Advisory ID:               SYSS-2023-013
Product:                   Miniserver Go Gen.2
Manufacturer:              Loxone
Affected Version(s):       <14.0.3.28
Tested Version(s):         14.0.3.28, 13.1.11.17
Vulnerability Type:        Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2023-05-03
Solution Date:             2023-06-20
Public Disclosure:         2023-06-30
CVE Reference:             CVE-2023-36623
Author of Advisory:        Tobias Jäger, SySS GmbH
                           Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Loxone Miniserver Go is a smart home hub.

The manufacturer describes the product as follows (see [1]):

"The Loxone Miniserver Go serves as central control unit for all kinds
of automation tasks."

Due to the use of hardcoded keys, the root password can be derived from
the MAC address.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Loxone Miniserver calculates the root password using the command
"miniserverinit setpwd".
The root password is derived from the MAC address of the Miniserver,
using hardcoded cryptographic keys.

The root password is calculated by encrypting the MAC address of the
device using the AES256-CBC algorithm. The encryption key and
initialization vector are hardcoded in the binary "miniserverinit".
The ciphertext is then Base64-encoded and, additionally, some characters
are substituted. The root password is then the 20-character substring
starting with the 10th character.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

# python3 calc_root_pw.py 50:4f:94:a5:b1:e4
Root password: VRuM10yZrBRMuC1gi7qy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install firmware version 14.2.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-04-21: Vulnerability discovered
2023-05-03: Vulnerability reported to manufacturer
2023-06-20: Patch released by manufacturer
2023-06-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for the Loxone Miniserver Go
    https://www.loxone.com/dede/kb/miniserver-go/
[2] SySS Security Advisory SYSS-2023-013
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-013.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger and Moritz Abrell
of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
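
Added example (not part of the SySS advisory and not Loxone code): the password pattern described under "Vulnerability Details", modelled next to a hardened provisioning scheme. FIRMWARE_CONSTANT and the MAC address are constructed placeholders, HMAC-SHA512 stands in for the AES256-CBC step so that only the Python standard library is needed, and the character substitution is left out because the advisory does not specify it.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed placeholder for "a constant shipped in every firmware image".
# It is not the key from the affected binary.
FIRMWARE_CONSTANT = b"constructed-placeholder-constant"
PBKDF2_ROUNDS = 600_000


def derived_password(mac: str) -> str:
    """Weak pattern: the password is a pure function of the MAC address."""
    # HMAC-SHA512 stands in for the AES-256-CBC step (assumption, stdlib only).
    blob = hmac.new(FIRMWARE_CONSTANT, mac.lower().encode(), hashlib.sha512).digest()
    encoded = base64.b64encode(blob).decode()
    # 20 characters starting with the 10th, as the advisory describes.
    return encoded[9:29]


def provision_device() -> tuple[str, bytes, bytes]:
    """Hardened pattern: per-device random password; only a salted hash is stored."""
    password = secrets.token_urlsafe(15)  # 15 random bytes -> 20 characters
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return password, salt, stored


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    mac = "02:00:00:00:00:01"  # constructed, locally administered MAC
    # Two parties holding the same firmware image compute the same value.
    print("derived twice:", derived_password(mac), derived_password(mac))
    pw_a, salt_a, hash_a = provision_device()
    pw_b, _, _ = provision_device()
    print("provisioned  :", pw_a, pw_b)
    print("verify ok    :", verify_password(pw_a, salt_a, hash_a))
```

The derived value contains no per-device secret: its only inputs are an address visible on the local network and a constant present in every copy of the firmware, whereas the provisioned password cannot be recomputed from either.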