[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability
From: "info@xxxxxxxxxxxxxxxxxxxxx" <info@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 17 Oct 2022 10:01:57 +0200

Document Title:
===============
RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2261

Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspot


Release Date:
=============
2022-10-11


Vulnerability Laboratory ID (VL-ID):
====================================
2261


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
2.000€ - 3.000€


Product & Service Introduction:
===============================
This product, solution or service ("Product") contains third-party software 
components listed in this document. These components are Open Source
Software licensed under a license approved by the Open Source Initiative 
(www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")
and/or commercial or freeware software components. With respect to the OSS 
components, the applicable OSS license conditions prevail over any other
terms and conditions covering the Product. The OSS portions of this Product are 
provided royalty-free and can be used at no charge.

If SIEMENS has combined or linked certain components of the Product with/to OSS 
components licensed under the GNU LGPL version 2 or later as per the
definition of the applicable license, and if use of the corresponding object file is not 
unrestricted ("LGPL Licensed Module", whereas the LGPL
Licensed Module and the components that the LGPL Licensed Module is combined with or 
linked to is the "Combined Product"), the following additional
rights apply, if the relevant LGPL license criteria are met: (i) you are 
entitled to modify the Combined Product for your own use, including but not
limited to the right to modify the Combined Product to relink modified versions 
of the LGPL Licensed Module, and (ii) you may reverse-engineer the
Combined Product, but only to debug your modifications. The modification right 
does not include the right to distribute such modifications and you
shall maintain in confidence any information resulting from such 
reverse-engineering of a Combined Product.

Certain OSS licenses require SIEMENS to make source code available, for 
example, the GNU General Public License, the GNU Lesser General Public License
and the Mozilla Public License. If such licenses are applicable and this 
Product is not shipped with the required source code, a copy of this source
code can be obtained by anyone in receipt of this information during the period 
required by the applicable OSS licenses by contacting the following address.


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a dns snooping 
vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source 
Software) with Hotspot Siemens Portal.


Vulnerability Disclosure Timeline:
==================================
2020-08-03: Researcher Notification & Coordination (Security Researcher)
2020-08-04: Vendor Notification (Security Department)
2020-08-27: Vendor Response/Feedback #1 (Security Department)
2020-11-10: Vendor Response/Feedback #2 (Security Department)
2021-01-30: Security Acknowledgements (Security Department)
2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)
2022-10-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A dns cache snooping vulnerability has been discovered in the official Rhein 
Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot 
Siemens Portal.
The vulnerability allows remote attackers to determine resolved sites and name 
servers to followup with manipulative interactions.

The vulnerability allows remote attackers to determine which domains have 
recently been resolved via this name server, and therefore which hosts have 
been recently visited.
For instance, if an attacker was interested in whether your company utilizes 
the online services of a particular financial institution, they would be able 
to use this attack
to build a statistical model regarding company usage of that financial 
institution. Of course, the attack can also be usead to find B2B partners, 
web-surfing patterns, external
mail servers, and more. If this is an internal DNS server not accessible to 
outside networks, attacks would be limited to the internal network. This may 
include employees,
consultants and potentially users on a guest network or WiFi connection if 
supported.


Proof of Concept (PoC):
=======================
The dns cache snooping vulnerability can be exploited by remote attackers with 
wifi guest access without user interaction or privileged user account.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


--- PoC Session Logs ---
Sent a non-recursive query for test.com
and received 1 answer: dnsmasq-2.75
93.184.216.34

Hosts
53 / udp / dns  
192.168.44.1


Solution - Fix & Patch:
=======================
Improve the cache management via dns to ensure no manipulations can take place.
Contact the manufacturer siemens to resolve the issue by an automated or manual 
patch.
2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)
The patching process will be delivered by siemens during train maintenance and 
will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).


Security Risk:
==============
The security risk of the web vulnerability in the siemens hotspot rxx wifi is 
estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] 
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been 
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com               www.vuln-lab.com                
                www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com      paste.vulnerability-db.com      
                infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab                facebook.com/VulnerabilityLab   
                youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   
vulnerability-lab.com/rss/rss_upcoming.php      
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    
vulnerability-lab.com/register.php  
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

                                    Copyright © 2022 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Attachment: OpenPGP_0x95DC813F243F1D61.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] MapTool v1.11.5 - Cross Site Scripting Vulnerabilities
Next by Date: [FD] Backdoor.Win32.Redkod.d / Weak Hardcoded Credentials
Previous by thread: [FD] MapTool v1.11.5 - Cross Site Scripting Vulnerabilities
Next by thread: [FD] Backdoor.Win32.Redkod.d / Weak Hardcoded Credentials
Index(es):
- Date
- Thread