Analysing BAB TECHNOLOGIE eibport V3 to gain root SSH access
Because of the blind hit with CVE-2020-24573 in BAB TECHNOLOGIE GmbH eibPort V3 for a simple Denial of Service
and the gpg protected firmware file, I was in the mode of “challenge accepted”.
Almost all IoT devices have some security issues, don’t they?
A search for vulnerability reports may or may not be successful.
Is the product secure if there are no vulnerability reports? Has anyone tried it yet and published?
But spending around 1200 € on a device just to hack it? Thanks to online shopping with 14 days right of rescission … yes, finally I did it and it was worth it for both sides.
By design, there are good protections built in, now they’re getting even better.
It was me a pleasure to move forward, to touch and to overcome the barriers.
I got some new insights. At the end I reported 10 issues, from which concretely 6 CVEs will be published.
The manufacturer has identified further 10 issues internally.
As agreed with the manufacturer, further details will follow in a few months only.
To protect your system, update to at least (current) firmware v3.9.1 and setup a strong password.
Change your current password and follow the instructions if your current password does not meet the now enforced minimum requirements.
The impact of the vulnerabilities is not only limited to this special device.
BAB TECHNOLOGIE GmbH is the vendor and manufacturer of the product eibPort V3.
But the same device can be found on different brand labeled vendors:
- “ABB” (Asea Brown Boveri Ltd) and its spain label “ABB/NIESSEN” with its product EIB-Port LAN Gateway 9637.1 and other names
–> An update is available, refer to ABB Security Advisory as 2021-09-07: Cybersecurity Advisory - EIBPORT vulnerabilities at https://global.abb/group/en/technology/cyber-security/alerts-and-notifications
- Hager Group and its label Berker GmbH & Co. KG with its product IP-Control KNX 75710004 / 75710036 – here the product is a discontinued model and not updates are expected anymore.
–> Latest firmware is FW_IPC3-1.9.3.ZIP called “Firmware-Update für IP-Control (R9 V1.9.3, 2019-10)” from 2019 but is internally from May 2018
- INTERRA with its product IP Control
–> I don’t know, if they are still supported by the updates
By now here is the list of identified and published vulnerabilities only:
2021-09-16 post started
2022-xx-xx more technical details are comming
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2021 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.