CVE-2024-47943
Improper signature verification of firmware upgrade files
In short
The Rittal device accepts firmware updates with fake signatures because the signing key is publicly available in the downloadable firmware. An attacker can create malicious updates that the device will execute, gaining complete control.
Technical detail
The firmware upgrade mechanism uses HMAC-based signature verification with a hardcoded key exposed in publicly available firmware files. An unauthenticated attacker can forge valid signatures for arbitrary patch files containing malicious run.sh scripts, achieving remote code execution on the device.
Summary generated and translated by AI from the official description.
The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download. This allows crafting malicious "signed" .patch files in order to compromise the device and execute arbitrary code.
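The design flaw described above is that the device verifies updates with the same secret that signs them. The following added example (not from the advisory or the vendor) contrasts that design with one where the device stores only a public key. The key, patch bytes and function names are constructed, and a Lamport one-time signature stands in for a production scheme such as Ed25519 so the code runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed placeholder, NOT the vendor's key or patch format.
EMBEDDED_KEY = b"constructed-long-string-present-in-every-firmware-image"

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hmac_tag(key: bytes, patch: bytes) -> bytes:
    return hmac.new(key, patch, hashlib.sha256).digest()

def device_verify_hmac(patch: bytes, tag: bytes) -> bool:
    # Weak design: the verifying secret is also the signing secret.
    return hmac.compare_digest(hmac_tag(EMBEDDED_KEY, patch), tag)

# Hardened design: the device stores only a public key. A Lamport one-time
# signature stands in for Ed25519/ECDSA/RSA here (assumption of this example);
# each Lamport key pair may sign a single message only.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def device_verify_sig(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(
        hmac.compare_digest(_h(sig[i]), pk[i][bits[i]]) for i in range(256))

def demo():
    vendor_patch = b"#!/bin/sh\n# constructed vendor update\n"
    foreign_patch = b"#!/bin/sh\n# constructed update from someone else\n"
    # Anyone who downloads the firmware holds EMBEDDED_KEY, so their tag verifies.
    hmac_accepts_foreign = device_verify_hmac(
        foreign_patch, hmac_tag(EMBEDDED_KEY, foreign_patch))
    sk, pk = lamport_keygen()  # sk stays with the vendor; only pk ships
    sig = lamport_sign(sk, vendor_patch)
    sig_accepts_vendor = device_verify_sig(pk, vendor_patch, sig)
    sig_accepts_foreign = device_verify_sig(pk, foreign_patch, sig)
    return hmac_accepts_foreign, sig_accepts_vendor, sig_accepts_foreign

if __name__ == "__main__":
    print(demo())
```

With the shared-key scheme the device accepts a tag computed by any holder of the firmware image, while under the public-key scheme the material stored on the device can only verify, not sign.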
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
RITTAL GmbH & Co. KG · IoT Interface & CMC III Processing Unit