Vulnerability Note VU#428280
CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilities
CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilities.
CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:
- As with all our products, this product has been certified as compliant to the required European standard EN-50136
For the full vendor statement, refer to the Vendor Information section below.
For full details about the vulnerabilities and their discovery, refer to the researcher's disclosure.
CWE-287: Improper Authentication - CVE-2015-7285
Communications between CS2300-R SPTs and ARC polling servers are not mutually authenticated. Consequently, the SPT cannot confirm the authenticity of messages received from ARC servers. An attacker capable of performing man-in-the-middle (MITM) attacks can spoof responses that will be accepted as valid by vulnerable SPTs.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2015-7286
Communications between CS2300-R SPTs and ARC servers are encrypted using a proprietary encryption scheme. The researcher identifies a number of issues by which messages can be decrypted or otherwise manipulated, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications in either direction. Combined with the lack of mutual authentication described above, a capable attacker may be able to spoof or block any messages between the endpoints in either direction.
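As an added illustration (not code from this advisory, from the researcher, or from CSL DualCom), the following constructed Python model shows what the missing mutual authentication in CVE-2015-7285 means in practice and how a keyed check closes it: with a per-device HMAC key, a role label and the poll's sequence number bound into each tag, the SPT rejects a forged or reflected ARC reply, whereas the unauthenticated model accepts any reply that merely carries the expected sequence number. The key, message layout and role labels are assumptions for the demonstration, not the device's actual protocol.

```python
import hmac
import hashlib
import struct

# Constructed placeholder: a per-device secret provisioned to both the SPT and the ARC.
DEVICE_KEY = b"example-per-device-key-placeholder"
TAG_LEN = 16  # truncated HMAC-SHA256, a common size for constrained links


def make_tag(key: bytes, role: bytes, seq: int, body: bytes) -> bytes:
    """MAC over role || seq || body. The role label stops an attacker from
    reflecting an SPT-generated tag back to the SPT as if it came from the ARC."""
    msg = role + struct.pack(">I", seq) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def spt_poll(key: bytes, seq: int, status: bytes = b"OK") -> dict:
    """SPT -> ARC poll, tagged so the ARC can authenticate the transmitter."""
    return {"seq": seq, "body": status, "tag": make_tag(key, b"SPT", seq, status)}


def arc_reply(key: bytes, poll: dict, response: bytes = b"ACK"):
    """ARC verifies the poll before answering; a bad poll gets no reply."""
    expected = make_tag(key, b"SPT", poll["seq"], poll["body"])
    if not hmac.compare_digest(poll["tag"], expected):
        return None
    return {"seq": poll["seq"], "body": response,
            "tag": make_tag(key, b"ARC", poll["seq"], response)}


def spt_verify_reply(key: bytes, poll: dict, reply) -> bool:
    """Mutually authenticated SPT: accept only a reply keyed by the ARC and
    bound to this poll's sequence number (so old replies cannot be replayed)."""
    if reply is None or reply["seq"] != poll["seq"]:
        return False
    expected = make_tag(key, b"ARC", reply["seq"], reply["body"])
    return hmac.compare_digest(reply["tag"], expected)


def unauthenticated_spt_accepts(poll: dict, reply: dict) -> bool:
    """Models the vulnerable behaviour: any reply with the right sequence is trusted."""
    return reply["seq"] == poll["seq"]


def demo() -> tuple:
    """Returns (genuine accepted, forged accepted by fixed SPT, forged accepted by vulnerable SPT)."""
    poll = spt_poll(DEVICE_KEY, 42)
    genuine = arc_reply(DEVICE_KEY, poll)
    forged = {"seq": 42, "body": b"ACK", "tag": b"\x00" * TAG_LEN}  # constructed spoof
    return (spt_verify_reply(DEVICE_KEY, poll, genuine),
            spt_verify_reply(DEVICE_KEY, poll, forged),
            unauthenticated_spt_accepts(poll, forged))
```

Running `demo()` returns `(True, False, True)`: the keyed SPT accepts only the genuine reply, while the unauthenticated model accepts the spoof.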
Specifically, the following issues are described by the researcher:
CWE-255: Credentials Management - CVE-2015-7287
CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.
CWE-912: Hidden Functionality - CVE-2015-7288
CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.
The CVSS score reflects CVE-2015-7286.
A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications in either direction.
The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:
- Our internal review of the report concluded there is no threat to these systems
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CSL DualCom | Unknown | 26 Oct 2015 | 20 Nov 2015 |
CVSS Metrics
Thanks to Andrew Tierney for reporting these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2015-7285 CVE-2015-7286 CVE-2015-7287 CVE-2015-7288
- Date Public: 23 Nov 2015
- Date First Published: 23 Nov 2015
- Date Last Updated: 23 Nov 2015
- Document Revision: 28