Dutch researcher finds critical leak in Fibaro-domotic system



Posted

Dutch researcher finds critical leak in Fibaro-domotic system

The Dutch DearBytes researcher Wesley Neelen discovered vulnerabilities in Fibaro's Home Center 2 and Home Center Lite that allow remote attackers to execute arbitrary code. A patch has since been released. The researcher also found vulnerabilities in Domoticz.

Neelen reports that the Fibaro vulnerabilities made it possible to gain root access via the web interface. He examined a physical Home Center 2 and found that it is an x86 computer with the operating system on a USB drive. The researcher was able to obtain limited privileges on the system via command injection. Subsequently, he was able to escalate those privileges to root through a prepared update.

The application exposed a PHP page without authentication. This page validated its input insufficiently before using it in a PHP system call. The injection yielded limited privileges. Subsequently, it was possible to escalate privileges by supplying an update file containing a reverse shell. By triggering a manual update, the shell was spawned with root privileges. Neelen tells Tweakers that he was able to find about 185 Home Centers through the search engine Shodan. He could take these over, for example, and perform the same actions a normal user could perform.

The manufacturer's website shows that the software can be used to control cameras, thermostats, alarm systems and media players. The researcher therefore says that exposing the web interface of a home automation controller carries the corresponding risks. This could be solved by using a VPN, for example. Network segmentation is also recommended, so that there is no further way into the network. He also found other systems on the Internet, including misconfigured and therefore open Domoticz installations, he says. He also found exposed services that showed whether a company's alarm was set and whether people were present.

Neelen reported the issues to the manufacturer at the end of February. Nothing happened until he contacted management via LinkedIn in June. At the end of that month the patch was finally ready, after which Neelen was able to verify in July that the leaks were indeed patched. The patch was released about a week ago. Neelen also examined Domoticz for vulnerabilities and found, among other things, a SQL injection and a buffer overflow, which were quickly fixed.

 


 

  • Like 1
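The first stage of the chain above (a request parameter dropped into a system call) and the fix a practitioner would want, as an added illustration that is not part of the original post and not Fibaro's code: the handler name, the `host` parameter and the ping-style command are assumptions, the Python handler stands in for the unauthenticated PHP page, and `echo` stands in for the real system command so the script runs harmlessly offline while the injection behaves exactly as it would against a shell.

```python
import re
import subprocess

# ASSUMED shape of the flaw: a request parameter concatenated into a
# shell command string and run with shell=True. `echo` is a harmless
# stand-in for the real command; anything after ';' still executes.
def vulnerable_handler(host: str) -> str:
    cmd = "echo ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


# Hardened version, in the order the article's findings call for:
# 1. the page must require a logged-in session (it had none),
# 2. the value is allow-listed, not blacklisted (no attempt to strip ';'),
# 3. argv is passed as a list so no shell parses the value at all.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def hardened_handler(host: str, authenticated: bool) -> str:
    if not authenticated:
        raise PermissionError("login required")
    # Leading '-' passes the character class but would become an
    # argument (option injection), so reject it explicitly.
    if not HOST_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("rejected host: %r" % host)
    out = subprocess.run(["echo", "ping", "-c", "1", host],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", vulnerable_handler(payload))
    for h, auth in [("192.0.2.10", True), (payload, True), ("-c", True),
                    ("192.0.2.10", False)]:
        try:
            print("hardened  :", hardened_handler(h, auth).strip())
        except (ValueError, PermissionError) as e:
            print("hardened  : refused ->", e)
```

The list form of `subprocess.run` (or `escapeshellarg` plus a fixed argv in PHP) is what actually removes the shell from the path; the regex is there to keep the value meaningful, not to make the shell safe. Note that the second stage of the chain (a crafted update archive executed as root) is a separate problem that input validation does not address; it needs the update to be verified against a vendor key before anything in it is run.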
Posted

So this means that all systems prior to 4.140 are vulnerable?

Posted

hi @fkruis,

 

I was just about to post something about this article.

This leak was apparently solved in fw 1.140, but in the changelog there is not one word about this critical leak (remote command execution, RCE) :-(

 

Fibaro, shouldn't you inform us about this?

 

Here you find the whole article in English.

@diedvdyk,

 

Apparently  YES...

Posted

Never heard of that search engine, but it is indeed quite easy to get a list of Fibaro devices. Hopefully the patch will work. Would be appreciated if Fibaro is communicating this.

Posted

This is the reason why we shouldn't publish our HC over public Internet. It definitely must be behind NAT, firewall, etc.

If we want to connect with our HC from Internet, VPN is the solution or


  • Like 2
Posted

Okay, so all the phantom associations were just random people playing tricks on us?

Posted
15 hours ago, jimicr said:

Okay, so all the phantom associations were just random people playing tricks on us?

:-D That reminds me... I still have to post something on the "phantom menace" topic ;-)

 

Posted

Things that stunned me:

 

- The lack of reply to the guy when he first raised this epic vulnerability

- The fact a fix took more than half a year

- The fact that Fibaro waited 2 months before implementing the fix, once the patch was ready and tested (July)

- The fact Fibaro did not release an emergency patch/update and put this into a general update

- The fact Fibaro did not mention ANYTHING about this in the changelog of the 4.140 FW or anywhere for that matter

- The fact Fibaro has not sent out alerts to users still on older firmware versions

- The fact Fibaro has not replied to anything anywhere about this yet. The hush-hush method isn't going to do the trick.

- The fact Fibaro sends a t-shirt to the guy.. Really? A t-shirt?

- The fact Fibaro clearly has no (good) security procedure and policies in place

- The fact Fibaro does not send out a mailing to its users explaining what happened, what the risks are/were, what to do, etc. An official statement in the form of a press release would make sense.

 

22 hours ago, szmyk said:

This is the reason why we shouldn't publish our HC over public Internet. It definitely must be behind NAT, firewall, etc.

If we want to connect with our HC from Internet, VPN is the solution or


 

This is the very reason why I do not use the remote services Fibaro offers, all over VPN.

Also the HC2 has SSH keys on it, so I had to do some extra firewall ruling :) . Nobody touches anything but me..

  • Like 2
Posted

Hello, users! :)

It is true that the vulnerability was discovered by Wesley. We are grateful that we have such amazing users and contributors. We always appreciate users' feedback and this time it was essential! Together in cooperation we solved a potential threat.

Everything was under our control. We ensured safety and we can assure you that there were no instances of data corruption.

The issue has been fixed with the new version of software. We admit that it took a bit, but the patch release was scheduled and we kept it accordingly.

We apologize for inconveniences. And again, we can assure you that the patch fixed the vulnerability and users are not exposed to this threat anymore.

Posted

@T.Konopka, (Please don't take this personally)

 

While I appreciate your response I find your statement somewhat "thin" on detail. I have successfully worked within the IT Managed Service & Security industry for the last 20 years with a global client base, and can assure you that if I were to uncover a serious security flaw in any of my clients' systems and then failed to notify my clients about this in a timely manner I would lose their trust and most likely their business in the long run.

 

This issue was potentially a critical incident in which Fibaro has failed its customers massively and while you say there was no data corruption how can you be sure? We need to understand how you can be confident of this.

Why did Fibaro not immediately notify its entire client base when you became aware so we could assure our HC's were not vulnerable to this attack by employing our own countermeasures? Personally I would like to understand your logic for keeping this quiet because it seems that Fibaro valued their reputation over the security of their client base in this instance.

 

Please update us on the above mentioned points and some advice I would offer Fibaro moving forward:

 

Fibaro need to change their path and focus heavily on customer service moving forward; specifically, the focus should be client communications. Failure to do so will result in loss of market share due to your clients losing their faith in your ability to provide safe, secure and stable platforms on which to control their homes.

 

I really do hope my feedback is helpful and Fibaro can improve on their performance over the previous quarter.

 


 

  • Like 2
Posted
36 minutes ago, Robert Folbigg said:

Everything was under our control. We ensured safety and we can assure you that there were no instances of data corruption.

 

@T.Konopka (as a spokesperson for Fibaro)

 

I am a little lost for words.... and truth be told I am also very disappointed with this revelation :-( 

 

with regard to the above statement, I agree with Robert on the thinness of the explanation of this serious issue.

Could you expand on how you ensured safety and how you know there were no issues of data corruption and more important data theft ?  

 

Posted

I'm at home and my HC2 is updated to 4.1.40 - so safe home. I'm about to travel and it is not to my summer house, which has another HC2 system running an older sw version. Fibaro, am I right to assume I'm still safe and there is no rush - as there are still some months until the summer of 2018...?

Posted

You can run whatever version you wish, as long as you are using official remote access or VPN - but when you have forwarded port 80 to be accessible from outside, then you should do an update or shut down your HC2.

  • Thanks 1
Posted

Thanks tinman, house safe then

Posted (edited)

Hi @tinman   -
sent a pm 

 

Thanks

Edited by AutoFrank
Posted

Hi, guys!

Thank you all for feedback in the thread. I am gathering information from the team that dealt with the vulnerability and prepared the patch. As you know, it is weekend so it'll take some time. I will come back to this thread with the details as soon as possible.

As for now, I have been assured that all gateways that were updated are safe and there is no threat. :)

 

@1152, what version of software do you have on the gateway in your summer house?

Posted

@T.Konopka Thanks for the feedback. Although not very extensive, it is appreciated. Thanks!

I'd just like to stress the importance of Fibaro informing its users, as the exploit is public now.

 

IF there is a way where you can see which users are on which FW level, please DO inform them for obvious reasons.

ie Can you push notifications to users in the app on versions <4.140 ?

  • Like 1
Posted

@MaTi  +1

 

Posted

Guys, I received necessary information.

The vulnerability was detected in Lili's scripts that set commands in both gateways - HC2 and HCL (the scripts were deleted as this gateway does not use Lili).

 

The vulnerability could be used to get access to the gateway from outside the local network, but only when the gateway had open ports and using public IP.

If a user used only remote access offered by our service then user’s system was safe.

 

However, if someone had access to the local network in which the gateway operated - a neighbor for example - then the attack was still possible.

That's why we recommend that any gateway currently using public IP should be connected via VPN.

 

The scripts responsible for the vulnerability have been corrected and before releasing the patch we sent the patch to the blogger first to get necessary feedback. The patch solved the issue and at the moment we did not find any other vulnerabilities (yes, we additionally checked).

 

When verifying the vulnerability we estimated that the possibility of any attack using the vulnerability is very low.

Additionally, we did not get any signals from users that something unexpected is going on with the system, so we deduced that no system has been exposed.

In that case, we decided not to inform about the vulnerability as the reactions might be worse than the vulnerability itself.

We understand that you would like to know about such works, but it would be unwise to officially inform that our system had the vulnerability before we prepared the patch.

Moreover, as you can see the blogger informed about his finding after the threat was eliminated. We knew that he will post about it.

 

The preparation of the patch needed time as we had to slightly rebuild some parts of the system (not much, but mainly the ones responsible for Lili). As we had our planned tasks already scheduled we had to adjust our work and plan the release of the patch in the best way possible.

 

Hopefully, this explanation is satisfying. The most important part is that the threat was eliminated :)

Posted

Thank you @T.Konopka for the explanation.

 

BTW I'm happy with it! :-) 
