Analysing BAB TECHNOLOGIE eibport V3 to gain root SSH access

Because of the blind hit with CVE-2020-24573 in BAB TECHNOLOGIE GmbH eibPort V3 for a simple Denial of Service
and the gpg protected firmware file, I was in the mode of “challenge accepted”.

Almost all IoT devices have some security issues, don’t they?
A search for vulnerability reports may or may not be successful.
Is the product secure if there are no vulnerability reports? Has anyone tried it yet and published?

But spending around 1200 € on a device just to hack it? Thanks to online shopping with 14 days right of rescission … yes, finally I did it and it was worth it for both sides.

By design, there are good protections built in, now they’re getting even better.
It was me a pleasure to move forward, to touch and to overcome the barriers.
I got some new insights. At the end I reported 10 issues, from which concretely 6 CVEs will be published.
The manufacturer has identified further 10 issues internally.

As agreed with the manufacturer, further details will follow in a few months only.

To protect your system, update to at least (current) firmware v3.9.1 and setup a strong password.
Change your current password and follow the instructions if your current password does not meet the now enforced minimum requirements.

The impact of the vulnerabilities is not only limited to this special device.
BAB TECHNOLOGIE GmbH is the vendor and manufacturer of the product eibPort V3.
But the same device can be found on different brand labeled vendors:

By now here is the list of identified and published vulnerabilities only:

CVE-2021-28909

CVE-2021-28910

CVE-2021-28911

CVE-2021-28912

CVE-2021-28913

CVE-2021-28914

Timeline

2021-09-16 post started
2022-xx-xx more technical details are comming

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2021 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on September 16, 2021