Talos Vulnerability Report

TALOS-2019-0926

Moxa AWK-3131A ServiceAgent Use of Hard-coded Cryptographic Key

February 24, 2020
CVE Number

CVE-2019-5137

Summary

The use of a hard-coded cryptographic key in the ServiceAgent binary of Moxa AWK-3131A firmware version 1.13 allows anyone who extracts the key from the firmware image to decrypt captured ServiceAgent traffic sent to or from the device.

Tested Versions

Moxa AWK-3131A Firmware version 1.13

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-321: Use of Hard-coded Cryptographic Key

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

A hard-coded cryptographic key is used for any traffic on TCP port 5801 or UDP port 5800 in which byte 23 (zero-indexed) is between 0 and 5; this value marks the packet as a fixed-key encryption packet. Qualifying traffic (for TCP, traffic on an established session) is encrypted and decrypted with AES in ECB mode under that fixed key. Because the key is embedded in the firmware image as a 32-byte constant at 0x4277b8 (shown below), anyone with a copy of the firmware can recover it and decrypt captured ServiceAgent traffic without any access to the device; the use of ECB mode additionally means identical plaintext blocks produce identical ciphertext blocks, so message structure is visible even before decryption. The same fixed key is used for encryption as well, so the impact presumably extends to traffic in both directions.

serviceAgentFixedKeyEncryptData:
0040406c  27bdffc0   addiu   $sp, $sp, -0x40
00404070  afbf003c   sw      $ra, 0x3c($sp) {__saved_$ra}
00404074  afbe0038   sw      $fp, 0x38($sp) {__saved_$fp}
00404078  03a0f021   move    $fp, $sp {var_40}
0040407c  afc40040   sw      $a0, 0x40($fp) {arg_0}
00404080  afc50044   sw      $a1, 0x44($fp) {arg_4}
00404084  afc60048   sw      $a2, 0x48($fp) {arg_8}
00404088  3c020042   lui     $v0, 0x42
0040408c  244377b8   addiu   $v1, $v0, 0x77b8  {key}    ---------Start loading key from memory 0x4277b8---------
00404090  884477b8   lwl     $a0, 0x77b8($v0)
00404094  00804821   move    $t1, $a0
00404098  98690003   lwr     $t1, 3($v1)
0040409c  244377b8   addiu   $v1, $v0, 0x77b8  {key}
004040a0  88640004   lwl     $a0, 4($v1)
004040a4  00804021   move    $t0, $a0
004040a8  98680007   lwr     $t0, 7($v1)
004040ac  244377b8   addiu   $v1, $v0, 0x77b8  {key}
004040b0  88640008   lwl     $a0, 8($v1)
004040b4  00803821   move    $a3, $a0
004040b8  9867000b   lwr     $a3, 0xb($v1)
004040bc  244377b8   addiu   $v1, $v0, 0x77b8  {key}
004040c0  8864000c   lwl     $a0, 0xc($v1)
004040c4  00803021   move    $a2, $a0
004040c8  9866000f   lwr     $a2, 0xf($v1)
004040cc  244377b8   addiu   $v1, $v0, 0x77b8  {key}
004040d0  88640010   lwl     $a0, 0x10($v1)
004040d4  00802821   move    $a1, $a0
004040d8  98650013   lwr     $a1, 0x13($v1)
004040dc  244377b8   addiu   $v1, $v0, 0x77b8
004040e0  88640014   lwl     $a0, 0x14($v1)  {key[0x14]}  {0x258e1b8b}
004040e4  98640017   lwr     $a0, 0x17($v1)
004040e8  244377b8   addiu   $v1, $v0, 0x77b8  {key}
004040ec  886a0018   lwl     $t2, 0x18($v1)
004040f0  01405821   move    $t3, $t2
004040f4  986b001b   lwr     $t3, 0x1b($v1)
004040f8  01601821   move    $v1, $t3
004040fc  244277b8   addiu   $v0, $v0, 0x77b8  {key}
00404100  884a001c   lwl     $t2, 0x1c($v0)
00404104  01405821   move    $t3, $t2
00404108  984b001f   lwr     $t3, 0x1f($v0)
0040410c  01601021   move    $v0, $t3                  ---------End loading key from memory---------
00404110  afc90018   sw      $t1, 0x18($fp) {var_28}   ---------Start storing key for local usage---------
00404114  afc8001c   sw      $t0, 0x1c($fp) {var_24}
00404118  afc70020   sw      $a3, 0x20($fp) {var_20}
0040411c  afc60024   sw      $a2, 0x24($fp) {var_1c}
00404120  afc50028   sw      $a1, 0x28($fp) {var_18}
00404124  afc4002c   sw      $a0, 0x2c($fp) {var_14}  {0x258e1b8b}
00404128  afc30030   sw      $v1, 0x30($fp) {var_10}
0040412c  afc20034   sw      $v0, 0x34($fp) {var_c}    ---------End storing key for local usage---------
00404130  27c20018   addiu   $v0, $fp, 0x18 {var_28}
00404134  00402021   move    $a0, $v0 {var_28}
00404138  8fc50040   lw      $a1, 0x40($fp) {arg_0}
0040413c  8fc60044   lw      $a2, 0x44($fp) {arg_4}
00404140  8fc70048   lw      $a3, 0x48($fp) {arg_8}   
00404144  0c100f7c   jal     __serviceAgentEncryptData ---------Call function to utilize the key---------


004277b8  uint8_t key[32] = 
004277b8  {
004277b8      [0x0] = 0xc5
004277b9      [0x1] = 0xb
004277ba      [0x2] = 0xfe
004277bb      [0x3] = 0x37
004277bc      [0x4] = 0xc6
004277bd      [0x5] = 0xd5
004277be      [0x6] = 0x61
004277bf      [0x7] = 0x67
004277c0      [0x8] = 0x18
004277c1      [0x9] = 0xa1
004277c2      [0xa] = 0x7f
004277c3      [0xb] = 0xd0
004277c4      [0xc] = 0xef
004277c5      [0xd] = 0x20
004277c6      [0xe] = 0x9b
004277c7      [0xf] = 0x45
004277c8      [0x10] = 0x1e
004277c9      [0x11] = 0x49
004277ca      [0x12] = 0x4c
004277cb      [0x13] = 0xce
004277cc      [0x14] = 0x25
004277cd      [0x15] = 0x8e
004277ce      [0x16] = 0x1b
004277cf      [0x17] = 0x8b
004277d0      [0x18] = 0xf3
004277d1      [0x19] = 0xc6
004277d2      [0x1a] = 0xc8
004277d3      [0x1b] = 0xe9
004277d4      [0x1c] = 0x7d
004277d5      [0x1d] = 0x9d
004277d6      [0x1e] = 0xee
004277d7      [0x1f] = 0xa0
004277d7  }

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release

Credit

Discovered by Carl Hurd of Cisco Talos.