The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks if \nthe patch files are signed before executing the containing run.sh \nscript. The signing process is kind of an HMAC with a long string as key\n which is hard-coded in the firmware and is freely available for \ndownload. This allows crafting malicious \"signed\" .patch files in order \nto compromise the device and execute arbitrary code.
"}],"value":"The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks if \nthe patch files are signed before executing the containing run.sh \nscript. The signing process is kind of an HMAC with a long string as key\n which is hard-coded in the firmware and is freely available for \ndownload. This allows crafting malicious \"signed\" .patch files in order \nto compromise the device and execute arbitrary code."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"SEC Consult has published proof of concept code for this vulnerability."}],"value":"SEC Consult has published proof of concept code for this vulnerability."}],"impacts":[{"capecId":"CAPEC-186","descriptions":[{"lang":"en","value":"CAPEC-186 Malicious Software Update"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-347","description":"CWE-347 Improper Verification of Cryptographic Signature","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","shortName":"SEC-VLab","dateUpdated":"2024-10-15T08:57:05.068Z"},"references":[{"tags":["third-party-advisory"],"url":"https://r.sec-consult.com/rittaliot"},{"tags":["patch"],"url":"https://www.rittal.com/de-de/products/deep/3124300"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The vendor provides a patched version V6.21.00.2 which can be downloaded from the following URL: www.rittal.com/de-de/products/deep/3124300