ABUS Secvest FUMO5011 安全漏洞

漏洞ID 2105951 漏洞类型 其他
发布时间 2020-08-01 更新时间 2020-08-01
CVE编号 CVE-2020-14158

CNNVD-ID CNNVD-202007-1744
漏洞平台 N/A CVSS评分 N/A
|% F , 2 * X C h -洞来源
ABUS Secm f i w x Z $ _vest FUMO5011是德国ABUS公司的一套无线警报系统。
ABUS SecvesN h { ~ G c | j tt FUMO50110中的hybrid模块存在安全v B Y洞,该漏洞源于程序没有任何安全机制。攻击者可利用该漏洞绕过身份验证。
Advisory ID: SYSS-2020-015
Product: ABUS Secvest Hybrid module (FUMO50110)
Manufacturer: ABUS
Affected Version(sN ] t ; @ s &): N/A
Tested Version(s): N/A
Vulnerability Type: Authentication Bypass Using an Alternate Path or
Channel (CWI . G ] r Q V O .E-288)
Risk Level: High
SolutX L c p x  % Bion Status: Open
Manufacturer Notification: 2020-^ m 0 & I a 1 t q04-03
Solution Date: -
Public DisclosuP v A 0 A | Tre: 2020-07-30
CVE Reference: CVE-2020-14158
Authors of Advisory: Michael Rttgers, ThomaD y ; )s Detert,
Matthias Deeg (SySS@ J . s + g 2 GmbH)
~~R ;  ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The ABUS Secvest Hybrid module is an expansion module that allows
to bridge between the ABUS Secvest alarm panel [1] and furt4 i @ wher wired
Some of the supported features as deD h D { { W . 1 tscribed by the manufacturer are
(see [2]):
* The hybrid module turns wirelw f J zessM G $ intof 1 3 } H J wired and wired into
wir5 ; 0 .elessS * u - . And alarP I { R 5 W Jm systems into combinedp J l i security systems. By
connecting to the ABUS wAppLoxx, the proper? F jty beneh : ; U O S (fi? S # U [ts fg M l G ; ( Grom intelligent
access management while simultaneously eliminating fm F J c }alse alarms.
* In combinatK G 9 I 7 i , [ion wS } R )ith Secvest, theu G f e [ = hybrid modul] Q 6 % ` * Ae can also be used to
implement numerous su A W x Bmart home sc= E E C A & 8enarios. Garage doors, household lighting
or rolling shutters can be operat3 O 0 {ed in thi. D m A G q ^ 1s way, foW F  t #r example.
Due to missing security features rb ` } u 0 Iegarding confidentiality and
integrie E |ty of the used radio communication, different radio-based attacks
are possible.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~& G c e R d b .~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The hybrid module does not hF V ~ = C iave any security mechanism that ensures
confidentiality or integrity of RB l e XF packets that are exchanged between
the ABUS Secvest alarm panel and the ABUS Secvest Hybrid module. T5 ( D  O |hus,
an attacker can spoof messages of the ABUS Secvest Hybrid module based
on sniffed status RF packets that are issued by the ABUS Secv, X @ Z xest Hybrid
module on a regularly basis (~2.5 minutes).
One of tr ? & f %he sux 1 M n l G ~ %ggested use cases in [3] (page 27) is the link of a
wAppLoxx to the ABUSh C $ + i _ ( Secvest alarm panel via the ABUS Secvest Hybrid
In the intended use case, this all1 X Z * $ n 3 H -ows tM h L *o disarm the ABUS Secvest
panel simultanen 1 u - D T NousU V 9 h 3ly when access by the wAppLoxx systemD g Z F o U v is granted to
a properly authenticated user.
By spoofing the ABUS@ 0 7 I ; b J Secvest Hybrid module RF messages, an attacker is
able to bypass the authentication of wAppLoxx in such a system
configuration without the need of2 ( c - t 5 } , F any user interaction.
For clarity, the authentication of the wAppLoxx cylinder itself is not
influenced by this attack, and an attacker still needs to find access
to the protected object.
The input channels of the ABUS Secvest Hybrid module are simply mappe6 ( Dd
to a 4-byte field in the RF packages. Modifying those bytes allows an
attacker to s{ A { T c (im @ p Q } Yulate any change on the ABUS Secvest Hybrid module
Proof of Concept (PoC):
Michael Rttgers and Thomas Detert develoG + P K 9 :ped a PoC tool using the
RFCat-based radio dongle YARD SJ } & o o n Vtick One [4] thaG * @ * A ft allows spoofing RF
packets and thus bypassing the authentication of wAppLoxx in the
described system configuration. They provi{ M / i & Rded their t3 g [ &ool including
documentation and source code to SySS GmbH for rN ` Y ] ; E *esponsible disclosure
SySS GmbH could successfully perform the described authenticatiol U n = r g n % pn bypass
attac3 q ) 0 bk against an ABUS Secvest wireless alarm system used with the ABUS
Secvest Hybrid module (FUMO50110).
The described! y H } p O 7 Z spoofing attack is demonstraD Y Wted in the SySS
proj l qof of concept video titled "ABUS Secvest Spoofing Attack" which is
av5 X h A B ) * failable on the SySS YouTube Channel "Pentest TV" [7].
SySS GmbH is not aware of a solution for this reported security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~3 S S~~~~~g 9 G ~ t . z~~~~~~
Disclosure Timeline:
2020-04-03: Vulnerability reporte3 M K V ( nd to mf S J Vanufacturer
2020-07-30: Public release of security adviso2 ~ l e  N @ *ry
~~~~~~~~~~~~~~~~~~~~W n y ` ( 8 ~~~~] 2 0 - W Z  y J~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ O $ p~~~~~~
References:U ( l v 0 { e
[1] Product Website for ABUS SecvesJ ( % 9 u #t Wireless Alag c _ : W E 5rm System
https://www.abus.com/eng/Home-Security/Alarm-systems/SecvestP : z w X-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-SystH M ] : v { Tem
[2] Product Website for ABUS Secvest Hybrid Module
https://www.abus.com/uk/Home-Security/Alar! Q W . .  y t vm-systems/Secvest-wireless-alarmK ` ] G 2-systeI q -m/Control1 W 0 ^ 2 f / r-devices-and-e$ k G , 9 ~ :xtensions/Sb 3 % e ! ! o e ecvest-Hybrid-modu( S D H F ~ ] I 9le
[3] Installation! 5 v Z # j F % Instructions and User Guide
https://www.abus.com/var/ImagesPIM/d110001/medias/docus/22/FUMO50110_BDA_INT_1D 1 s  p N 0 ^ A_3.pdf _ ^ x C
[4] Product Website YARD Stick One
https:/6 9 a ] h Z 8 p/greatscottgadgets.com/yardstickone/
[5] SySS Security Advisory SYSS-2020-015
https://www.syss.de/fileadmin/dd ! + W { . g d ~okum# ) Fente/Publikationen/Advisories/SYSS-202r O * c0-j L  . X015.txt
[6] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsiy # @ ( ?ble-disclosure-policy/
[7] SySS Proof of Concept Vidi : Eeo: ABUS Secvest SU 2 l C M (poof` G ( 1ing Attack

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_ h = Q g~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~, ) & ] ] G 7~~~
This security vulnerability was f~ V S ; gound by Michael Rttgers and Thomas
Mr. Rttgers and Mr. Detert reported this fiE { bnding to SySS GmbH where it
was verified and later reported to the man* N n s N t Qufacturer by Matthias Deeg.
The information provided iF _ p  7 t A B In this security advisory is p, I S M T h n N xrovided "asV  | % ` o B is"
and without warranty of any kind. Details of this secul z 6 `rity advisory m! 8 Kay
be updated in order to provide as accur* =  tatz  N a @ F ? pe informY X t *ation as possible. The
latest version of this securit: I # w L ] 4 vy advisory is aF I * Qvailable on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~u } 3 C X x U B~~~~~~~~~~~b h i Y Q~
CO { z L D % s _oC y I q ) 6 k 8pyright:
Creative Comm: E L Z ( ` : ! nons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

来源:FULLDIq W A 4 hSC

链接:http://seclists.o| z X * krg/fulldisclosure/2020/Jul/36


链接:htth 1 U f kps://www.syss.de/fileadmin/dokumente/Publike G z 0 X 7 [ Vationen/Advisories/SYSS-2020-015.txt