The Sicon-8, a hardware device manufactured by CircuitWerkes used for managing electrical devices such as lights and door locks, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user’s web browser. This is an instance of CWE-603: Use of Client-Side Authentication, and can be trivially bypassed by unauthorized users by interrupting the execution of the security mechanism. This issue has a CVSSv3 score of 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (accounting for the read-only nature of the bypass), and Rapid7 has assigned CVE-2019-5616 to it.

Product description

CircuitWerkes’ Sicon-8 is described as a “dial-up remote control” that features both an interactive voice response (IVR) and web-based interface and is used in electrical facilities management and environmental controls. Product specifications are described at the vendor’s website.

Credit

This issue was discovered by independent researcher Ph055a, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

The following anonymous function controls access to “index.htm,” the web application that both checks for access privileges and renders the primary web interface to the Sicon-8:

$(function() {
    // gc() and i$() are helpers defined elsewhere in the device's web interface (not shown here);
    // the credential check is a client-side lookup, not a server-side session check
    pw = gc("pw")
    if (pw == null) {
        // The only access control: a redirect issued by the browser itself. Assigning
        // window.location does not halt the script, so everything below still runs,
        // and a user who stops the navigation keeps the page the server already sent
        window.location = "login.htm"
    }
    // The access level is likewise read client-side and used only to pick a display label
    acclvl = i$(gc("ut"))
    $('#txtdelay').val(gc("ui"))
    if ($('#txtdelay').val() == '') {
        $('#txtdelay').val('2000')
    }
    gTimeout = i$($('#txtdelay').val())
    $("#ut").html(["Reader ", "Controller ", "Administrator ", "Super-Administrator "][acclvl - 1]);
    $("#copy").html('CircuitWerkes Sicon-8<br>Web Server Interface v' + wimaj + '.' + wimin + ', Web Server Firmware v' + gc("wmaj") + '.' + gc("wmin") + ', Sicon-8 Firmware v' + gc("mmaj") + '.' + gc("mmin") + '. ©Copyright 2012, CircuitWerkes, Inc.')
    // Rendering and data requests proceed regardless of the redirect above
    g = 0
    drawTable()
    execCmd('L')
    requestMtrs()
});

Because this control is implemented as a JavaScript function that merely redirects the user away from the web app interface, rather than enforcing access with session tokens or other more modern access controls, an attacker can navigate to http://address:port/index.htm using a standard web browser and, just before the page is fully rendered, press the “ESC” key to prevent the window.location redirect from executing. This is most easily accomplished by being redirected back to login.htm from index.htm, then using the “Forward” history navigation button in a Firefox browser, quickly followed by pressing the “ESC” key.

Once the page is rendered, the attacker can read all of the configured labels of a Sicon-8 device and retrieve the status of the labeled interfaces. It’s important to note that the attacker cannot change or otherwise manipulate functions that normally require administrator access—this vulnerability appears to be merely a read-only bypass.

Impact

While attackers cannot manipulate the interface without first learning the password, they can glean whatever information is configured to be displayed in the Sicon-8 web interface, which typically includes voltage and amperage readings to radio broadcast towers. Given this nominally private, specialized information, an attacker could conceivably use this to further a social-engineering pretext against the operator of the equipment, since the attacker would have possession of up-to-the-minute data regarding internal operations of the attacked site.

Remediation

In most cases, these devices are not exposed to the internet. Currently, however, internet scanning indicates that a handful of these devices (fewer than 40) appear to be exposed. As of this publication, the vendor has not provided a patch for CVE-2019-5616. Even if a patch is provided by the vendor, however, users should not expose these devices to networks where there are untrusted users, which includes the internet.

Even with a patch provided by the vendor, users of the Sicon-8 should still not expose this device directly to the internet, as this device does not enforce modern SSL/TLS connections. Private information (such as passwords) is exposed at every hop between the user and the device and is recoverable using common packet-sniffing techniques. Therefore, it is possible to intercept and alter requests and responses between the clients and the web server.

Disclosure timeline

  • Thursday, Jan. 3, 2019: Issue discovered by Ph055a and reported to Rapid7
  • Monday, Jan. 7, 2019: Issue validated by Rapid7 and initial contact made to CircuitWerkes
  • Tuesday, Jan. 22, 2019: Disclosed to CERT/CC (VU#794939)
  • Wednesday, Jan. 23, 2019: Issue acknowledged by the vendor
  • Monday, Feb. 25, 2019: CVE-2019-5616 reserved for assignment
  • Tuesday, March 12, 2019: Public disclosure via publication of this blog post