CVE-2021-28913 BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers to access /webif/SecurityModule to validate the so-called and hard-coded unique 'eibPort String', which acts as the root SSH key passphrase. This is usable as part of an attack chain to gain SSH root access.

Overview

  • CVE: CVE-2021-28913
  • Author: psytester
  • Title: BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers to access /webif/SecurityModule to validate the so-called and hard-coded unique ‘eibPort String’, which acts as the root SSH key passphrase. This is usable as part of an attack chain to gain SSH root access.
  • Vulnerability Type: CWE-306 Missing Authentication for Critical Function
  • CVSSv3.1 Base Score: 9.8
  • CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  • Publishing Date: 08.09.2021
  • Updated: –

  • Vendor and manufacturer: BAB TECHNOLOGIE GmbH
    • Product: eibPort V3
  • Brand labeled vendor: ABB Asea Brown Boveri Ltd and its Spanish label NIESSEN
    • Product: EIB-Port LAN Gateway 9637.1 and other names
  • Brand labeled vendor: Hager Group and its label Berker GmbH & Co. KG
    • Product: IP-Control KNX 75710004 / 75710036
  • Brand labeled vendor: INTERRA
    • Product: IP Control

Timeline:

  • Vendor BAB TECHNOLOGIE contacted: 04.03.2021
    • Vendor confirmation: 11.03.2021
    • Some e-mail updates by vendor and calls until final release of firmware 3.9.1
    • Vendor patch: 3.9.1 since August 2021
    • Vendor Reference: general hint in changelog
    • Affected Firmware version: 3.8.3 and before
  • Vendor ABB contacted: 22.06.2021
  • Vendor Hager/Berker contacted: 22.06.2021
    • Vendor Hager/Berker reminder: 18.08.2021
    • Vendor confirmation: N.A. due to no response
    • Vendor patch: not expected, as the product is listed as discontinued model
  • Vendor INTERRA contacted: 20.08.2021
    • Vendor confirmation: N.A. due to no response

Background

From vendor’s website:
The EIBPORT connects KNX or EnOcean building control with the IP world.
[…]
Whether simple or complex – use over 50 integrated services for almost all automation tasks in building automation. Program your own control sequences with the graphical LOGIKEDITOR or integrate third-party applications such as Amazon® Alexa. […]
Via a secure connection, you can also control and maintain the EIBPORT remotely. […]
On request, the EIBPORT also functions as an IP router in the KNX installation and as a programming interface to the ETS.
[…]

Issue Description

This CVE is part of the whole story of analysing the eibPort to gain root SSH access.
Unauthenticated attackers have uncontrolled access to the eibPort String validation service at /webif/SecurityModule, which permits a brute-force attack.
The hard-coded unique ‘eibPort String’ acts as the root SSH key passphrase.
This is usable as part of an attack chain to gain SSH root access.
Technical details will not be published for the time being. This might be done in some months.
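
A detection sketch for the brute-force exposure described above, added here as an example and not part of the original advisory or the vendor's software. It assumes a reverse proxy or firewall in front of the device writes Common Log Format lines; only the path /webif/SecurityModule comes from the advisory, while the function name, threshold, window and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Path named in the advisory; log format and thresholds are assumptions.
TARGET_PATH = "/webif/SecurityModule"
# Assumed: Common Log Format lines from a reverse proxy in front of the device.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" \d{3}')

def find_validation_bursts(lines, threshold=5, window_s=60):
    """Return {source: peak count} for sources that sent at least `threshold`
    requests to TARGET_PATH within any sliding window of `window_s` seconds.
    Lines are expected in chronological order, as a log file provides them."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format
        path = m.group("uri").split("?", 1)[0]
        if path != TARGET_PATH and not path.startswith(TARGET_PATH + "/"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample lines (documentation address ranges; method, status and
# size fields are placeholders, not observed device behaviour).
SAMPLE = [
    f'203.0.113.7 - - [08/Sep/2021:10:00:{s:02d} +0000] "POST /webif/SecurityModule HTTP/1.1" 200 12'
    for s in range(0, 16, 2)
] + [
    '198.51.100.4 - - [08/Sep/2021:10:00:05 +0000] "GET /webif/SecurityModule HTTP/1.1" 200 12',
    '198.51.100.4 - - [08/Sep/2021:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [08/Sep/2021:10:09:05 +0000] "GET /webif/SecurityModule HTTP/1.1" 200 12',
    'not a log line',
]

if __name__ == "__main__":
    for src, peak in find_validation_bursts(SAMPLE).items():
        print(f"ALERT {src}: {peak} requests to {TARGET_PATH} within 60s")
```

Since no authenticated client should need to call this service repeatedly, a low threshold is reasonable; on unpatched or discontinued brand-labelled units the same rule can drive a block at the proxy.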

CVE

CVE-2021-28913

CVSSv3.1 Base Score

CVSSv3.1 Base Score: 9.8

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Credit

This time just me :-)

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2021 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on September 8, 2021