HackDig : Dig high-quality web security articles


Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit

2022-05-28 21:26
Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
Advisory ID: ZSL-2022-5707
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 29.05.2022
Summary
The C-Bus Network Automation Controller (5500NAC) and the Wiser for C-Bus Automation Controller (5500SHAC) are advanced controllers from Schneider Electric. They are specifically designed to unite the C-Bus home automation solution with common household communication protocols, from lighting and climate control to security, entertainment and energy metering. The Wiser for C-Bus Automation Controller manages and controls C-Bus systems for residential homes or zones within a building and integrates functions such as heating/cooling, energy/load monitoring and remote control for C-Bus and Modbus.
Description
The automation controller suffers from an authenticated arbitrary command execution vulnerability. An attacker can abuse the Start-up (init) script editor and exploit the 'script' POST parameter to insert malicious Lua script code and execute commands with root privileges, which grants full control of the device.
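Because the init script editor is a legitimate administrative feature, the practical defensive control is to log and review every use of it. The following is an added example (not part of the advisory or the PoC) that scans nginx access log lines for POST requests to the /scada-main/scripting/ path named in the vendor's response and rates each one by whether the source lies inside an allowed management network; the "combined" log format, the "init" endpoint name and the sample lines are all constructed assumptions.

```python
"""Added detection helper: flag use of the C-Bus controller's start-up (init)
script editor in nginx access logs so script pushes can be matched to change records."""
import ipaddress
import re

# nginx "combined" log format is assumed; the controller's real log format is
# not stated in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefix named in the vendor's response; the endpoint under it ("init"
# in the samples) is a constructed placeholder, not a documented URL.
SCRIPT_EDITOR_PREFIX = "/scada-main/scripting/"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_script_edits(lines, management_nets):
    """Return one finding per POST to the scripting editor as
    (timestamp, source_ip, path, severity): 'high' when the source is
    outside the allowed management networks, 'review' when inside them
    (an admin pushed a script; check it against the change record)."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(SCRIPT_EDITOR_PREFIX):
            continue
        src = ipaddress.ip_address(rec["ip"])
        inside = any(src in net for net in nets)
        findings.append((rec["ts"], rec["ip"], rec["path"],
                         "review" if inside else "high"))
    return findings

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2022:21:20:01 +0000] "GET /scada-main/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/May/2022:21:21:10 +0000] "POST /scada-main/scripting/init HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2022:21:26:33 +0000] "POST /scada-main/scripting/init HTTP/1.1" 200 88 "-" "python-requests/2.27"',
    '203.0.113.7 - - [28/May/2022:21:26:34 +0000] "GET /scada-main/scripting/ HTTP/1.1" 200 2048 "-" "python-requests/2.27"',
]
```

Calling `find_script_edits(SAMPLE_LOG, ["10.0.0.0/24"])` yields two findings: the in-network push rated "review" and the one from 203.0.113.7 rated "high".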
Vendor
Schneider Electric SE - https://www.se.com
Affected Version
CLIPSAL 5500SHAC (i.MX28)
CLIPSAL 5500NAC (i.MX28)
SW: 1.10.0, 1.6.0
HW: 1.0
Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
SpaceLogic C-Bus
Tested On
CPU model: ARM926EJ-S rev 5 (v5l)
GNU/Linux 4.4.115 (armv5tejl)
LuaJIT 2.0.5
FlashSYS v2
nginx
Vendor Status
[12.03.2022] Vulnerability discovered.
[15.03.2022] Sent details to vendor.
[17.03.2022] Vendor creates case SE-6201, starts investigation.
[25.03.2022] Asked vendor for status update.
[26.03.2022] Vendor responds, assessment is still ongoing.
[30.03.2022] Vendor cannot reproduce with provided info, requests proof of execution.
[31.03.2022] Sent encrypted PoC script to the vendor.
[31.03.2022] Vendor receives PoC, starts analysis.
[11.04.2022] Asked vendor for confirmation and status update.
[11.04.2022] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.
[20.04.2022] Asked vendor for confirmation and scheduled patch release date.
[21.04.2022] Vendor confirms SE-6201, working on action plan.
[22.04.2022] Vendor responds: The product team has not accepted this report as a valid vulnerability due to the following analysis:
The python script mentioned in the report uses the /scada-main/scripting/ editor to execute the lua script to gain remote access to the controller. However, to achieve this, the attacker needs to provide the administrator credentials to execute the script. So, this can be done only when the attacker has the administrator credentials with him. In order to prevent attackers from obtaining administrator credentials, the product implements the following measures to make passwords difficult to brute force.
Force a user to change the default password the very first time they log in to the controller.
Uses of a strong password (Combination of characters with uppercase letter, lowercase letter and digit)
Block access to the controller after certain wrong login attempts.
[22.04.2022] Replied to the vendor. Asked vendor to assign SeeVeeE.
[30.04.2022] Asked vendor for status update.
[02.05.2022] Vendor closes SE-6201 (not a vuln).
[29.05.2022] Public security advisory released.
PoC
c-bus.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
N/A
Changelog
[29.05.2022] - Initial release
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk


Source: www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php
