Vulnerability Note VU#428280
CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilities
CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilities.
CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:
- As with all our products, this product has been certified as compliant to the required European standard EN-50136
CWE-255: Credentials Management - CVE-2015-7287
CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.
CWE-912: Hidden Functionality - CVE-2015-7288
CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.
The CVSS score reflects CVE-2015-7286.
A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally.
The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CSL DualCom | Unknown | 26 Oct 2015 | 20 Nov 2015 |

CVSS Metrics
Thanks to Andrew Tierney for reporting these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2015-7285 CVE-2015-7286 CVE-2015-7287 CVE-2015-7288
- Date Public: 23 Nov 2015
- Date First Published: 23 Nov 2015
- Date Last Updated: 23 Nov 2015
- Document Revision: 28