Advisory ID: SYSS-2024-037
Product: DiCal-RED
Manufacturer: Swissphone Wireless AG
Affected Version(s): Unknown
Tested Version(s): 4009
Vulnerability Type: Use of Password Hash With Insufficient Computational Effort (CWE-916)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2024-04-16
Solution Date: None
Public Disclosure: 2024-08-20
CVE Reference: CVE-2024-36440
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This
is ensured by the linking of navigation (also for the transmission of position
data) and various radio modules."

Due to a weak password hashing function, the device password is vulnerable to
offline brute-force attacks in order to recover the password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device password is stored in the file /etc/deviceconfig as a plain MD5
hash, i.e. without any salt or computational cost function.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

root@DiCal-RED:~# cat /etc/deviceconfig
PasswordActive=1
PasswordHash="2ab96390c7dbe3439de74d0c9b0b1767"
[...]

$ hashcat -m 0 -a 3 2ab96390c7dbe3439de74d0c9b0b1767 ?l?l?l?l?l?l?d
[...]
2ab96390c7dbe3439de74d0c9b0b1767:hunter2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered
2024-04-16: Vulnerability reported to manufacturer
2024-05-10: Manufacturer states that the vulnerability will not be fixed
2024-05-14: Vulnerability reported to CERT-Bund
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-037
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd
i5YLLw/+KOVlJj9SE7BMWl9H9zO9YcNZPUvuC62/iAtn82r0bOTQAUjx3eSzxx01
BGqHEVozMOb4PHC1hTPGp+WHMaFNlcLgiyciFhckh4PpeIwtCCccg3+8BlJRmVPb
pO+IWo16KcW/fYnqpu5fvHeKnC7UkauWBJiC5a72kjBqJeKreHjTJ3+lAOuMp5nt
wTJAEVvlog+MNJzXipMTDzYlaw6YrMr5ukgou0iDKKNJpwMBwJpga0IvJGmubNOU
YchVnsZOC7cXWqPBRFpNzKJifMZJ2rWPzoryIniR+ZdJn/M/wXr4IKZZJ0Oag/UT
li1LdUlNby7QnPCB9T0TfAhS3uGn9tSulPG51Ei9COuKFcpGWqEBM+NZ5QHy/+7o
6uo8tHV34XV4ztsWWHp6Mjd9qDI/7iPFsSR4k+Zio5/5rPqOfhp2LuBFfnuLCuqY
RLZnZ+eDuyUk4fsDLPP/2mRjfVf9+dskYBVqGbgjzNvgb2teTBxD3t31cdgyRNc7
LurHmE4h+h+qLT78E2i/iuRyvZFzAQ6miDNgFqDoTrp9XENtXSicmy0ABMPGMjCw
jg0dzFT4AA7zhNN0HuPNX2fE0+dmy5g9t8HdNFJeG52uTMs6/CYGlu573oErlUru
lr2Y2f3O06EHFnrR05OVM4TXuQF5VF5lHY/WmTCsOTWOYED2pjg=
=tMX8
-----END PGP SIGNATURE-----