Deep Sea Electronics DSE855 Remote Authentication Bypass
Title: Deep Sea Electronics DSE855 Remote Authentication Bypass
Advisory ID: ZSL-2024-5825
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 03.07.2024
Software version: 1.0.26
Module version: 1.0.78
Bootloader version: 1.0.3
Firmware version: 1.1.0
Summary
The DSE855 communications device allows monitoring of a single DSE controller with USB connectivity over a LAN or WAN connection. To achieve this the DSE855 utilises its in-built web server or MODBUS TCP. In order to use it over a LAN connection, the on-site router must be configured to be accessible from any global location.
Description
The device is vulnerable to configuration disclosure when a direct object reference is made to the Backup.bin file using an HTTP GET request. This enables an attacker to disclose sensitive information, which in turn assists in authentication bypass, privilege escalation and full system access.
Vendor
Deep Sea Electronics plc - https://www.deepseaelectronics.com
Affected Version
Model: DSE855
Software version: 1.0.26
Module version: 1.0.78
Bootloader version: 1.0.3
Firmware version: 1.1.0
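The Backup.bin disclosure described above leaves a clear trace in web-server access logs: a GET for the configuration file that succeeds without an authenticated user. The following Python triage script is an added example written for this page; it is not the advisory's PoC (dse855_auth.txt) and not code from Deep Sea Electronics or Zero Science Lab. It assumes logs in the common/combined log format, that the file is exposed under a URL path ending in Backup.bin (the advisory names the file, not its exact path), and the embedded log lines are constructed for illustration.

```python
"""Triage access-log lines for direct requests to the DSE855 Backup.bin
configuration file (ZSL-2024-5825 / CVE-2024-5947).

Added example, not part of the advisory. Assumptions: common/combined log
format; the file is served under a path ending in "Backup.bin".
"""
import re
from dataclasses import dataclass

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): two anonymous hits on Backup.bin,
# one authenticated download, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2024:10:15:01 +0000] "GET /Backup.bin HTTP/1.1" 200 8192 "-" "curl/8.0"
192.0.2.10 - admin [03/Jul/2024:10:16:42 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2024:10:17:03 +0000] "GET /backup.bin?x=1 HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.10 - admin [03/Jul/2024:10:18:11 +0000] "GET /Backup.bin HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.3 - - [03/Jul/2024:10:19:00 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    time: str
    status: int
    reason: str


def is_backup_request(path: str) -> bool:
    """True if the request path targets Backup.bin (query string ignored,
    case-insensitive, since embedded web servers are often lax about case)."""
    return path.split("?", 1)[0].lower().endswith("/backup.bin")


def triage(lines):
    """Return one Finding per GET request for Backup.bin, classified by whether
    the server answered 200 and whether an authenticated user was logged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if m["method"] != "GET" or not is_backup_request(m["path"]):
            continue
        status = int(m["status"])
        if status == 200 and m["user"] == "-":
            reason = "Backup.bin served with no authenticated user (likely disclosure)"
        elif status == 200:
            reason = "Backup.bin downloaded by authenticated user (review)"
        else:
            reason = f"Backup.bin requested, server returned {status}"
        findings.append(Finding(m["ip"], m["time"], status, reason))
    return findings


def unauthenticated_sources(findings):
    """Source IPs that obtained Backup.bin (HTTP 200) without an authenticated user."""
    return {f.ip for f in findings if f.status == 200 and "no authenticated" in f.reason}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.time}  {f.ip:<14}  {f.status}  {f.reason}")
    print("Sources that pulled the config unauthenticated:", sorted(unauthenticated_sources(results)))
```

Run stand-alone it prints three findings from the constructed sample and singles out 203.0.113.7 as having retrieved the file unauthenticated. On a real deployment, feed the device's or reverse proxy's access log to `triage`; any unauthenticated 200 for Backup.bin on firmware older than the vendor's updated release (reference [7]) should be treated as a probable configuration disclosure, and since the file assists authentication bypass, credentials for the device should be rotated alongside the firmware update.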
Tested On
embOS/IP
Vendor Status
[10.11.2023] Vulnerability discovered.
[14.11.2023] Vendor communicated via Trend Micro's Zero Day Initiative program.
[13.06.2024] ZDI-24-671 advisory released.
[03.07.2024] Public security advisory released.
[18.09.2024] Vendor releases updated firmware to address this issue.
PoC
dse855_auth.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zerodayinitiative.com/advisories/ZDI-24-671/
[2] https://www.cve.org/CVERecord?id=CVE-2024-5947
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-5947
[4] https://packetstormsecurity.com/files/179342/
[5] https://pentest-tools.com/vulnerabilities-exploits/deep-sea-electronics-dse855-authentication-bypass_22935
[6] https://www.zerodayinitiative.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855
[7] https://www.deepseaelectronics.com/genset/remote-communications-overview-displays/dse855/software
[8] https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03
Changelog
[03.07.2024] - Initial release
[26.07.2024] - Added reference [4], [5] and [6]
[18.09.2024] - Added vendor status and reference [7]
[24.10.2024] - Added reference [8]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk