Summary: Rittal has addressed critical vulnerabilities in their IoT Interface and CMC III Processing Unit that could allow unauthorized access and malicious code execution. Discovered by SEC Consult, these flaws highlight serious security risks associated with firmware upgrades and session management.
Threat Actor: Unknown | unknown
Victim: Rittal | Rittal
Key Point :
- Improper Signature Verification of Firmware Upgrades (CVE-2024-47943) allows attackers to craft malicious firmware updates.
- Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944) enables unauthenticated code execution via physical access.
- Predictable Session ID (CVE-2024-47945) leads to session hijacking due to insufficient entropy in session ID generation.
- Proof-of-concept code demonstrates real-world exploit scenarios for these vulnerabilities.
- Rittal has released a patched version (V6.21.00.2) and urges immediate updates to affected devices.
Rittal, a leading provider of industrial automation solutions, has addressed multiple vulnerabilities in their IoT Interface and CMC III Processing Unit. Discovered by Johannes Kruchem of SEC Consult Vulnerability Lab, these flaws could allow attackers to gain unauthorized access and execute malicious code on affected devices.
“Multiple security vulnerabilities have been identified in the Rittal IoT Interface and the CMC III Processing Unit, which could allow attackers to compromise the system and gain unauthorized access,” warns the advisory.
Vulnerabilities Unveiled:
The identified vulnerabilities include:
-
Improper Signature Verification of Firmware Upgrades (CVE-2024-47943): The firmware upgrade function utilizes a flawed signature verification process, allowing attackers to craft malicious firmware updates that appear legitimate. “The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download,” explains the advisory. This enables attackers to execute arbitrary code on the device during an upgrade.
Missing Protection Mechanism for Alternate Hardware Interface (CVE-2024-47944): The device lacks proper authentication when handling firmware updates from USB sticks or SD cards. This, combined with the flawed signature verification, allows for unauthenticated code execution by physically accessing the device.
Predictable Session ID (CVE-2024-47945): The session ID generation mechanism suffers from insufficient entropy, making session IDs predictable. “The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions,” states the advisory. This vulnerability enables session hijacking, allowing attackers to take over user sessions.
Proof of Concept: Real-World Exploit Scenarios
The advisory provides proof-of-concept (PoC) code that demonstrates how attackers can exploit these vulnerabilities. For instance, CVE-2024-47943 shows how to create a malicious firmware update that bypasses the signature verification, while CVE-2024-47945 includes a PoC script capable of performing an online brute-force attack to crack session IDs. The PoC code illustrates how these vulnerabilities can be exploited by both remote and physical attackers to compromise the Rittal IoT Interface and CMC III Processing Unit.
Impact and Remediation:
These vulnerabilities affect Rittal IoT Interface (3124.300) and CMC III Processing Unit (7030.000) versions prior to V6.21.00.2. Rittal has released a patched version (V6.21.00.2) to address these issues and urges users to update their devices immediately.