Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Arlo Basestation Firmware Multiple Vulnerabilities

High

Synopsis


Insufficient UART Protection Mechanisms


A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are "ngroot":"ngbase".

With physical access, connecting to the serial port is relatevily trivial as it immediately drops the user to a login prompt. While the UART credentials (UART_username and UART_passwd) are encrypted in the nvram entries, the encryption key is hardcoded on the device via the PASS_ENC (GEARNET) environment variable (which is cleared after the initial boot and nvram encryption).

(AV:L/AC:L/Au:N/C:C/I:C/A:C)


Networking Misconfiguration


The base station contains two networking interfaces: an interface reserved for the internal camera network and an interface reserved for connection to the external LAN (typically the home network the base station operates from).

When connected to the same LAN as the base station, when specifying the base station as our gateway (or by adding the appropriate route to our routing table), we are able to hit the interface used for the internal camera network. This allows an attacker to probe additional services bound to this interface. In particular, the default http listener deployed by "vzdaemon" contains a "passthru" api endpoint that allows the arbitrary download or upload of files on the device. For example, simply calling "http://<internal ip of interface>/passthru/tmp/system-log" allows an attacker to download the primary logfile used for the device. While this proof of concept doesn't illustrate the most significant impact this issue can have, it nicely illustrates the functionality and demonstrates an easy test case when patching.

As "vzdaemon" runs as root, the capabilities of this passthru api endpoint could allow an attacker to completely take over the device.

(AV:A/AC:L/Au:N/C:C/I:C/A:C)


Hardcoded Private Key in Firmware Decryption


The "fwupgrade" utility on the base station contains hardcoded RSA private/public key pairs and the decryption process is now easily reversed.


----BEGIN RSA PRIVATE KEY----
MIIEpQIBAAKCAQEAxqsUswSN425Toar394cE3hf//+XlBfR5cZwpODHBj+X6UZRe
kJNlZoRH0c72D27blNf8dG2TjxsJOHm+gkoCbBz0a9ORenGNrZGZECJYDLH0MVcm
klyyh/z8cyBrMtqRiPoWzYaPN48snuUHFsF/JOVu3OIavFdu7MAGLRQ32dJeQ8Ou
ljlUK/hALVzzGseYuXHdVsj8TNIFqIvKlfMOB7T9biI8NxIoDNb8v3riHmkgSFbs
<...snipped...>
4r9QexyyduTLUQIn6MWvosMj8eG4Qp8yaLROmkb+OcJVSAX4uCp7xFNv2dT3OW++
yHcjHyECgYEAtQYGaDBpyjIgEJvAVSy0awv3zik3Ks/c5Wz4nHBV/kTB0xo5SzvM
InLrrHPVa/7oa3NMzZ5140pWuwS62rvrF7JX2kRaJ7vi3UVqmwGxGf2s9MoocS98
iSAZXhQ21meqgu5KMiLIpshrEubd3CPtq6to+yicoqXvOQ0v3DaMndU=
----END RSA PRIVATE KEY----

----BEGIN PUBLIC KEY----
MIIDRjCCAjkGByqGSM44BAEwggIsAoIBAQCPJ9cjoVgpXihsTEvSM2Murt7KBLhd
+qE0YReJWuY2JD3KbHOv6iTXSIjFKmlUR31NGhJ1FTvak5c01/mt88OXkdzRhoFy
iM49kWyx0NRntnHk8gcJFKZ29/+c+2kCHR3H2qA9ldhPEgP5xuLttui8Bd2FNKla
<...snipped...>
zZIlO6sNqrjnGBdcjmaU1N/pabNNsxwxFY/NtT5l3xInJEKUwBC/m0dUrOYqQ3pm
ljupxzfME60EEmitRXAPvgPcDyUYGqXpj9+P1vL2ANHT2tjNYk+dJJokgYmLryHs
kfHPzmcDKe0K3A7Ik/JN08TFeZZ1jkVGfwkU2Mygnkg+TU5Nc/S0irwavNf0yPdM
zv82QkIx0KB7c8mEoUTlHAnmP+cJN6yncpVAHEDgK+s+EHRHF6tYkN6V1bDgWbSd
e3jhuLWvHUjC+O9CWvekug/JjdkHJw40bUE=
----END PUBLIC KEY----

Solution

To correct the networking misconfiguration, verify that your basestation has been updated to the latest available version.

Disclosure Timeline

March 11, 2019 - Disclosed to Arlo’s 3rd party security partner (managed security disclosures for Arlo)
March 13, 2019 - Arlo’s 3rd party security partner confirms report.
March 16, 2019 - Arlo’s 3rd party security partner confirms Arlo's openness to the coordinated disclosure.
March 21, 2019 - Arlo’s 3rd party security partner states that Arlo is investigating the issues.
March 29, 2019 - Tenable requests status update.
March 29, 2019 - Arlo’s 3rd party security partner requests that specific vulnerabilities be created as separate submissions (Network Misconfiguration, Credentials and sensitive info, GPL code release). Other reported issues are considered duplicates.
March 29, 2019 - Tenable creates 3 new submissions for the above.
March 29, 2019 - Arlo’s 3rd party security partner acknowledges all 3 submissions and closes out the initial report.
April 4, 2019 - Arlo’s 3rd party security partner marks the 3 new submissions as "Triaged."
April 4, 2019 - Arlo’s 3rd party security partner marks original submission as "Not applicable."
April 8, 2019 - Tenable requests status update.
April 9, 2019 - Arlo’s 3rd party security partner/Arlo assign identifiers to two submissions (GPL code and Network Misconfiguration).
April 9, 2019 - Arlo’s 3rd party security partner/Arlo mark GPL code submission as "Not applicable."
April 19, 2019 - Our researcher finds out that Arlo has patched one of the vulnerabilities.
April 19, 2019 - Tenable requests updates on all issues.
April 22, 2019 - Arlo appears to have rolled back patch. Tenable requests updates again.
April 29, 2019 - Tenable requests updates for all issues.
May 3, 2019 - Tenable requests updates on all submissions.
May 10, 2019 - No response from Arlo’s 3rd party security partner or vendor, sent a reminder.
May 17, 2019 - Tenable reaches out to Arlo directly based on the note from Arlo’s 3rd party security partner.
May 21, 2019 - Tenable reaches out to Arlo directly based on the note from Arlo’s 3rd party security partner.
May 21, 2019 - Arlo’s 3rd party security partner marks credentials issue as duplicate.
May 21, 2019 - Arlo’s 3rd party security partner acknowledges Network Misconfiguration issue and valid finding.
May 21, 2019 - It appears Arlo has patched one of the vulnerabilities again that had the fix rolled back.
May 23, 2019 - Tenable meets with Arlo representative. Tenable transitions disclosure from Arlo’s 3rd party security partner to direct communication.
May 23, 2019 - Arlo unable to review latest communication due to PGP confusion.
May 24, 2019 - Tenable confirms PGP key used.
May 28, 2019 - Arlo is unable to decrypt. Provides Onedrive link to upload to.
May 29, 2019 - Tenable uploads disclosure information.
May 30, 2019 - Arlo requests clarification of an issue.
May 30, 2019 - Tenable provides clarification.
June 3, 2019 - Tenable responds to meeting invite.
June 4, 2019 - Arlo and Tenable discuss disclosure timeline
June 11, 2019 - Arlo CIO requests meeting.
June 12, 2019 - Arlo CIO and Tenable CTO discuss disclosure.
June 25, 2019 - Arlo and Tenable meet again.
July 1st, 2019 - Arlo releases their advisory ahead of agreed upon date

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-30
Credit:
Jimi Sebree
CVSSv2 Base / Temporal Score:
8.3 / 7.2
CVSSv2 Vector:
AV:A/AC:L/Au:N/C:C/I:C/A:C
Affected Products:
Arlo Basestation firmware 1.12.0.1_27940 and prior
Risk Factor:
High

Advisory Timeline

July 1, 2019 - Initial release.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training