Buffalo BS-GS Series - Vulnerability Report

Product Description

The BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices from Buffalo are multi-port gigabit smart switches that provide a comprehensive set of HTTP/HTTPS web-based network management features, including VLAN, SNMP, port trunking/link aggregation, DHCP snooping, STP support and 802.1p QoS.

Affected Products

All Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices running version 1.0.10.01 and earlier.

Vulnerability Summary

[CVE-2023-24464] - Persistent Cross-site Scripting (CWE-79).

The Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P series devices are affected by a persistent (stored) cross-site scripting vulnerability because the CertFilePath POST parameter is not sanitised when an SSL certificate is uploaded to /action/formCertUL. A successful exploit lets an attacker inject JavaScript that is stored on the device and executed in the browser of any user who views the affected page of the web management interface. This issue affects all Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices running version 1.0.10.01 and earlier.

[CVE-2023-26588] - Use of Hard-coded Cleartext Password (CWE-798).

The Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P series devices contain hard-coded cleartext credentials for a hidden debug user account. An attacker who extracts the strings from the firmware image obtains the password and gains access to the hidden web UI page. This issue affects all Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices running version 1.0.10.01 and earlier.

[CVE-2023-24544] - Improper Access Control (CWE-284).

The Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P series devices are affected by an insecure-design vulnerability caused by an improper directory access restriction. An unauthenticated remote attacker can send a crafted URI containing the path of the device configuration file or of the device SSL certificate file and download either file. This issue affects all Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices running version 1.0.10.01 and earlier.

Reproduction Steps

Persistent Cross-site Scripting (CWE-79)

The certificate.asp page lets users upload and store their own SSL certificate. Besides the certificate itself, a second POST parameter (CertFilePath) names the certificate that is sent to the server. Because this parameter is not sanitised, an attacker can inject JavaScript that is stored on the device and executed every time a user opens certificate.asp.

When a legitimate user opens the certificate.asp page of the web management interface, the stored JavaScript payload runs in that user's browser.
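To make the root cause and the fix concrete, the following added example (not code from the report or from Buffalo) models how a stored CertFilePath value ends up in certificate.asp. The markup around the value, the allow-list pattern and the sample names are assumptions for illustration; the vulnerable renderer simply concatenates the stored name, the fixed one HTML-encodes it and additionally rejects names that are not plain file names at upload time.

```python
import html
import re

# Constructed sample values. MALICIOUS_NAME stands in for an attacker-chosen
# CertFilePath POST parameter; the payload is a benign alert used only to show
# that script in the name becomes live HTML.
BENIGN_NAME = "switch-core-2023.pem"
MALICIOUS_NAME = 'cert.pem"><script>alert(document.cookie)</script>'


def render_vulnerable(cert_file_path: str) -> str:
    """Mimics the flaw: the stored name is concatenated into the page markup
    without encoding, so any markup inside the name is parsed by the browser.
    (The surrounding <td> is an assumed layout, not the device's real markup.)"""
    return f"<td>Current certificate: {cert_file_path}</td>"


def render_fixed(cert_file_path: str) -> str:
    """Output encoding: every HTML-significant character (<, >, &, quotes) is
    escaped, so the browser displays the name as text instead of executing it."""
    return f"<td>Current certificate: {html.escape(cert_file_path, quote=True)}</td>"


# Input validation at upload time, in addition to output encoding: accept only a
# plain file name (no path separators, no HTML metacharacters, bounded length).
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_cert_file_path(cert_file_path: str) -> bool:
    """True if the CertFilePath value matches the allow-list pattern."""
    return _SAFE_NAME.fullmatch(cert_file_path) is not None


def contains_live_script(markup: str) -> bool:
    """Demonstration check: does the rendered markup contain an unescaped
    <script> tag that a browser would execute?"""
    return "<script" in markup


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME):
        print(f"input {name!r}")
        print("  accepted by validator:             ", validate_cert_file_path(name))
        print("  vulnerable render contains script: ", contains_live_script(render_vulnerable(name)))
        print("  fixed render contains script:      ", contains_live_script(render_fixed(name)))
```

Output encoding is the control that actually removes the XSS; the allow-list is defence in depth, since a later developer may add another page that echoes the same stored value without encoding.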

Use of Hard-coded Cleartext Password (CWE-798).

After extracting and reverse engineering the firmware image, we found that the password for the hidden engineer page enginhidlogin.asp is hard-coded in cleartext in the image.

With that password we can log in to the hidden engineer page.
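The string-extraction step above is the generic part of this finding, so here is an added example (not code from the report) that reproduces what `strings` does over an extracted firmware blob and then lists the printable strings stored right after a chosen marker such as the hidden page name. The firmware fragment is constructed for the example, and the user name and password in it are placeholders, not the real credentials from the device; the window size and minimum string length are assumptions.

```python
import re

# Constructed firmware fragment standing in for a region of the extracted image.
# The credential strings are PLACEHOLDERS, not the real values from the device.
FIRMWARE_FRAGMENT = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 20
    + b"/certificate.asp\x00"
    + b"\x00" * 5
    + b"enginhidlogin.asp\x00PLACEHOLDER_USER\x00PLACEHOLDER_PASS\x00"
    + b"\x00" * 8
    + b"GET /config.bin\x00"
    + b"\xff\xfe\x00\x01"
)


def extract_strings(blob: bytes, min_len: int = 4):
    """Equivalent of `strings -n min_len`: return (offset, text) for every run of
    at least min_len printable ASCII bytes (0x20..0x7e)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def strings_near(blob: bytes, marker: bytes, window: int = 128):
    """Return the printable strings found within `window` bytes starting at the
    first occurrence of `marker`. Credentials checked by a hidden page are often
    laid out in the same read-only string table as the page name itself, so the
    neighbourhood of the marker is the first place to look."""
    pos = blob.find(marker)
    if pos < 0:
        return []
    region = blob[pos:pos + window]
    return [text for _, text in extract_strings(region)]


if __name__ == "__main__":
    # Full dump, as `strings -t x` would print it.
    for off, text in extract_strings(FIRMWARE_FRAGMENT):
        print(f"{off:#08x} {text}")
    # Focused view around the hidden page name.
    print("near enginhidlogin.asp:", strings_near(FIRMWARE_FRAGMENT, b"enginhidlogin.asp"))
```

On a real image you would run this over the unpacked root filesystem binaries (the web server or CGI handler) rather than the raw flash dump, and then confirm the candidate by finding the code that compares the submitted password against that string.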

Improper Access Control (CWE-284).

The endpoints /config.bin and /certificate.crt can be requested remotely without authentication: the server never checks the session cookie (Cookie: SID=) before serving them, so any attacker who can reach the web interface can download the device configuration and the SSL certificate.

Config file, no authentication required:

SSL Certificate, no authentication required:
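The following added example (not code from the report or from the device firmware) models the missing check as a tiny request dispatcher. The session table, the SID value in it and the public page /login.asp are assumptions made up for the example; what it shows is the difference between a handler that serves /config.bin and /certificate.crt without looking at the cookie and a default-deny handler that requires a valid SID session for everything except an explicit public allow-list.

```python
from http.cookies import SimpleCookie
from typing import Optional

# Constructed session store: SID values issued at login mapped to a user.
# (Assumption: the device's Cookie: SID= header carries such a value.)
SESSIONS = {"d41d8cd98f00b204": "admin"}

# Endpoints the report shows to be reachable without a session.
PROTECTED_PATHS = {"/config.bin", "/certificate.crt"}

# Pages a management UI must serve before login (hypothetical path).
PUBLIC_PATHS = {"/login.asp"}


def session_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Parse the Cookie header and return the user bound to its SID, or None
    when the header is missing, has no SID, or the SID is unknown."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar.get("SID")
    if sid is None:
        return None
    return SESSIONS.get(sid.value)


def handle_vulnerable(path: str, cookie_header: Optional[str] = None) -> int:
    """Mimics the flaw: download handlers are selected purely by path and never
    consult the SID cookie, so anyone who knows the path gets the file (200)."""
    if path in PROTECTED_PATHS or path in PUBLIC_PATHS:
        return 200
    return 404


def handle_fixed(path: str, cookie_header: Optional[str] = None) -> int:
    """Default deny: only allow-listed public pages skip authentication. Every
    other request needs a session that maps to a known user, and the 404 for
    unknown paths is only returned after authentication so that the file
    namespace cannot be enumerated anonymously."""
    if path in PUBLIC_PATHS:
        return 200
    if session_from_cookie(cookie_header) is None:
        return 401
    return 200 if path in PROTECTED_PATHS else 404


if __name__ == "__main__":
    for path in ("/config.bin", "/certificate.crt"):
        print(path, "no cookie  -> vulnerable:", handle_vulnerable(path), " fixed:", handle_fixed(path))
        print(path, "valid SID  -> vulnerable:", handle_vulnerable(path, "SID=d41d8cd98f00b204"),
              " fixed:", handle_fixed(path, "SID=d41d8cd98f00b204"))
```

The important design point is the ordering in `handle_fixed`: authentication is decided centrally before any path-specific handler runs, so adding a new download endpoint later cannot silently reintroduce the bug.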

Recommendation Fixes / Remediation

Vulnerability 1: Validate user input against an allow-list and encode output so that user-supplied data cannot be interpreted by the browser as markup or script. Please see the following link for more details: https://cwe.mitre.org/data/definitions/79.html

Vulnerability 2: Generate a different password for each device, for example a random, unique password assigned to each unit during manufacturing. Risk: because the password is shared by every device, an attacker only has to recover it once (e.g. from a firmware image or with physical access to a single device) to gain access to every reachable device. Please see the following link for more details: https://cwe.mitre.org/data/definitions/1188.html

Vulnerability 3: Make sure that every request sent to the back end is authenticated before it is served. Please see the following link for more details: https://cwe.mitre.org/data/definitions/284.html

Vulnerable Devices Found

As of 21 Aug 2022, 465 Buffalo BS-GS2008, BS-GS2016, BS-GS2024, BS-GS2048, BS-GS2008P, BS-GS2016P and BS-GS2024P devices affected by the vulnerabilities described here were exposed to the internet.

Reference

https://www.buffalo.jp/news/detail/20230306-01.html

Security researchers