#############################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
#############################################################
#
# CVE ID: CVE-2018-16596
# Product: Swisscom Internet-Box
# Vendor: Swisscom
# Subject: Remote Code Execution
# CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 7.5)
# CVSS:2.0/AV:A/AC:L/Au:N/C:C/I:C/A:C (base score 8.3)
# Finder: Michael Mazzolini - GoldNetwork (mm _at_ gold-network.ch)
# Coord: Stéphane Grundschober (csirt _at_ swisscom.com)
# Date: November 01 2018
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/CVE-2018-16596.txt
# Finder's advisory: https://www.gold-network.ch/security/advisories
#
#############################################################

Description
-----------
A remote code execution vulnerability reachable from the LAN side has been identified in the UPnP implementation of the Star family of Swisscom routers.

Affected Product
----------------
The following Star* platforms are affected:

- Internet Box 2, Internet Box Standard, Internet Box Plus prior to 09.04.00 (August 2018)
- Internet Box light prior to 08.05.02 (August 2018)

Vulnerability
-------------
A stack overflow in the LAN UPnP service running on UDP port 1900 of Swisscom Internet-Box devices allows remote code execution. No authentication is required to exploit this vulnerability.

Sending a single UDP packet to port 1900 allows an attacker to execute code on the device. However, this is only possible if the attacker is inside the LAN.

Because of ASLR the success rate is not 100%; a failed attempt instead leads to a DoS of the UPnP service. The remaining functionality of the Internet Box is not affected. A reboot of the Internet Box is necessary before the exploit can be attempted again.

Remediation
-----------
Update the Swisscom router (Internet-Box) firmware to the most recent version.
Online routers have been receiving the updated firmware since August 2018.

Milestones
----------
2018-06-04 Details communicated to Swisscom CSIRT
2018-06-15 Vulnerability confirmed by the manufacturer
2018-07-09 Patched firmware available
2018-08-01 Start of roll-out of updated firmware
2018-09-04 CVE id requested (MITRE)
2018-10-31 Mass roll-out of updated firmware completed
2018-11-01 Advisory published

Credits
-------
We would like to thank Michael Mazzolini of GoldNetwork for his research and responsible disclosure through Swisscom's Bug Bounty program:
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html