#############################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
#############################################################
#
# CVE ID: CVE-2020-16134
# Product: Swisscom Internet-Box
# Vendor: Swisscom
# Subject: Privilege escalation
# CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.0)
# Finder: Martin Jindra - digi.ch GmbH (Martin.Jindra _at_ digi.ch)
# Coord: Stéphane Grundschober (csirt _at_ swisscom.com)
# Date: August 04 2020
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2020-16134.txt
#
#############################################################

Description
-----------
Given the user-configurable credentials to access the local Web-Interface, or physical access to the device's plus or reset button, it is possible to create a user with elevated privileges on the Sysbus-API. That user can then be used to modify local or remote SSH access, thus allowing login as the superuser.

Affected Product
----------------
The following Swisscom Internet Box models are affected:
- Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38 (July 2020)
- Internet Box 3 prior to 11.01.20 (July 2020)
- Internet Box light prior to 08.06.06 (July 2020)

Vulnerability
-------------
Misconfigured ACL on the sysbus API of the Internet Box. This allows a user with admin credentials (or with physical access to the box to reset the admin password) to interact with the sysbus API on the local LAN and create a new user and group with elevated privileges. This user is then able, through the API, to switch on SSH access. Access via SSH provides full access to the Linux system of the box.

Remediation
-----------
Update the Swisscom router (Internet-Box) firmware to the most recent version. Online routers have received the update since the last week of July 2020.
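
To confirm that a set of routers is at or past the fixed firmware listed under "Affected Product", the following check can be run over an inventory export. It is an added example, not part of the Swisscom advisory: the `host,model,firmware` inventory format, the host names and the sample versions are constructed, and comparing the dotted version fields numerically is an assumption about how the firmware numbering is ordered.

```python
import re

# Fixed firmware per model, taken from the advisory's "Affected Product" list.
FIXED = {
    "Internet Box 2": (10, 4, 38),
    "Internet Box Standard": (10, 4, 38),
    "Internet Box Plus": (10, 4, 38),
    "Internet Box 3": (11, 1, 20),
    "Internet Box light": (8, 6, 6),
}

def parse_version(text):
    """Turn '10.04.38' into (10, 4, 38) so zero-padded fields compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2}", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(model, firmware):
    """Return 'vulnerable', 'fixed' or 'unknown' for one inventory entry."""
    fixed = FIXED.get(model.strip())
    if fixed is None:
        return "unknown"  # model not named in the advisory
    try:
        return "vulnerable" if parse_version(firmware) < fixed else "fixed"
    except ValueError:
        return "unknown"  # version could not be read; check the device by hand

def audit(inventory_csv):
    """Classify every 'host,model,firmware' line; blank and '#' lines are skipped."""
    results = {}
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, model, firmware = (field.strip() for field in line.split(",", 2))
        results[host] = classify(model, firmware)
    return results

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE = """
# host,model,firmware
branch-01,Internet Box 2,10.04.36
branch-02,Internet Box 3,11.01.20
branch-03,Internet Box light,08.06.04
branch-04,Internet Box Plus,10.4.38
branch-05,Internet Box 3,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Entries reported as `unknown` are not cleared: they need a manual look at the device's firmware page.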

Milestones
----------
2020-05-06 Details communicated with Swisscom CSIRT
2020-05-07 Vulnerability confirmed by the manufacturer
2020-05-29 Patched firmware available and rollout to trial users
2020-07-22 Start roll-out of updated firmware
2020-07-29 CVE id requested (MITRE)
2020-08-03 Mass roll-out of updated firmware completed
2020-08-04 Advisory published

Credits
-------
We would like to thank Martin Jindra of digi.ch GmbH for his research and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html