Insufficient UART Protection Mechanisms
A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, log in with default credentials, and execute commands as the root user. These default credentials are "ngroot":"ngbase".
With physical access, connecting to the serial port is relatively trivial, as it immediately drops the user to a login prompt. While the UART credentials (UART_username and UART_passwd) are stored encrypted in the nvram entries, the encryption key is hardcoded on the device via the PASS_ENC (GEARNET) environment variable (which is cleared after the initial boot and nvram encryption).
The base station contains two networking interfaces: an interface reserved for the internal camera network and an interface reserved for connection to the external LAN (typically the home network the base station operates from).
When connected to the same LAN as the base station, specifying the base station as our gateway (or adding the appropriate route to our routing table) lets us reach the interface used for the internal camera network. This allows an attacker to probe additional services bound to that interface. In particular, the default HTTP listener deployed by "vzdaemon" exposes a "passthru" API endpoint that allows arbitrary download or upload of files on the device. For example, simply requesting "http://<internal ip of interface>/passthru/tmp/system-log" allows an attacker to download the device's primary logfile. While this proof of concept doesn't illustrate the most significant impact this issue can have, it nicely illustrates the functionality and provides an easy test case when patching.
As "vzdaemon" runs as root, the capabilities of this passthru API endpoint could allow an attacker to completely take over the device.
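As an added example (not part of the advisory or of the vendor's code), the following Python flags requests to the "passthru" endpoint in HTTP access logs and separates uploads from downloads, which is useful both for spotting probing from the LAN and for confirming after patching that the endpoint no longer serves requests. The log lines are constructed samples in Common Log Format; the base station's real log format is not documented here, so that format is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Common Log Format is an assumption).
# 192.168.1.23 is a made-up LAN host; the last line models a patched device.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Jan/2019:10:12:01 +0000] "GET /passthru/tmp/system-log HTTP/1.1" 200 48213
192.168.1.23 - - [10/Jan/2019:10:12:09 +0000] "PUT /passthru/tmp/dropped.bin HTTP/1.1" 200 0
192.168.1.50 - - [10/Jan/2019:10:13:40 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.1.23 - - [10/Jan/2019:10:14:02 +0000] "GET /passthru/tmp/system-log HTTP/1.1" 404 0
"""

# source host, timestamp, request line, status and response size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# everything after /passthru is the device file path being read or written
PASSTHRU_RE = re.compile(r'^/passthru(?P<file>/.*)$')


def find_passthru_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request that touched the vzdaemon passthru endpoint."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        p = PASSTHRU_RE.match(m.group("path"))
        if not p:
            continue  # ordinary request, not the passthru API
        method = m.group("method")
        status = int(m.group("status"))
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "file": p.group("file"),
            # uploads are the more dangerous case, since vzdaemon runs as root
            "action": "upload" if method in ("PUT", "POST") else "download",
            # a 2xx means the endpoint actually served the request (device unpatched)
            "served": status // 100 == 2,
        })
    return findings


if __name__ == "__main__":
    for f in find_passthru_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['action']} {f['file']} served={f['served']}")
```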
Hardcoded Private Key in Firmware Decryption
The "fwupgrade" utility on the base station contains hardcoded RSA private/public key pairs, and the firmware decryption process is therefore easily reversed.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]