CVE-2021-28910 BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 contains a basic SSRF vulnerability. It allows unauthenticated attackers to send requests to any internal and external server

Overview

  • CVE: CVE-2021-28910
  • Author: psytester
  • Title: BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 contains a basic SSRF vulnerability. It allows unauthenticated attackers to send requests to any internal and external server
  • Vulnerability Type: CWE-918 Server-Side Request Forgery (SSRF)
  • CVSSv3.1 Base Score: 7.5
  • CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  • Publishing Date: 08.09.2021
  • Updated: –

  • Vendor and manufacturer: BAB TECHNOLOGIE GmbH
    • Product: eibPort V3
  • Brand labeled vendor: ABB Asea Brown Boveri Ltd and its Spanish label NIESSEN
    • Product: EIB-Port LAN Gateway 9637.1 and other names
  • Brand labeled vendor: Hager Group and its label Berker GmbH & Co. KG
    • Product: IP-Control KNX 75710004 / 75710036
  • Brand labeled vendor: INTERRA
    • Product: IP Control

Timeline:

  • Vendor BAB TECHNOLOGIE contacted: 04.03.2021
    • Vendor confirmation: 11.03.2021
    • Some e-mail updates by vendor and calls until final release of firmware 3.9.1
    • Vendor patch: 3.9.1 since August 2021
    • Vendor Reference: general hint in changelog
    • Affected Firmware version: 3.8.3 and before
  • Vendor ABB contacted: 22.06.2021
  • Vendor Hager/Berker contacted: 22.06.2021
    • Vendor Hager/Berker reminder: 18.08.2021
    • Vendor confirmation: N.A. due to no response
    • Vendor patch: not expected, as the product is listed as a discontinued model
  • Vendor INTERRA contacted: 20.08.2021
    • Vendor confirmation: N.A. due to no response

Background

From vendor’s website:
The EIBPORT connects KNX or EnOcean building control with the IP world.
[…]
Whether simple or complex – use over 50 integrated services for almost all automation tasks in building automation. Program your own control sequences with the graphical LOGIKEDITOR or integrate third-party applications such as Amazon® Alexa. […]
Via a secure connection, you can also control and maintain the EIBPORT remotely. […]
On request, the EIBPORT also functions as an IP router in the KNX installation and as a programming interface to the ETS.
[…]

Issue Description

This CVE is part of the whole story of analysing the eibPort to gain root SSH access.
Unauthenticated attackers can perform basic SSRF.
Technical details will not be published for the time being. This might be done in a few months.

CVE

CVE-2021-28910

CVSSv3.1 Base Score

CVSSv3.1 Base Score: 7.5

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Credit

This time just me :-)

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2021 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on September 8, 2021