Multiple vulnerabilities in several ATEN IP KVM Switches
Jakob Lell from the TU Berlin computer security working group (
http://www.agrs.tu-berlin.de/v-menue/ag_rechnersicherheit/parameter/en/
) has discovered multiple vulnerabilities in several ATEN IP KVM
Switches.
Affected products:
- ATEN KH1516i IP KVM Switch (browser firmware version 1.0.063)
- ATEN KN9116 IP KVM Switch (firmware version 1.1.104)
- Aten PN9108 Power over the NET (only CVE-2009-1477)
The KH1508i uses the same firmware as the KH1516i and is thus most
likely affected as well. The KN9108 uses the same firmware as the
KN9116. It is possible that other devices are affected as well. If you
have access to other similar devices and want to test whether they are
vulnerable as well, please contact me at jakob@xxxxxxxxxxxxxxxx
Impact: arbitrary code execution on the client system, information
disclosure and man-in-the-middle attacks.
Background:
Aten produces several IP KVM switches. These devices can be used like a
normal KVM switch with an attached keyboard, mouse and monitor.
However, it is also possible to access the hosts connected to the KVM
switch over a network, using an ordinary PC as a client. Since this
access may take place over an insecure network, it is essential that
the connection is cryptographically protected against sniffing of
confidential data (e.g. keystrokes, monitor signals) and against man
in the middle attacks. The affected products provide an SSL-encrypted
web interface. After authenticating to the web interface the user can
download a client program (Java or Windows). The client program
contains temporary authentication data so that it can connect to the
KVM switch without asking the user for username/password again.
CVE-2009-1477: Same SSL Key for all devices
All tested devices (KH1516i, KN9116 and PN9108) use the same SSL key
for the https web interface. If an attacker manages to extract the
private key from a single device, (s)he can decrypt the https traffic
of all other affected devices, including the username and password
used to authenticate to the KVM switch. An attacker who can carry out
a man in the middle attack can additionally compromise client systems
by replacing the Windows or Java client software that is downloaded
from the KVM switch via https.
Severity: High
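As an added check (not part of the original advisory), the Python below groups devices by the SHA-256 fingerprint of the certificate they present, which is how a shared key shows up in practice: several devices present the identical certificate. It uses only the standard library. The hostnames and the certificate bodies in SAMPLE_CERTS are constructed placeholders (base64 of arbitrary bytes, enough to exercise the fingerprint path but not real X.509); a live run takes the device hostnames on the command line.

```python
import base64
import hashlib
import ssl
import sys


def fetch_cert_pem(host, port=443):
    """Grab the certificate a device presents (network access required).
    No chain verification is done, which is fine for an inventory check."""
    return ssl.get_server_certificate((host, port))


def cert_fingerprint(pem):
    """SHA-256 over the DER encoding: the same value
    'openssl x509 -fingerprint -sha256' prints, without the colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def group_by_fingerprint(certs):
    """certs: {host: pem}. Returns {fingerprint: [hosts]} for every
    certificate that more than one device presents."""
    groups = {}
    for host, pem in certs.items():
        groups.setdefault(cert_fingerprint(pem), []).append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def _constructed_pem(blob):
    """Wrap arbitrary bytes in PEM markers: a placeholder, not a real cert."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(blob).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed inventory: two devices ship the same certificate, one does not.
SAMPLE_CERTS = {
    "kvm-rack1.example": _constructed_pem(b"constructed certificate A"),
    "kvm-rack2.example": _constructed_pem(b"constructed certificate A"),
    "kvm-lab.example":   _constructed_pem(b"constructed certificate B"),
}


if __name__ == "__main__":
    hosts = sys.argv[1:]
    certs = {h: fetch_cert_pem(h) for h in hosts} if hosts else SAMPLE_CERTS
    shared = group_by_fingerprint(certs)
    for fp, devices in shared.items():
        print("%s shared by %s" % (fp, ", ".join(devices)))
    if not shared:
        print("no shared certificates among %d device(s)" % len(certs))
```

Two identical certificates necessarily share a private key; the reverse does not hold, so a stricter check compares the SubjectPublicKeyInfo of each certificate, which needs an X.509 parser outside the standard library.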
CVE-2009-1472: Java client arbitrary code execution
The Java client program connects to the KVM switch on port 9002 and
downloads and runs a new Java class. This connection is encrypted
using AES, but the encryption key is hardcoded in the client program,
so anyone who has a copy of the client knows it. A man in the middle
attacker can therefore inject another class file, which executes
arbitrary Java code on the client computer. This code is not confined
by a sandbox, as the client is run as a standalone application rather
than as an applet. The same position can also be used for a man in the
middle attack to gain access to the machines connected to the KVM
switch.
Severity: High
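The following Python sketch is an added example, not code from the advisory or from ATEN, illustrating the design flaw just described: a code-download channel protected only by a key embedded in the client offers confidentiality but no authenticity, so whoever extracts the key can substitute the code. The cipher is a toy SHA-256 counter-mode stream standing in for AES (the standard library has no AES, and the property shown does not depend on the cipher); the key and the class bytes are constructed. The hardened variant assumes a per-session MAC key that the server hands to the client inside the authentication data already downloaded over https, which the port 9002 attacker never sees.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key the advisory says is hardcoded in the
# client program; anyone holding a copy of the client can read it out.
HARDCODED_KEY = b"constructed-key-embedded-in-client"


def _keystream(key, nonce, length):
    """Toy SHA-256 counter-mode keystream, standing in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext. Confidentiality only, no integrity."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- vulnerable design (what the advisory describes) --------------------
def client_load_unauthenticated(blob):
    """Client decrypts with the embedded key and loads whatever comes out."""
    return decrypt(HARDCODED_KEY, blob)


def mitm_replace(evil_class):
    """Attacker who pulled HARDCODED_KEY out of the client re-encrypts a
    class of his own choosing; the client cannot tell the difference."""
    return encrypt(HARDCODED_KEY, evil_class)


# ---- hardened design: authenticate the class with a per-session key -----
def server_send_authenticated(session_key, class_bytes):
    """session_key: fresh secret delivered over the authenticated https
    download (assumption), never seen by the attacker on port 9002."""
    blob = encrypt(HARDCODED_KEY, class_bytes)
    tag = hmac.new(session_key, blob, hashlib.sha256).digest()
    return blob + tag


def client_load_authenticated(session_key, message):
    blob, tag = message[:-32], message[-32:]
    expected = hmac.new(session_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("class file failed authentication; refusing to load")
    return decrypt(HARDCODED_KEY, blob)


def mitm_forge_authenticated(evil_class):
    """Best the attacker can do without the session key: tag the forged
    class with the only key he has, the hardcoded one."""
    blob = encrypt(HARDCODED_KEY, evil_class)
    return blob + hmac.new(HARDCODED_KEY, blob, hashlib.sha256).digest()


def forgery_rejected(session_key, message):
    """True if the hardened client refuses to load the message."""
    try:
        client_load_authenticated(session_key, message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = b"class Viewer { /* constructed */ }"
    evil = b"class Backdoor { /* constructed */ }"
    print(client_load_unauthenticated(mitm_replace(evil)))   # attacker's class is loaded
    sk = os.urandom(32)
    print(client_load_authenticated(sk, server_send_authenticated(sk, good)))
    print(forgery_rejected(sk, mitm_forge_authenticated(evil)))   # True
```

The MAC only moves the trust anchor to the https download, so it is worthwhile only once the https side itself is trustworthy (see CVE-2009-1477 above); code signing with a vendor key pinned in the client would remove that dependency.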
CVE-2009-1473: Cryptographic weakness in key exchange
When the Windows or Java client connects to the device, the KVM switch
and the client negotiate a symmetric session key. This key negotiation
uses RSA in an insecure way: an attacker who can passively monitor the
traffic between the client and the KVM switch is able to repeat the
client-side calculations and recover the session key. With this
session key the attacker can decrypt the traffic and reconstruct the
keystrokes. Furthermore it is also possible to carry out a man in the
middle attack and gain access to the machines connected to the KVM
switch.
Both the Windows and the Java clients are affected.
Severity: High
CVE-2009-1474: Incomplete encryption
The connection between the client and the kvm switch is not completely
encrypted. The transfer of keystrokes is encrypted. However, mouse
events are not protected in any way. So a man in the middle attacker
can inject arbitrary mouse movements and press mouse buttons.
Depending on the operating system and setup this may be used to
compromise computers attached to the kvm switch.
Severity: Medium
CVE-2009-1474: Session ID Cookie not secure-only
When the user connects to the device via http on port 80, the device
redirects the user to the same device on port 443 (https). There the
user logs in and receives a session ID cookie. However, this cookie
does not carry the Secure attribute specified in RFC 2109, so the
browser will also send it over plain http. If the user returns to the
http URL for any reason, an attacker can sniff the session ID. With
this session ID it is possible to download the Windows/Java client
program (which contains authentication data) and then access the
computers connected to the KVM switch. Since the initial http
connection to the KVM switch is unprotected, a man in the middle
attacker can inject content into that first response which makes the
browser automatically re-request the http URL after the user has
logged in, so the cookie leaks without any further user action.
Severity: Low
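To audit a device for this (an added example, not part of the advisory), the Python below parses Set-Cookie header values with the standard library and reports session cookies that lack the Secure attribute, and as a related hardening point HttpOnly. The header values in SAMPLE_RESPONSES are constructed to mirror the behaviour described above. The optional live fetch assumes the device answers on https port 443 and disables certificate verification, because these devices do not present a trustworthy certificate in the first place.

```python
import http.client
import ssl
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (the part after "Set-Cookie:"),
# modelled on the behaviour described above.
SAMPLE_RESPONSES = {
    "device as described": "SESSIONID=3f9a0c17; Path=/",
    "fixed device":        "SESSIONID=3f9a0c17; Path=/; Secure; HttpOnly",
}


def audit_set_cookie(header_value):
    """Return {cookie_name: [problems]} for one Set-Cookie header value.
    An empty list means the cookie carries both attributes."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("no Secure attribute: browser also sends it over plain http")
        if not morsel["httponly"]:
            problems.append("no HttpOnly attribute: readable by injected script")
        findings[name] = problems
    return findings


def audit_device(host, port=443, path="/"):
    """Fetch one https response and audit every Set-Cookie header on it
    (network access required)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # device certificate is shared/self-signed
    ctx.verify_mode = ssl.CERT_NONE   # acceptable only for this audit
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        results = {}
        for value in resp.headers.get_all("Set-Cookie") or []:
            results.update(audit_set_cookie(value))
        return results
    finally:
        conn.close()


if __name__ == "__main__":
    for label, header in SAMPLE_RESPONSES.items():
        print(label, audit_set_cookie(header))
```

The session cookie is only issued at login, so a plain GET of the front page may return no Set-Cookie at all; point audit_device at the response that completes your login, or feed the captured header value straight into audit_set_cookie.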
The vendor was notified about CVE-2009-1473 on 5 March 2009 and about
the other issues on 30 April 2009. No firmware update has been
received so far.
Suggested workaround: Avoid connecting to the KVM Switch via untrusted
networks.