Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Arlo Basestation Firmware Multiple Vulnerabilities

High

Synopsis


Insufficient UART Protection Mechanisms


A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are "ngroot":"ngbase".

With physical access, connecting to the serial port is relatevily trivial as it immediately drops the user to a login prompt. While the UART credentials (UART_username and UART_passwd) are encrypted in the nvram entries, the encryption key is hardcoded on the device via the PASS_ENC (GEARNET) environment variable (which is cleared after the initial boot and nvram encryption).

(AV:L/AC:L/Au:N/C:C/I:C/A:C)


Networking Misconfiguration


The base station contains two networking interfaces: an interface reserved for the internal camera network and an interface reserved for connection to the external LAN (typically the home network the base station operates from).

When connected to the same LAN as the base station, when specifying the base station as our gateway (or by adding the appropriate route to our routing table), we are able to hit the interface used for the internal camera network. This allows an attacker to probe additional services bound to this interface. In particular, the default http listener deployed by "vzdaemon" contains a "passthru" api endpoint that allows the arbitrary download or upload of files on the device. For example, simply calling "http://<internal ip of interface>/passthru/tmp/system-log" allows an attacker to download the primary logfile used for the device. While this proof of concept doesn't illustrate the most significant impact this issue can have, it nicely illustrates the functionality and demonstrates an easy test case when patching.

As "vzdaemon" runs as root, the capabilities of this passthru api endpoint could allow an attacker to completely take over the device.

(AV:A/AC:L/Au:N/C:C/I:C/A:C)


Hardcoded Private Key in Firmware Decryption


The "fwupgrade" utility on the base station contains hardcoded RSA private/public key pairs and the decryption process is now easily reversed.


----BEGIN RSA PRIVATE KEY----
MIIEpQIBAAKCAQEAxqsUswSN425Toar394cE3hf//+XlBfR5cZwpODHBj+X6UZRe
kJNlZoRH0c72D27blNf8dG2TjxsJOHm+gkoCbBz0a9ORenGNrZGZECJYDLH0MVcm
klyyh/z8cyBrMtqRiPoWzYaPN48snuUHFsF/JOVu3OIavFdu7MAGLRQ32dJeQ8Ou
ljlUK/hALVzzGseYuXHdVsj8TNIFqIvKlfMOB7T9biI8NxIoDNb8v3riHmkgSFbs
<...snipped...>
4r9QexyyduTLUQIn6MWvosMj8eG4Qp8yaLROmkb+OcJVSAX4uCp7xFNv2dT3OW++
yHcjHyECgYEAtQYGaDBpyjIgEJvAVSy0awv3zik3Ks/c5Wz4nHBV/kTB0xo5SzvM
InLrrHPVa/7oa3NMzZ5140pWuwS62rvrF7JX2kRaJ7vi3UVqmwGxGf2s9MoocS98
iSAZXhQ21meqgu5KMiLIpshrEubd3CPtq6to+yicoqXvOQ0v3DaMndU=
----END RSA PRIVATE KEY----

----BEGIN PUBLIC KEY----
MIIDRjCCAjkGByqGSM44BAEwggIsAoIBAQCPJ9cjoVgpXihsTEvSM2Murt7KBLhd
+qE0YReJWuY2JD3KbHOv6iTXSIjFKmlUR31NGhJ1FTvak5c01/mt88OXkdzRhoFy
iM49kWyx0NRntnHk8gcJFKZ29/+c+2kCHR3H2qA9ldhPEgP5xuLttui8Bd2FNKla
<...snipped...>
zZIlO6sNqrjnGBdcjmaU1N/pabNNsxwxFY/NtT5l3xInJEKUwBC/m0dUrOYqQ3pm
ljupxzfME60EEmitRXAPvgPcDyUYGqXpj9+P1vL2ANHT2tjNYk+dJJokgYmLryHs
kfHPzmcDKe0K3A7Ik/JN08TFeZZ1jkVGfwkU2Mygnkg+TU5Nc/S0irwavNf0yPdM
zv82QkIx0KB7c8mEoUTlHAnmP+cJN6yncpVAHEDgK+s+EHRHF6tYkN6V1bDgWbSd
e3jhuLWvHUjC+O9CWvekug/JjdkHJw40bUE=
----END PUBLIC KEY----

Solution

To correct the networking misconfiguration, verify that your basestation has been updated to the latest available version.

Disclosure Timeline

March 11, 2019 - Disclosed to Arlo’s 3rd party security partner (managed security disclosures for Arlo)
March 13, 2019 - Arlo’s 3rd party security partner confirms report.
March 16, 2019 - Arlo’s 3rd party security partner confirms Arlo's openness to the coordinated disclosure.
March 21, 2019 - Arlo’s 3rd party security partner states that Arlo is investigating the issues.
March 29, 2019 - Tenable requests status update.
March 29, 2019 - Arlo’s 3rd party security partner requests that specific vulnerabilities be created as separate submissions (Network Misconfiguration, Credentials and sensitive info, GPL code release). Other reported issues are considered duplicates.
March 29, 2019 - Tenable creates 3 new submissions for the above.
March 29, 2019 - Arlo’s 3rd party security partner acknowledges all 3 submissions and closes out the initial report.
April 4, 2019 - Arlo’s 3rd party security partner marks the 3 new submissions as "Triaged."
April 4, 2019 - Arlo’s 3rd party security partner marks original submission as "Not applicable."
April 8, 2019 - Tenable requests status update.
April 9, 2019 - Arlo’s 3rd party security partner/Arlo assign identifiers to two submissions (GPL code and Network Misconfiguration).
April 9, 2019 - Arlo’s 3rd party security partner/Arlo mark GPL code submission as "Not applicable."
April 19, 2019 - Our researcher finds out that Arlo has patched one of the vulnerabilities.
April 19, 2019 - Tenable requests updates on all issues.
April 22, 2019 - Arlo appears to have rolled back patch. Tenable requests updates again.
April 29, 2019 - Tenable requests updates for all issues.
May 3, 2019 - Tenable requests updates on all submissions.
May 10, 2019 - No response from Arlo’s 3rd party security partner or vendor, sent a reminder.
May 17, 2019 - Tenable reaches out to Arlo directly based on the note from Arlo’s 3rd party security partner.
May 21, 2019 - Tenable reaches out to Arlo directly based on the note from Arlo’s 3rd party security partner.
May 21, 2019 - Arlo’s 3rd party security partner marks credentials issue as duplicate.
May 21, 2019 - Arlo’s 3rd party security partner acknowledges Network Misconfiguration issue and valid finding.
May 21, 2019 - It appears Arlo has patched one of the vulnerabilities again that had the fix rolled back.
May 23, 2019 - Tenable meets with Arlo representative. Tenable transitions disclosure from Arlo’s 3rd party security partner to direct communication.
May 23, 2019 - Arlo unable to review latest communication due to PGP confusion.
May 24, 2019 - Tenable confirms PGP key used.
May 28, 2019 - Arlo is unable to decrypt. Provides Onedrive link to upload to.
May 29, 2019 - Tenable uploads disclosure information.
May 30, 2019 - Arlo requests clarification of an issue.
May 30, 2019 - Tenable provides clarification.
June 3, 2019 - Tenable responds to meeting invite.
June 4, 2019 - Arlo and Tenable discuss disclosure timeline
June 11, 2019 - Arlo CIO requests meeting.
June 12, 2019 - Arlo CIO and Tenable CTO discuss disclosure.
June 25, 2019 - Arlo and Tenable meet again.
July 1st, 2019 - Arlo releases their advisory ahead of agreed upon date

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.