CVE-2021-28912 BAB TECHNOLOGIE GmbH eibPort V3. Each device has its own unique hard coded and weak root SSH key passphrase known as 'eibPort string'. This is usable and the final part of an attack chain to gain SSH root access.

Overview

  • CVE: CVE-2021-28912
  • Author: psytester
  • Title: BAB TECHNOLOGIE GmbH eibPort V3. Each device has its own unique hard coded and weak root SSH key passphrase known as ‘eibPort string’. This is usable and the final part of an attack chain to gain SSH root access.
  • Vulnerability Type:
    • CWE-798: Use of Hard-coded Credentials
    • CWE-521: Weak Password Requirements
  • CVSSv3.1 Base Score: 6.8
  • CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/RL:O/RC:C
  • Publishing Date: 08.09.2021
  • Updated: –

  • Vendor and manufacturer: BAB TECHNOLOGIE GmbH
    • Product: eibPort V3
  • Brand labeled vendor: ABB Asea Brown Boveri Ltd and its Spanish label NIESSEN
    • Product: EIB-Port LAN Gateway 9637.1 and other names
  • Brand labeled vendor: Hager Group and its label Berker GmbH & Co. KG
    • Product: IP-Control KNX 75710004 / 75710036
  • Brand labeled vendor: INTERRA
    • Product: IP Control

Timeline:

  • Vendor BAB TECHNOLOGIE contacted: 04.03.2021
    • Vendor confirmation: 11.03.2021
    • Some e-mail updates by vendor and calls until final release of firmware 3.9.1
    • Vendor patch: N.A. since this is device specific. A firmware update will not change it for now; a newer device production process will change it.
    • Vendor Reference: N.A.
    • Affected Firmware version: 3.9.1 and before
  • Vendor ABB contacted: 22.06.2021
  • Vendor Hager/Berker contacted: 22.06.2021
    • Vendor Hager/Berker reminder: 18.08.2021
    • Vendor confirmation: N.A. due to no response
    • Vendor patch: not expected, as the product is listed as a discontinued model
  • Vendor INTERRA contacted: 20.08.2021
    • Vendor confirmation: N.A. due to no response

Background

From vendor’s website:
The EIBPORT connects KNX or EnOcean building control with the IP world.
[…]
Whether simple or complex – use over 50 integrated services for almost all automation tasks in building automation. Program your own control sequences with the graphical LOGIKEDITOR or integrate third-party applications such as Amazon® Alexa. […]
Via a secure connection, you can also control and maintain the EIBPORT remotely. […]
On request, the EIBPORT also functions as an IP router in the KNX installation and as a programming interface to the ETS.
[…]

Issue Description

This CVE is part of the larger analysis of the eibPort aimed at gaining root SSH access.
Each device has its own unique, hard-coded and weak root SSH key passphrase known as the ‘eibPort string’.
The passphrase is written during the initialization phase of production at the vendor and cannot be changed by firmware updates.
This is usable as, and is the final part of, an attack chain to gain SSH root access.
Technical details will not be published for the time being; they may follow in a few months.

Later production runs are expected to receive a stronger passphrase.

CVE

CVE-2021-28912

CVSSv3.1 Base Score

CVSSv3.1 Base Score: 6.8

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/RL:O/RC:C

Credit

This time just me :-)

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2021 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on September 8, 2021