Share
## https://sploitus.com/exploit?id=PACKETSTORM:180350
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2024-035  
Product: DiCal-RED  
Manufacturer: Swissphone Wireless AG  
Affected Version(s): Unknown  
Tested Version(s): 4009  
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2024-04-16  
Solution Date: None  
Public Disclosure: 2024-08-20  
CVE Reference: CVE-2024-36445  
Author of Advisory: Sebastian Hamann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."  
  
Due to missing authentication checks, the device is vulnerable to remote code  
execution as root.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The device provides a Telnet service on TCP port 23. This service grants  
access to an interactive shell as the system's root user and does not require  
authentication.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
$ telnet <IP or hostname>  
root@DiCal-RED:~# id  
uid=0(root) gid=0(root) groups=0(root)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer recommends not running the device in an untrusted network.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for DiCal-RED  
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-035  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-035.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Hamann of SySS GmbH.  
  
E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5a+RA//U6KMckje2e155lbDDv0WKneeJ6Csa/DIjLVibgavlbtaXQwkV1AkRFUm  
waN/PLm5nI6Ish3jssLT86Y6HJxaosbijdPuUT5pPfcrvMl0Hh0qvEblAkXxK0VE  
CcfQeiiAsWeHxMpOp2a3P1qHk8TM1aoqsc+IQlZwO1QBCfKP6kXiuJE2tqjKcevf  
nl3O9MQ3x+gDpzQfVndbUWT8eTwnZ0tmL6a6xCbOznqnFuOpIpINbvy9p3Yn2PWe  
F4o2BOIxB+r8jOChSewBPXIzx+qJbunT3x/lhBj764a7qxnIdgN+Bvyl1dTC3l+g  
LvdKNDoRsmRVkZJtkRHVjGeEzoEus15DlWYqZcRKxSjQC24Cp2KYM5bGTM1jTDbE  
AZF6Ax/ECPRkU4HnP4HVHDYokY9Xl2sidFpRikCyAGEQsrKFgN9+ncqqg18kfWEX  
dWWVybcDKZ2DqgGYomVWS9CWRaG/TWZbW9Ys1Yo3WYs8BRbMYzPVJGsZsj7UI7Bu  
SrBkCvwXZVw6moQfl90dlLp56Ri3z8KVaiexHjYrFez84LoXm98M6/Ea4HIaf8HP  
ZrF6NPsAG+BNLR8kq8Ad3a1GbT7GJgecxt2pSEVpYAFS0131gAL/EEDWKYli6G81  
f10KSC5fLBiVO2zQCIDvymmhbgpLSlF+s4llHXlrcOG2oVGkEBI=  
=3bUQ  
-----END PGP SIGNATURE-----