Executive Summary

Summary

Title: CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilities

Information

Name: VU#428280
Vendor: VU-CERT
Severity (vendor): N/A
First vendor publication: 2015-11-23
Last vendor modification: 2015-11-23
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact sub score: N/A
Exploitability sub score: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#428280

CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilities

Original Release date: 23 Nov 2015 | Last revised: 23 Nov 2015

Overview

CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilities.

Description

CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:

    - As with all our products, this product has been certified as compliant to the required European standard EN-50136
    - Our internal review of the report concluded there is no threat to these systems


For the full vendor statement, refer to the Vendor Information section below.

For full details about the vulnerabilities and their discovery, refer to the researcher's disclosure.

CWE-287: Improper Authentication - CVE-2015-7285

Communications between CS2300-R SPTs and ARC polling servers are not mutually authenticated. Consequently, the SPT cannot confirm the authenticity of messages received from ARC servers. An attacker capable of performing man-in-the-middle (MITM) attacks can spoof responses that will be accepted as valid by vulnerable SPTs.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2015-7286

Communications between CS2300-R SPTs and ARC servers are encrypted using a proprietary encryption scheme. The researcher identifies a number of issues by which messages can be decrypted or otherwise manipulated, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications in either direction. Combined with the previously described lack of mutual authentication, a capable attacker may be able to spoof or block messages between the endpoints in both directions.

Specifically, the following issues are described by the researcher:
  • the encryption algorithm is a polyalphabetic substitution cipher and subject to decryption via common cryptanalytic techniques
  • encryption keys (mapping tables for substitution) are hardcoded in the firmware and have not changed from v1.25 to v3.53
  • effective key length is very short
  • messages do not contain sequence numbers
  • messages do not make use of checksums or hashes
  • messages do not contain message authentication codes (MAC)
  • key material cannot be readily updated
  • sensitive SPT identification information can be obtained by capturing and analyzing single messages
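As an added illustration, not part of the advisory and not the CSL DualCom protocol, the constructed Python sketch below shows what two of the properties listed above (sequence numbers and message authentication codes), together with the message authentication missing under CVE-2015-7285, give a receiving ARC: a per-device keyed MAC rejects tampered frames and a strictly increasing sequence number rejects replayed ones. The frame layout, key, and sample payloads are all hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical frame layout (not the CSL DualCom format):
#   seq (4-byte big-endian) || payload || HMAC-SHA256(key, seq || payload)
MAC_LEN = 32


def build_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind a sequence number to the payload and tag both with a keyed MAC."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ArcVerifier:
    """Receiver side: accept a frame only if its MAC verifies and its seq is fresh."""

    def __init__(self, key: bytes):
        self.key = key          # per-device shared key (hypothetical; must be updatable)
        self.last_seq = -1      # highest sequence number accepted so far

    def verify(self, msg: bytes):
        """Return (payload, status); payload is None unless status is 'ok'."""
        if len(msg) < 4 + MAC_LEN:
            return None, "truncated"
        body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad mac"                   # tampered frame or wrong key
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None, "replay"                    # an old frame presented again
        self.last_seq = seq
        return body[4:], "ok"


def demo():
    """Walk through four cases: fresh frame, replay, bit-flip in transit, fresh frame again."""
    key = b"constructed-demo-key"
    arc = ArcVerifier(key)
    results = []
    m1 = build_message(key, 1, b"POLL OK")
    results.append(arc.verify(m1)[1])                # fresh -> "ok"
    results.append(arc.verify(m1)[1])                # same frame again -> "replay"
    m2 = bytearray(build_message(key, 2, b"ALARM ZONE 3"))
    m2[6] ^= 0x01                                    # flip one payload bit in transit
    results.append(arc.verify(bytes(m2))[1])         # -> "bad mac"
    results.append(arc.verify(build_message(key, 2, b"ALARM ZONE 3"))[1])  # -> "ok"
    return results
```

Without the sequence number the second frame would be accepted as a fresh poll, and without the MAC the flipped bit would silently change the payload; those are exactly the two gaps the list above describes.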

CWE-255: Credentials Management - CVE-2015-7287

CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.

CWE-912: Hidden Functionality - CVE-2015-7288

CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.

The CVSS score reflects CVE-2015-7286.

Impact

A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:

    - As with all our products, this product has been certified as compliant to the required European standard EN-50136
    - Our internal review of the report concluded there is no threat to these systems

Vendor Information

Vendor: CSL DualCom
Status: Unknown
Date notified: 26 Oct 2015
Date updated: 20 Nov 2015

CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8.0    E:POC/RL:U/RC:UR
Environmental  2.0    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.csldual.com/uk/
  • http://cybergibbons.com/?p=2844
  • https://cwe.mitre.org/data/definitions/287.html
  • https://cwe.mitre.org/data/definitions/327.html
  • https://cwe.mitre.org/data/definitions/255.html
  • https://cwe.mitre.org/data/definitions/912.html

Credit

Thanks to Andrew Tierney for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-7285, CVE-2015-7286, CVE-2015-7287, CVE-2015-7288
  • Date Public: 23 Nov 2015
  • Date First Published: 23 Nov 2015
  • Date Last Updated: 23 Nov 2015
  • Document Revision: 28

Original Source

Url : http://www.kb.cert.org/vuls/id/428280

CWE : Common Weakness Enumeration

%     Id       Name
25 %  CWE-310  Cryptographic Issues
25 %  CWE-287  Improper Authentication
25 %  CWE-255  Credentials Management
25 %  CWE-254  Security Features

CPE : Common Platform Enumeration

Type  Description  Count
Os                 2

Alert History

Date                 Information
2015-11-25 21:34:03  Multiple updates
2015-11-25 09:29:24  Multiple updates
2015-11-23 17:24:39  First insertion