Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)

Current Vendor: Gigaset
Vendor URL: https://www.gigaset.com/es_es/gigaset-dx600a-isdn/
Versions affected: V41.00-175.00.00-SATURN-175.00
Systems Affected: DX600A
Authors: Manuel Ginés - manuel.gines[at]nccgroup[dot]com
Admin Service Weak Authentication
CVE Identifier: CVE-2021-25309
Risk: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AT Command Buffer Overflow
CVE Identifier: CVE-2021-25306
Risk: 4.5 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Summary

According to the official documentation, the Gigaset DX600A is a high-end ISDN desktop phone with Bluetooth support, efficient contact management and multiple answering machines. The latest version of the official firmware was affected by two vulnerabilities that allowed unauthenticated users to retrieve the administrative password due to a weak authentication mechanism, or to compromise the device's availability through low-traffic Denial of Service attacks.

Impact

Successful exploitation of the first vulnerability would lead to unauthorized administrative access to the device. Achieving this level of privilege gives access to confidential information such as contacts, recent phone calls or messages, and allows the attacker to completely change the device's configuration. An attacker-controlled configuration could, for example, route the device's traffic through an attacker-controlled machine.

In addition, abuse of the AT Command Buffer Overflow vulnerability would lead to a Denial of Service condition by triggering a reboot of the device.

Details

Administrative Service Weak Authentication Mechanism (CVE-2021-25309)

The telnet remote administration service running on port 650/tcp of Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling mechanism. In conjunction with the extremely weak password policy, which restricts the passcode to just 4 digits, this allows remote attackers to obtain administrative access via brute-force attacks in a short period of time.
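Because the vendor does not plan a firmware update, the practical control against this issue is network-side: watch for bursts of connections to the administration port from a single source, which is what an exhaustive search of a 4-digit passcode against an unthrottled service looks like in traffic. The following added example (written for this page, not NCC Group's or Gigaset's code) implements a sliding-window detector over syslog-like firewall accept lines. The log format, the addresses, the 60-second window and the 20-attempt threshold are all constructed assumptions; adapt the regex and thresholds to your own firewall or flow export.

```python
"""
Added example: network-side detection of brute-force attempts against an
unthrottled passcode service such as the DX600A telnet administration port
(650/tcp). The log format below is a constructed, syslog-like firewall
accept line and the addresses are made up for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ADMIN_PORT = 650           # telnet administration service named in the advisory
WINDOW_SECONDS = 60        # sliding window length (assumption, tune per site)
THRESHOLD = 20             # connection attempts per window that trigger an alert

# Constructed log format: "<ISO timestamp> ACCEPT TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_bruteforce(lines, port=ADMIN_PORT, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """
    Sliding-window counter of TCP connections per (src, dst) pair to `port`.
    Returns a list of (src, dst, alert_timestamp, count) tuples, one per
    (src, dst) pair, emitted the first time that pair crosses the threshold
    within the window.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport != port:
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, ts, len(q)))
    return alerts


# Constructed sample: an admin workstation (10.0.0.5) connecting twice, five
# minutes apart; unrelated web traffic; and a host (10.0.0.99) opening a new
# session against the admin port every two seconds.
SAMPLE_LOG = (
    ["2021-02-28T10:00:00 ACCEPT TCP 10.0.0.5:51000 -> 10.0.0.20:650",
     "2021-02-28T10:05:00 ACCEPT TCP 10.0.0.5:51001 -> 10.0.0.20:650",
     "2021-02-28T10:05:01 ACCEPT TCP 10.0.0.9:40000 -> 10.0.0.20:80"]
    + [f"2021-02-28T10:10:{2 * i:02d} ACCEPT TCP 10.0.0.99:{40000 + i} -> 10.0.0.20:650"
       for i in range(25)]
)

if __name__ == "__main__":
    for src, dst, ts, n in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src} -> {dst}:{ADMIN_PORT}: "
              f"{n} connections in {WINDOW_SECONDS}s")
```

The detector keys on the (source, destination) pair rather than the source alone, so a legitimate administrator who also manages other hosts on the segment is not conflated with a scan, and it alerts once per pair so a sustained attempt does not flood the console. On the sample data only 10.0.0.99 is reported, at the 20th connection.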

AT Command Buffer Overflow (CVE-2021-25306)

The buffer overflow vulnerability discovered in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending specially crafted long AT commands.

Recommendation

Since the vendor does not expect any further software changes for this device, it is recommended to restrict external access to the affected interfaces in order to minimize the attack surface. This includes the telnet TCP port and the Bluetooth serial port connection.
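As an added illustration of the telnet part of this recommendation (not from the advisory or the vendor), the following nftables fragment on a gateway in front of the phone forwards traffic to 650/tcp only from a management subnet and drops it from everywhere else. The phone address 10.0.0.20 and the management subnet 10.0.0.0/28 are constructed placeholders; the Bluetooth serial interface cannot be filtered this way and has to be disabled or kept out of reach physically.

```nft
table inet dx600a_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Allow replies for sessions that were already permitted.
        ct state established,related accept

        # Only the management subnet may reach the telnet admin service
        # (port 650/tcp, as named in the advisory) on the phone.
        ip daddr 10.0.0.20 tcp dport 650 ip saddr 10.0.0.0/28 accept
        ip daddr 10.0.0.20 tcp dport 650 counter drop
    }
}
```

The `counter` on the drop rule gives a cheap indicator of how often the port is being probed, which complements a log-based detector without requiring any change on the device itself.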

Vendor Communication

  • 22 Jan 2021 – NCC Group notified Gigaset of the vulnerabilities found.
  • 26 Jan 2021 – Gigaset answered that there are no plans to update the device anymore but it will be considered for future projects.
  • 26 Jan 2021 – NCC Group provided technical details of the vulnerabilities and notified Gigaset of the plans to publish this advisory.
  • 28 Feb 2021 – Advisory published.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 28/02/2021
Written by: Manuel Ginés Rodríguez