Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit

Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
Advisory ID: ZSL-2022-5707
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 29.05.2022
Summary
The C-Bus Network Automation Controller (5500NAC) and the Wiser for C-Bus Automation Controller (5500SHAC) are advanced controllers from Schneider Electric. They are specifically designed to unite the C-Bus home automation solution with common household communication protocols, from lighting and climate control to security, entertainment and energy metering. The Wiser for C-Bus Automation Controller manages and controls C-Bus systems for residential homes or zones within a building and integrates functions such as heating/cooling, energy/load monitoring and remote control for C-Bus and Modbus.
Description
The automation controller suffers from an authenticated arbitrary command execution vulnerability. An attacker can abuse the Start-up (init) script editor and exploit the 'script' POST parameter to insert malicious Lua script code and execute commands with root privileges that will grant full control of the device.
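Because the start-up (init) script runs as root on the controller, a defender's first check after any suspected misuse of the scripting editor is to audit what the stored init scripts actually call. The following Python audit is an added example written for this advisory; it is not part of the original PoC and not Schneider Electric code. It assumes the operator has exported the controller's Lua init scripts to plain text (for instance from a configuration backup); the sample script, the file name and the list of flagged primitives are constructed for illustration, and the primitive names are those of standard Lua/LuaJIT 2.0.

```python
"""Audit exported Lua start-up (init) scripts for OS-level primitives.

Added example for the ZSL-2022-5707 advisory; not vendor code. Assumes the
init scripts have been exported as plain .lua text. The sample script and
the flagged-primitive list below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Standard Lua / LuaJIT 2.0 calls that reach the OS, the file system, the
# network, or compile code at runtime. In a script that runs as root at boot,
# every hit deserves a human review.
DANGEROUS_CALLS = [
    ("os.execute",  r"\bos\.execute\s*\(",  "runs a shell command"),
    ("io.popen",    r"\bio\.popen\s*\(",    "runs a shell command and captures its output"),
    ("os.remove",   r"\bos\.remove\s*\(",   "deletes files"),
    ("os.rename",   r"\bos\.rename\s*\(",   "moves or renames files"),
    ("loadstring",  r"\bloadstring\s*\(",   "compiles code from a string (LuaJIT 2.0)"),
    ("load",        r"\bload\s*\(",         "compiles code from a string or function"),
    ("dofile",      r"\bdofile\s*\(",       "executes another Lua file"),
    ("require socket", r"\brequire\s*\(?\s*['\"]socket", "opens raw network sockets"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the exported script
    call: str      # which primitive matched
    reason: str    # why it matters on a root-level init script
    text: str      # the offending line, comments removed


def strip_comments(source: str) -> list[str]:
    """Return the script's lines with Lua comments blanked out, so that
    commented-out code is not reported. Handles '--' line comments and the
    plain '--[[ ... ]]' block form; the level-N form (--[==[ ]==]) and '--'
    inside string literals are not handled and would need a real parser."""
    out = []
    in_block = False
    for raw in source.splitlines():
        line, cleaned = raw, ""
        while line:
            if in_block:
                end = line.find("]]")
                if end < 0:
                    line = ""
                else:
                    in_block, line = False, line[end + 2:]
            else:
                start = line.find("--")
                if start < 0:
                    cleaned, line = cleaned + line, ""
                elif line.startswith("--[[", start):
                    cleaned, in_block, line = cleaned + line[:start], True, line[start + 4:]
                else:
                    cleaned, line = cleaned + line[:start], ""
        out.append(cleaned)
    return out


def audit_lua_script(source: str) -> list[Finding]:
    """Scan one exported init script and return every dangerous call found."""
    findings = []
    for no, line in enumerate(strip_comments(source), start=1):
        for name, pattern, reason in DANGEROUS_CALLS:
            if re.search(pattern, line):
                findings.append(Finding(no, name, reason, line.strip()))
    return findings


# Constructed sample export (not taken from a real controller). Line 4 is a
# commented-out shell call and must not be reported; line 5 must be.
SAMPLE_INIT_SCRIPT = """\
-- constructed sample start-up script
local lamp = 'Kitchen/Main'
log('start-up: ' .. lamp)
-- os.execute('reboot')  -- commented out, not live
local f = io.popen('id')  -- live shell access from a root-level script
log(f:read('*a'))
"""

if __name__ == "__main__":
    for f in audit_lua_script(SAMPLE_INIT_SCRIPT):
        print(f"line {f.line_no}: {f.call} ({f.reason}): {f.text}")
```

Run it against every exported init script after a firmware backup; a clean baseline taken at commissioning time makes later diffs of the findings list an easy change-detection control, independent of whether the vendor treats the editor itself as a vulnerability.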
Vendor
Schneider Electric SE - https://www.se.com
Affected Version
CLIPSAL 5500SHAC (i.MX28)
CLIPSAL 5500NAC (i.MX28)
SW: 1.10.0, 1.6.0
HW: 1.0
Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
SpaceLogic C-Bus
Tested On
CPU model: ARM926EJ-S rev 5 (v5l)
GNU/Linux 4.4.115 (armv5tejl)
LuaJIT 2.0.5
FlashSYS v2
nginx
Vendor Status
[12.03.2022] Vulnerability discovered.
[15.03.2022] Sent details to vendor.
[17.03.2022] Vendor creates case SE-6201, starts investigation.
[25.03.2022] Asked vendor for status update.
[26.03.2022] Vendor responds, assessment is still ongoing.
[30.03.2022] Vendor cannot reproduce with provided info, requests proof of execution.
[31.03.2022] Sent encrypted PoC script to the vendor.
[31.03.2022] Vendor receives PoC, starts analysis.
[11.04.2022] Asked vendor for confirmation and status update.
[11.04.2022] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.
[20.04.2022] Asked vendor for confirmation and scheduled patch release date.
[21.04.2022] Vendor confirms SE-6201, working on action plan.
[22.04.2022] Vendor responds: The product team has not accepted this report as a valid vulnerability due to the following analysis:
The python script mentioned in the report uses the /scada-main/scripting/ editor to execute the lua script to gain remote access to the controller. However, to achieve this, the attacker needs to provide the administrator credentials to execute the script. So, this can be done only when the attacker has the administrator credentials with him. In order to prevent attackers from obtaining administrator credentials, the product implements the following measures to make passwords difficult to brute force.
Force a user to change the default password the very first time they log in to the controller.
Use of a strong password (combination of characters with uppercase letter, lowercase letter and digit)
Block access to the controller after certain wrong login attempts.
[22.04.2022] Replied to the vendor. Asked vendor to assign SeeVeeE.
[30.04.2022] Asked vendor for status update.
[02.05.2022] Vendor closes SE-6201 (not a vuln).
[29.05.2022] Public security advisory released.
PoC
c-bus.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/167304/
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/227554
[3] https://cxsecurity.com/issue/WLB-2022050095
[4] https://www.exploit-db.com/exploits/50949
Changelog
[29.05.2022] - Initial release
[31.05.2022] - Added reference [1], [2] and [3]
[07.06.2022] - Added reference [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk