcoded Backdoor Accounts

Two backdoor accounts are present on the system. A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN.

The password hashes are hardcoded and are difficult to change for the end user because the “shadow” file is stored on a cramfs (intentionally read-only) file system.

2) Missing Authentication / Design Issue

The software “EasyScopeX” can be used from any computer in the network to configure and interact with the oscilloscope. This is possible without prior authentication which enables everyone to change settings on the oscilloscope.

3) Unencrypted Communication

The software “EasyScopeX” communicates via unencrypted TCP packets with the client computer / oscilloscope.

4) Outdated and Vulnerable Software Components

Multiple software components embedded in the firmware are outdated and found to be vulnerable to various publicly known security issues.

 

Proof of concept

1) Hardcoded Backdoor Accounts

The following password hashes were dumped from “/etc/shadow” by connecting to the UART interface on the PCB:
root
siglent
(The password hashes have been removed from this advisory)

2) Missing Authentication / Design Issue

It is sufficient to install the “EasyScopeX” software and control the oscilloscope without any authentication.

3) Unencrypted Communication

The software “EasyScopeX” communicates in plaintext via various ports by using the portmapper. The default ports are “5024” and “5025”.

4) Outdated and Vulnerable Software Components

Using the IoT Inspector software we found the following outdated and vulnerable components:

  • BusyBox 1.20.1
  • GNU glibc 2.13
  • Linux Kernel 3.19.0

 

Vulnerable / tested versions

The following device / firmware version has been tested:

  • Siglent SDS1202X-E (V5.1.3.13)

It is assumed that other firmware versions are affected as well.

 

Vendor contact timeline

2018-08-22:Contacting German VDE CERT for coordination support.
2018-09-04:Asking for a status update from the vendor.
2018-09-05:VDE CERT: no response from vendor yet.
2018-09-12US sales person from Siglent has answered, VDE CERT is sending advisory to be forwarded to engineering.
2018-10-10Asking for a status update (affected versions, etc).
2018-10-10VDE CERT: asking vendor for update, vendor reply:
“I forwarded it to our VP of Engineering for consideration. The R&D offices are located in China, so I do not have any further visibility or information.”
2018-10-12VDE CERT: if there are no news until end of October, we will release security advisory beginning of November.
2018-11-23VDE CERT: no news from the vendor, planning release.
2018-11-30Public release of security advisory.

Solution

The vendor was unresponsive and did not provide a patch. See workaround section to reduce the attack surface.

 

Workaround

  • Don’t use the LAN interface or if needed use only in trusted networks
  • Connect to the UART interface and place a script which closes port 23 on the device during bootup if Telnet is not used.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF T. Weber / @2018

 

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleMultiple Vulnerabilities
  • ProductSiglent Technologies SDS 1202X-E Digital Oscilloscope
  • Vulnerable versionV5.1.3.13
  • Fixed version-
  • CVE number-
  • ImpactHigh
  • Homepagehttp://siglenteu.com https://www.siglent.eu https://www.siglentamerica.com
  • Found2018-08-06
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back