KeySight RF Sensor Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
KeySight N6854A Geolocation server software and the N6841A RF Sensor software provide an easy way to configure all of the RF Sensors in a network. They provide diagnostic and firmware update tools, along with a color-coded health status indicator for each sensor. A user can upload and geo-align maps to show sensor placement and geolocation results via a heat-map overlay, pinpointing the location of unknown RF emitters. Additionally, users can create launchers to quickly start software applications on one or multiple sensors at the same time. The Geolocation server software is tightly integrated with the N6820ES Surveyor 4D software, forming a spectrum monitoring and emitter location system.
An SQL injection exists in KeySight N6854A and N6841A RF Sensor. The vulnerability is due to insufficient input validation when restoring databases from arbitrary network locations.
A remote, unauthenticated attacker can exploit this vulnerability by sending maliciously crafted packets to the target server. Successful exploitation could result in execution of arbitrary code on the target server in the context of SYSTEM.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-38130.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
The vulnerability is due to a lack of authentication controls on the exposed Spring HTTP Invoker endpoints, combined with the server being allowed to retrieve a ZIP file from a remote attacker-controlled server. When a user clicks on the “Tools->Database->Restore Database” button, an HTTP request to the “/server/service/smsConfigServiceHttpInvoker” endpoint is sent over localhost on port 8080 to KeysightSMS.exe. This request invokes the handleRequest() method of the Spring Framework HttpInvokerServiceExporter class, which deserializes a RemoteInvocation object from the serialized data received in the request. An attacker can provide a serialized object that invokes the method smsRestoreDatabaseZip() in Java class WEBINF.classes.com.keysight.tentacle.config.ResourceManager. This method takes as input the path to the ZIP archive file.
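Because the legitimate restore request described above travels over localhost, any request to the invoker endpoint from another source address deserves attention. The following detection sketch is an added example, not SonicWall's signature or Keysight's code; it assumes Common Log Format lines from a proxy or sensor in front of port 8080, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

INVOKER_PATH = "/server/service/smsConfigServiceHttpInvoker"  # endpoint named in the advisory

# Assumed log format: Common Log Format (source address first, quoted request line).
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" \d{3}')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [12/Sep/2022:09:14:02 +0000] "POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1" 200 512
198.51.100.23 - - [12/Sep/2022:09:20:41 +0000] "POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1" 200 498
198.51.100.23 - - [12/Sep/2022:09:20:44 +0000] "POST /server/service/smsConfigServiceHttpInvoker?x=1 HTTP/1.1" 200 498
203.0.113.9 - - [12/Sep/2022:09:31:10 +0000] "GET /index.html HTTP/1.1" 200 1043
not a log line
"""

def remote_invoker_hits(log_text: str) -> Counter:
    """Count requests to the invoker endpoint per non-loopback source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not parse
        # Compare the path only, ignoring any query string or path parameters.
        path = re.split(r"[?;]", m["uri"], maxsplit=1)[0].rstrip("/")
        if path != INVOKER_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            hits[m["src"]] += 1  # hostname, not an IP: cannot be shown local, so report it
            continue
        if not src.is_loopback:
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    for src, count in remote_invoker_hits(SAMPLE_LOG).items():
        print(f"{src}: {count} request(s) to {INVOKER_PATH}")
```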
The code specifically looks for the file tentacle.script in the ZIP archive; after extraction, this file is passed as an argument when executing the MigrateDatabase.bat script. This batch script executes all of the SQL commands present in the given tentacle.script file to update/restore the HSQLDB database which is part of the SMS tool. However, the code does not prevent an attacker from supplying a UNC path and thereby downloading an arbitrary ZIP archive (and tentacle.script file) to be used in restoring the database on the target machine. The attacker can therefore execute arbitrary SQL commands on the target machine without any authentication. Since the SMS tool utilizes HSQLDB and this database allows execution of arbitrary Java static methods, an attacker can craft a malicious tentacle.script file which can, for instance, create files on the target machine at arbitrary locations and with arbitrary data. For instance, executing the following SQL commands will result in the creation of a short-link file in the directory “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” that opens a calculator on the target machine whenever Windows is restarted:
Triggering the Problem:
• The target must have the vulnerable software installed.
• The attacker must have network connectivity to the target server.
The attacker sends an HTTP request containing a malicious serialized Java object to the target server that downloads the malicious ZIP file from an attacker-controlled server. The vulnerability is triggered when the server processes the downloaded file.
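The two conditions the restore path fails to check, a remote (UNC) archive location and a tentacle.script that binds Java methods from SQL, can be tested before an archive is accepted. The sketch below is an added example, not Keysight's fix or code from the advisory; the function names, the pattern list (common HSQLDB 1.8 and 2.x syntaxes, not exhaustive) and the benign sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# SQL that binds or calls Java static methods in HSQLDB (1.8 and 2.x syntaxes).
# Assumption: the pattern list is illustrative, not exhaustive.
JAVA_SQL = [
    re.compile(r'\bCREATE\s+ALIAS\b', re.I),                 # 1.8 alias for a static method
    re.compile(r'\bCALL\s+"[\w$]+(\.[\w$]+)+"\s*\(', re.I),  # 1.8 call by quoted class name
    re.compile(r'\bLANGUAGE\s+JAVA\b', re.I),                # 2.x Java routine definition
    re.compile(r"\bEXTERNAL\s+NAME\s+'CLASSPATH:", re.I),    # 2.x binding to a class method
]

def is_remote_path(path: str) -> bool:
    """True for UNC paths and URL-style locations; only local drive paths pass."""
    p = path.strip()
    # Conservative: device paths beginning with two backslashes are rejected as well.
    return p.startswith(("\\\\", "//")) or bool(re.match(r"[A-Za-z][A-Za-z0-9+.-]+://", p))

def suspicious_script_lines(zip_bytes: bytes) -> list:
    """Return the tentacle.script lines in the archive that invoke Java from SQL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.replace("\\", "/").rsplit("/", 1)[-1].lower() != "tentacle.script":
                continue
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if any(p.search(line) for p in JAVA_SQL):
                    hits.append(line.strip())
    return hits

def build_sample_archive() -> bytes:
    """Constructed sample: a harmless script containing two Java-binding statements."""
    script = "\n".join([
        "CREATE MEMORY TABLE SENSOR(ID INTEGER NOT NULL PRIMARY KEY,NAME VARCHAR(64))",
        "INSERT INTO SENSOR VALUES(1,'rooftop-a')",
        'CREATE ALIAS SQRT FOR "java.lang.Math.sqrt"',
        'CALL "java.lang.Math.sqrt"(2.0)',
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tentacle.script", script)
    return buf.getvalue()

if __name__ == "__main__":
    print(is_remote_path(r"\\198.51.100.7\share\backup.zip"))
    print(suspicious_script_lines(build_sample_archive()))
```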
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 3323 KeySight N6854A/N6841A Insecure Deserialization 3
The risks posed by this vulnerability can be mitigated or eliminated by:
• Upgrading the product to a non-vulnerable version.
• Detecting and filtering malicious traffic using the signature above.
The vendor has released the following advisory regarding this vulnerability: