
Milesight UG67: Privileged Access Using USB Console

Attackers with physical access to the Milesight UG67 Outdoor LoRaWAN Gateway are able to gain full control over the installed operating system using an unprotected USB console.

Details

Introduction

The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor deployments.

The Milesight UG67 Outdoor LoRaWAN Gateway provides a USB-C socket marked ‘Console’ below the lower right transparent screw cap. This socket provides a serial interface to the gateway’s main CPU via a built-in Silicon Labs CP2102 USB-to-serial converter.

Proof of Concept

With physical access, it is possible to connect the gateway to an attacker’s system via USB and use a serial TTY tool (‘tio’ in the following) to interact with the device.

During power-on or reboot (which can, for example, be achieved by cutting power for a few minutes), it is possible to observe the system startup messages:

# tio </path/to/device>
 Connected

U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
[...]
Starting kernel ...

Booting Linux on physical CPU 0x0
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023
Sotfware : linux-ug6x-2.1.3
[...]
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
[...]

root@(none)

BusyBox v1.25.1 (2023-11-01 14:45:57 CST) built-in shell (ash)

================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

By pressing the ‘f’ key when prompted, it is possible to enter the failsafe mode of the underlying OpenWRT system. This allows mounting the root filesystem:

root@(none):/# mount_root

At this point, an attacker has full access to the system. That way, stored account information and password hashes from ‘/overlay/upper/etc/shadow’, or, if present, VPN credentials can be extracted for analysis. With ‘root’ privileges, it is also possible to freely modify the system, including disabling the firmware upgrade mechanism to prevent future updates from cleaning the device. See rt-sa-2024-002 for an analysis of the password hashes of the default user accounts.

Workaround

Mount the UG67 Outdoor LoRaWAN Gateway at a physically secure location, for example indoors, to protect it from physical access.

Fix

Failsafe mode should be disabled in the OpenWRT configuration using

Preinit configuration options -> Disable failsafe

as described in the patch https://github.com/openwrt/openwrt/commit/b4e33a1c08f7e0b980b14687ef601bd30634464a
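To verify that a firmware build actually has failsafe disabled, it is useful to check a captured console boot log for the failsafe prompt rather than relying on the configuration alone. The following script is an added example and not part of the advisory; the two boot logs are constructed from the excerpt above (the “fixed” log simply lacks the prompt) and the function names are assumptions.

```python
import re

# Constructed console transcript modelled on the advisory's excerpt
# (not a real capture). The "Sotfware" spelling is as printed by the device.
VULNERABLE_BOOT_LOG = """\
U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
Starting kernel ...
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023
Sotfware : linux-ug6x-2.1.3
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
BusyBox v1.25.1 (2023-11-01 14:45:57 CST) built-in shell (ash)
================= FAILSAFE MODE active ================
"""

# Constructed log of a build with failsafe disabled: no prompt, no failsafe shell.
FIXED_BOOT_LOG = """\
U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
Starting kernel ...
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023
Sotfware : linux-ug6x-2.1.3
"""

FAILSAFE_PROMPT = re.compile(r"Press the \[f\] key .* failsafe mode")
FAILSAFE_ACTIVE = re.compile(r"FAILSAFE MODE active")
# Accept both the device's "Sotfware" and the correctly spelled "Software".
SOFTWARE_LINE = re.compile(r"^So[ft]{2}ware\s*:\s*(\S+)", re.MULTILINE)


def analyse_boot_log(text: str) -> dict:
    """Summarise whether a captured console boot log exposes the failsafe path."""
    sw = SOFTWARE_LINE.search(text)
    return {
        "software": sw.group(1) if sw else None,
        "failsafe_prompt_offered": bool(FAILSAFE_PROMPT.search(text)),
        "failsafe_shell_reached": bool(FAILSAFE_ACTIVE.search(text)),
    }


def failsafe_disabled(text: str) -> bool:
    """True only if neither the failsafe prompt nor a failsafe shell appears."""
    result = analyse_boot_log(text)
    return not (result["failsafe_prompt_offered"] or result["failsafe_shell_reached"])
```

The check is intended as an acceptance test on a serial capture taken after flashing the fixed firmware.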

Security Risk

With physical access to the Milesight UG67 Outdoor LoRaWAN Gateway, it is possible to gain full control over the installed operating system by briefly attaching a USB interface, rebooting the system and typing the ‘f’ key. While the requirement for physical access limits possible attackers, the Milesight UG67 Outdoor LoRaWAN Gateway is intended to be mounted outdoors, which exposes it. Due to the precondition of physical access the unprotected USB console is deemed to pose a medium risk despite the grave consequences for the device.

Timeline

  • 2024-04-25 Vulnerability identified
  • 2024-04-29 Customer approved disclosure to vendor
  • 2024-05-14 Vendor notified
  • 2024-06-28 asked Vendor for update
  • 2024-07-03 Vendor will provide Update until end of July
  • 2024-07-24 asked Vendor for update
  • 2024-07-30 Vendor stated: Work in Progress
  • 2024-08-09 Vendor stated: Fix expected Q3/24
  • 2024-09-24 CVE ID requested
  • 2024-09-24 asked Vendor for update
  • 2024-09-24 Vendor stated: Fix in 60.0.0.44
  • 2024-10-04 CVE ID assigned
  • 2024-10-07 asked Vendor for update
  • 2024-10-08 Vendor stated: Fix will be available mid-October
  • 2024-10-18 asked Vendor for update
  • 2024-10-21 Vendor stated: Fix will be available mid-November
  • 2024-11-04 Vendor released fixed version for testing
  • 2024-11-05 Vendor released fixed version
  • 2024-12-10 Customer approved public release of vulnerability details
  • 2024-12-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/