Eisbär SCADA - Persistent Software Vulnerability in Visualization Software

Eisbär SCADA - Persistent Software Vulnerability in Visualization Software

Today security researchers of the vulnerability laboratory team disclosed an application-side vulnerability in the SCADA Eisbär software. EisBär KNX is a modern, affordable software for visualization and automation of intelligent buildings or machinery.

The researcher setup a secure environment that was able to execute scada controlled functions in our company by an android, ios and windows mobile device. Due to the implementation we discovered that the server configuration input impacts a common security risk.

The vulnerability is located in the `server name` value of the main network server settings module. Local attackers with physical device access are able to manipulate the `netzwerk server name` input to compromise the mobile application or connected eisbär scada services. The attacker includes a own script code payload to the servername and is able to execute the function in the server index listing and edit mode.

The attacker can prepare a qr code with a final configuration that impact a malicious injected server name. The execution of the payload occurs after the scan or on review of the server listing. The servername value is also in use by the Eisbär Solutions section with the DoorPhone-Knoten service. We verified that the main server name component can be used to unauthorized execute a function in the connected scada service. The servername can be changed by the app or in the node directly to manipulate the communication permanently.

The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component.

The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 5.2.  Exploitation of the persistent input validation web vulnerability requires a low privilege application user account and low user interaction (click). Successful exploitation of the persistent web vulnerability results in mobile application/device compromise or connected service component manipulation.

Request Method(s):
[+] [Sync]

Vulnerable Module(s):
[+] Home > Server (Netzwerk)

Vulnerable Parameter(s):
[+] servername (name)

Affected Module(s):
[+] Home Index Server Listing
[+] Edit Server Entries

The core team security researchers explains in an advisory how to reproduce the vulnerability by manual steps.

Manual steps to reproduce the vulnerability ...
1. Install the mobile application to your windows phone, ios or android mobile device
2. Start the application
3. Configure a service that is successful connected with functions
4. Surf to the existing server home index listing
5. Change the internal or external server with existing address and payload
6. Save the input
7. The execution occurs in the main index server listing
8. Click the arrow next to the injected code
9. The second execution occurs in the header section were the servername description becomes visible
10. Successful reproduce of the security vulnerability!

Note: Include as payload a server that exists and attach your payload for a successful execution! The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component.

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1456