New vulnerabilities have been discovered in the Fortress S03 Wi-Fi Home Security System that could be abused by a malicious party to gain unauthorized access and alter system behavior, including disarming the devices without the victim's knowledge.
The two unpatched issues, tracked as CVE-2021-39276 (CVSS score 5.3) and CVE-2021-39277 (CVSS score 5.7), were discovered by cybersecurity firm Rapid7 and reported to the vendor in May 2021 with a 60-day deadline to fix the weaknesses. In a recent blog post, Rapid7 revealed that the company behind the Fortress S03 system had deployed no patches to address the vulnerabilities.
In a detailed analysis published Wednesday, August 15, Rapid7 researchers Yossef Oren and Harry Sverdlove say the first vulnerability (CVE-2021-39276) enables a remote attacker to obtain an encrypted administration password from a device over HTTPS without needing valid credentials.
As noted in the analysis titled ‘We Have You By The Wi-Fi,’ it is possible to retrieve three other passwords from a device without authentication by exploiting CVE-2021-39276.
“These three passwords are used to decrypt the other password hashes stored in the device, which are needed by other internal services to authenticate to the other internal services. The first two of these internal services are also affected by the other two vulnerabilities, so it is possible to achieve remote code execution without authentication if one can decrypt these passwords,” Rapid7 researchers said.
The second vulnerability (CVE-2021-39277) is another plaintext recovery flaw that can be used by an attacker to reset the admin password via a “valid action” request over HTTPS. Once an attacker has reset the admin password, they can use CVE-2021-39276 and gain full access to all users’ Wi-Fi credentials.
“This allows a remote attacker to reset the admin password from a single malicious request, which then enables the attacker to exploit CVE-2021-39276 and carry out further attacks,” Rapid7 researchers said.
“Firmware is now available that includes and expedites the fixes and we’re very grateful for the support and flexibility. We’d like to say thanks to Fortress, as they have been a pleasure to work with,” Rapid7 analysts said.
Rapid7 said it had been "working with the technical teams of both Fortress and Rapid7 to address some critical security vulnerabilities discovered in the Wi-Fi Home Security System."
“This matter was resolved amicably, so we will not be releasing any further details of this situation at this time,” Rapid7 said. “Once the vulnerabilities have been fully remediated, we will provide a full technical report of what happened. We will also provide an update on any other relevant topics at that time.”
Fortress S03 is a home security alarm system that includes Wi-Fi connectivity and is designed to connect with a plethora of smart-home devices, such as smoke detectors, motion sensors, and other home appliances.
Because the Fortress S03 is poorly secured and easy to reach over the network, experts believe the device could be conscripted into a botnet for DDoS attacks. According to Rapid7 experts, even an attacker with no intention of launching a DDoS attack with the Fortress S03 Wi-Fi Home Security System can still turn the vulnerabilities to their advantage.
"Some applications allow the admin password for an administrative account to be set via HTTP POST, which is normally used for updating configuration settings. However, there is a bug in the way the admin password is set up which causes it to be stored as plaintext in a file called /etc/config/ssh instead of requiring a password," Rapid7 said.
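The two weaknesses the write-up describes, an admin password that a single unauthenticated request can reset (CVE-2021-39277, as the article presents it) and a credential written to a configuration file in plaintext (the /etc/config/ssh behaviour quoted above), as an added illustration in Python. This is not Fortress firmware and not Rapid7's proof-of-concept: the classes, method names, request shapes and in-memory "config file" are hypothetical stand-ins. The vulnerable pattern sits beside a hardened handler that requires an authenticated session and the current password, stores only a salted scrypt hash, invalidates sessions after the change, and never returns the credential.

```python
"""Added illustration, not device or vendor code. Names are hypothetical."""
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # 16 MiB per hash; tune for the target


class VulnerableDevice:
    """Stand-in for a device that writes the admin password straight to its config."""

    def __init__(self) -> None:
        self.config = {"admin_password": "initial"}  # plaintext, like /etc/config/ssh

    def handle_reset(self, request: dict) -> dict:
        # Nobody is asked who they are: one POST replaces the admin password.
        self.config["admin_password"] = request["new_password"]
        return {"status": "ok"}

    def handle_get_config(self, request: dict) -> dict:
        # The config endpoint hands the stored credential to any caller.
        return {"admin_password": self.config["admin_password"]}


class HardenedDevice:
    """Same two endpoints with authentication and hashed storage."""

    def __init__(self, initial_password: str) -> None:
        self.sessions: set = set()
        self.config = {"admin_hash": self._hash(initial_password)}

    @staticmethod
    def _hash(password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
        return salt.hex() + "$" + digest.hex()

    @staticmethod
    def _verify(password: str, stored: str) -> bool:
        salt_hex, digest_hex = stored.split("$")
        cand = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
        return hmac.compare_digest(cand, bytes.fromhex(digest_hex))  # constant time

    def login(self, password: str) -> Optional[str]:
        if not self._verify(password, self.config["admin_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def handle_reset(self, request: dict) -> dict:
        if request.get("session") not in self.sessions:
            return {"status": "error", "reason": "authentication required"}
        if not self._verify(request.get("current_password", ""), self.config["admin_hash"]):
            return {"status": "error", "reason": "current password required"}
        self.config["admin_hash"] = self._hash(request["new_password"])
        self.sessions.clear()  # every session, including the caller's, must re-authenticate
        return {"status": "ok"}

    def handle_get_config(self, request: dict) -> dict:
        if request.get("session") not in self.sessions:
            return {"status": "error", "reason": "authentication required"}
        return {"admin_hash": "<redacted>"}  # the secret never leaves the device


def demo() -> dict:
    """Run both devices through the same attacker and operator requests."""
    weak = VulnerableDevice()
    weak.handle_reset({"new_password": "attacker"})  # unauthenticated reset succeeds
    leaked = weak.handle_get_config({})["admin_password"]

    hard = HardenedDevice("initial")
    unauth = hard.handle_reset({"new_password": "attacker"})["status"]
    token = hard.login("initial")
    rotated = hard.handle_reset(
        {"session": token, "current_password": "initial", "new_password": "rotated"}
    )["status"]
    return {
        "weak_leaked": leaked,                       # "attacker"
        "hard_unauth_reset": unauth,                 # "error"
        "hard_auth_reset": rotated,                  # "ok"
        "old_token_reusable": token in hard.sessions,  # False
        "old_password_works": hard.login("initial") is not None,  # False
        "new_password_works": hard.login("rotated") is not None,  # True
        "plaintext_in_config": "rotated" in json.dumps(hard.config),  # False
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hardened handler's checks map onto the two flaws: the session and current-password requirements close the single-request reset, and hashed storage means an unauthenticated read of the config file or endpoint yields nothing directly usable as a credential.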
Rapid7 researchers have released proof-of-concept (PoC) code that lets security researchers, and attackers, analyze and exploit the vulnerabilities in the Fortress S03 Wi-Fi Home Security System. The vulnerabilities were reported to the vendor in May 2021 and published after the disclosure deadline passed, with no patches released by the Fortress S03 vendor at the time of publication.
In conclusion, Rapid7 recommends that users disable HTTPS as the default option, since the Fortress S03 is known to work only over HTTP, a configuration the company has formally supported.
“While you can still manually configure admin credentials via a web interface, we recommend disabling HTTPS as a default option for all device ports to avoid accidentally exposing admin credentials on connections made via a vulnerable port,” Rapid7 researchers said. “In any case, always update your device with the latest firmware available from Fortress.”