VU#167623: SHDesigns Resident Download Manager does not authenticate firmware downloads

Date: 2017-01-31
Source: www.kb.cert.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.007 Low (Percentile 80.4%)

Overview

SHDesigns’ Resident Download Manager (as well as the Ethernet Download Manager) does not authenticate firmware downloads before executing code and deploying them to devices.

Description

CWE-494: Download of Code Without Integrity Check - CVE-2016-6567

SHDesigns’ Resident Download Manager provides firmware update capabilities for Rabbit 2000/3000 CPU boards, which according to the reporter may be used in some industrial control and embedded applications.

The Resident Download Manager does not verify that the firmware is authentic before executing code and deploying the firmware to devices. A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.

According to SHDesigns’ website, the Resident Download Manager and other Rabbit Tools have been discontinued since June 2011.


Impact

A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.

According to the reporter, affected users may disable the network update feature. It is also possible that developers of products using the Resident Download Manager could write a download verification wrapper around the Resident Download Manager library, but this may not be practical in all scenarios.
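To make the "download verification wrapper" idea concrete, here is an added example (not SHDesigns code and not the Resident Download Manager API) of the gate such a wrapper would place in front of the loader: every received image is checked for authenticity and exact length before a single byte of it reaches the firmware-apply routine. The image layout (magic, length, HMAC-SHA256 tag, body), the provisioned key and the `apply_firmware` callback are all assumptions constructed for this example.

```python
"""Firmware download verification wrapper (added example, not SHDesigns code).

Assumed image layout, constructed for this example:
    magic   4 bytes   b"RDMF"
    length  4 bytes   big-endian body length
    tag    32 bytes   HMAC-SHA256(key, magic || length || body)
    body    N bytes   firmware payload
"""
import hashlib
import hmac
import struct

MAGIC = b"RDMF"
HEADER = struct.Struct(">4sI")          # magic, body length
TAG_LEN = hashlib.sha256().digest_size  # 32


class FirmwareRejected(Exception):
    """Raised when an image fails any check; the loader is never called."""


def build_image(key: bytes, body: bytes) -> bytes:
    """Producer side: wrap a payload in the assumed header + MAC format."""
    hdr = HEADER.pack(MAGIC, len(body))
    tag = hmac.new(key, hdr + body, hashlib.sha256).digest()
    return hdr + tag + body


def verify_image(key: bytes, image: bytes) -> bytes:
    """Return the verified body, or raise FirmwareRejected.

    Checks are ordered so that a malformed image is rejected before any
    cryptographic work, and the MAC covers the header as well as the body
    so a length field cannot be altered independently of the payload.
    """
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("image too short")
    hdr = image[:HEADER.size]
    magic, length = HEADER.unpack(hdr)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    tag = image[HEADER.size:HEADER.size + TAG_LEN]
    body = image[HEADER.size + TAG_LEN:]
    if len(body) != length:
        raise FirmwareRejected("length mismatch")   # truncated or padded
    expected = hmac.new(key, hdr + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        raise FirmwareRejected("MAC mismatch")
    return body


def receive_and_apply(key: bytes, image: bytes, apply_firmware) -> bool:
    """Gate the (assumed) loader: only a verified body reaches apply_firmware."""
    try:
        body = verify_image(key, image)
    except FirmwareRejected:
        return False                                # drop silently, nothing applied
    apply_firmware(body)
    return True


if __name__ == "__main__":
    # Constructed demo: a device key provisioned at manufacture and one payload.
    device_key = bytes(range(32))
    good = build_image(device_key, b"constructed firmware payload")
    applied = []
    print("genuine image applied:", receive_and_apply(device_key, good, applied.append))
    tampered = bytearray(good)
    tampered[-1] ^= 0xFF                            # flip one payload byte
    print("tampered image applied:", receive_and_apply(device_key, bytes(tampered), applied.append))
    print("images that reached the loader:", len(applied))
```

HMAC with a per-device key is used here only because it needs nothing beyond the standard library; it means a secret must live on the device, so where devices can be physically recovered a public-key signature (for example Ed25519) over the same header and body is the better choice, since the device then holds only a public key. Either way the essential property is the same as in the example: the loader is reachable only through `receive_and_apply`, and an image that fails any check is discarded before it is written or executed.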


Affected users may also consider the following workaround:

Restrict network access

Restrict network access to the device containing the Rabbit CPU and Resident Download Manager to a secured LAN segment.


Vendor Information


AddOn Technologies: Affected

Notified: January 20, 2017 Updated: February 01, 2017

Statement Date: January 31, 2017

Status

Affected

Vendor Statement

`This vulnerability was addressed in the basic design of our Addon keypad since
its inception. The SH Designs program cannot be used to modify the firmware in
our keypad without specialized knowledge of specific procedures necessary to
initiate a firmware replacement.

We have further strengthened the procedure as of firmware version 5.5.05 to
include the necessity to also enter the administrator password to initiate a
firmware replacement.

To identify which type of protection your keypad has, verify the program
version in the keypad by looking at the printed header at power-up.

To be clear, the SH Designs program that has the vulnerability would normally
only be used by trained service personnel on a very infrequent basis. Field
updates to the firmware in the keypad are not often done. Also, specific
knowledge of the keypad operation is necessary to use the SH Designs program to
perform a firmware update. Furthermore, the knowledge and time investment
necessary to create and install a program that might be able to perform a
malicious action with an embedded processor like the one used in our keypad
creates a very unlikely scenario that it would ever be attempted. Our product
does not even use a standard operating system. The keypad is also normally used
in a secure location that would have UDP access restricted at the router to the
subnet level.`

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dataprobe, Inc.: Affected

Notified: April 07, 2017 Updated: April 07, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

We have reached out to the vendor regarding the SHDesigns RDM vulnerability.

Additionally, the cookie authentication bypass vulnerability reported in the tmcnet.com blog was assigned CVE IDs as follows:

`CVE-2007-6759 = Dataprobe iBootBar (with 2007-09-20 and possibly later
released firmware) allows remote attackers to bypass authentication,
and conduct power-cycle attacks on connected devices, via a DCRABBIT
cookie.

CVE-2007-6760 = Dataprobe iBootBar (with 2007-09-20 and possibly later
beta firmware) allows remote attackers to bypass authentication, and
conduct power-cycle attacks on connected devices, via a DCCOOKIE
cookie.`

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23167623 Feedback>).

SHDesigns: Affected

Notified: January 13, 2017 Updated: January 26, 2017

Statement Date: January 13, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cobham plc: Unknown

Notified: December 05, 2016 Updated: December 05, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Grass Valley: Unknown

Notified: January 20, 2017 Updated: January 20, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IDC Corporation: Unknown

Notified: January 20, 2017 Updated: January 20, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Maguire: Unknown

Notified: January 20, 2017 Updated: January 20, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8      E:POC/RL:U/RC:UR
Environmental  6.0    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Nolan Ray of NCC Group for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-6567, CVE-2007-6759, CVE-2007-6760
Date Public: 2017-01-31 Date First Published:
