
CERT Coordination Center


SHDesigns Resident Download Manager does not authenticate firmware downloads

Vulnerability Note VU#167623

Original Release Date: 2017-01-31 | Last Revised: 2017-04-07

Overview

SHDesigns' Resident Download Manager (as well as the Ethernet Download Manager) does not authenticate firmware downloads before executing code and deploying them to devices.

Description

CWE-494: Download of Code Without Integrity Check - CVE-2016-6567

SHDesigns' Resident Download Manager provides firmware update capabilities for Rabbit 2000/3000 CPU boards, which according to the reporter may be used in some industrial control and embedded applications.

The Resident Download Manager does not verify that the firmware is authentic before executing code and deploying the firmware to devices. A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.

According to SHDesigns' website, the Resident Download Manager and other Rabbit Tools have been discontinued since June 2011.

Impact

A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

According to the reporter, affected users may disable the network update feature. Developers of products that use the Resident Download Manager may also be able to write a download verification wrapper around the Resident Download Manager library, so that an image is authenticated before it is handed to the library, though this may not be practical in all scenarios.
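As an added illustration of such a wrapper (not SHDesigns code, and not the library's API), the example below frames a firmware image with a header and an HMAC-SHA256 tag and refuses to pass anything to the programming routine until the image has been checked as complete, authentic and not a downgrade. The image layout, the shared key and the `flash_writer` hand-off are all assumptions made for the example; a device that can carry a public key would use a signature instead of a shared-key MAC.

```python
"""Added example: authenticate a firmware image before any download manager
sees it. Image layout, key and hand-off function are constructed assumptions."""
import hmac
import hashlib
import struct

MAGIC = b"FWUP"                   # constructed 4-byte image marker
HEADER = struct.Struct(">4sII")   # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size


class FirmwareRejected(Exception):
    """Raised for any image that must not reach the download manager."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Producer side: header + payload, then an HMAC-SHA256 tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, min_version: int) -> tuple:
    """Return (version, payload) only if the image is complete, authentic and
    not older than the installed firmware; raise FirmwareRejected otherwise."""
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("truncated image")
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    if len(image) != HEADER.size + length + TAG_LEN:
        raise FirmwareRejected("length field does not match image size")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Header and payload are authenticated together, so neither the version
    # nor the code can be altered in transit; compare_digest is constant-time.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise FirmwareRejected("authentication tag mismatch")
    if version < min_version:
        raise FirmwareRejected("downgrade to older firmware refused")
    return version, body[HEADER.size:]


def apply_update(key: bytes, image: bytes, installed_version: int, flash_writer) -> int:
    """Gate: only a verified payload reaches flash_writer, which stands in for
    the download manager's programming routine (an assumed interface)."""
    version, payload = verify_image(key, image, installed_version)
    flash_writer(payload)
    return version
```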

Affected users may also consider the following workaround:

Restrict network access

Restrict network access to the device containing the Rabbit CPU and Resident Download Manager to a secured LAN segment.

Vendor Information


AddOn Technologies

Notified: January 20, 2017 | Updated: February 01, 2017

Statement Date: January 31, 2017

Status

  Affected

Vendor Statement

This vulnerability was addressed in the basic design of our Addon keypad since
its inception. The SH Designs program cannot be used to modify the firmware in
our keypad without specialized knowledge of specific procedures necessary to
initiate a firmware replacement.

We have further strengthened the procedure as of firmware version 5.5.05 to
include the necessity to also enter the administrator password to initiate a
firmware replacement.

To identify which type of protection your keypad has, verify the program
version in the keypad by looking at the printed header at power-up.

To be clear, the SH Designs program that has the vulnerability would normally
only be used by trained service personnel on a very infrequent basis. Field
updates to the firmware in the keypad are not often done. Also, specific
knowledge of the keypad operation is necessary to use the SH Designs program to
perform a firmware update. Furthermore, the knowledge and time investment
necessary to create and install a program that might be able to perform a
malicious action with an embedded processor like the one used in our keypad
creates a very unlikely scenario that it would ever be attempted. Our product
does not even use a standard operating system. The keypad is also normally used
in a secure location that would have UDP access restricted at the router to the
subnet level.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Dataprobe, Inc.

Notified: April 07, 2017 | Updated: April 07, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blog.tmcnet.com/blog/tom-keating/computer-hardware/dataprobe-ibootbar-review.asp

Addendum

We have reached out to the vendor regarding the SHDesigns RDM vulnerability.

Additionally, the cookie authentication bypass vulnerability reported in the tmcnet.com blog was assigned CVE IDs as follows:

CVE-2007-6759 = Dataprobe iBootBar (with 2007-09-20 and possibly later
released firmware) allows remote attackers to bypass authentication,
and conduct power-cycle attacks on connected devices, via a DCRABBIT
cookie.

CVE-2007-6760 = Dataprobe iBootBar (with 2007-09-20 and possibly later
beta firmware) allows remote attackers to bypass authentication, and
conduct power-cycle attacks on connected devices, via a DCCOOKIE
cookie.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SHDesigns

Notified: January 13, 2017 | Updated: January 26, 2017

Statement Date: January 13, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cobham plc

Notified: December 05, 2016 | Updated: December 05, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Grass Valley

Notified: January 20, 2017 | Updated: January 20, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IDC Corporation

Notified: January 20, 2017 | Updated: January 20, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Maguire

Notified: January 20, 2017 | Updated: January 20, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8.0     E:POC/RL:U/RC:UR
Environmental  6       CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Nolan Ray of NCC Group for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-6567, CVE-2007-6759, CVE-2007-6760
Date Public: 2017-01-31
Date First Published: 2017-01-31
Date Last Updated: 2017-04-07 20:03 UTC
Document Revision: 53

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.