CVE-2019-5137
The use of hard-coded cryptographic keys in the ServiceAgent binary allows decryption of captured network traffic to or from the Moxa AWK-3131A, firmware version 1.13.
Moxa AWK-3131A Firmware version 1.13
http://www.moxa.com/product/AWK-3131A.htm
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-321: Use of Hard-coded Cryptographic Key
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.
Hard-coded cryptographic keys are used for any traffic on TCP port 5801 or UDP port 5800 in which byte 23 (zero-indexed) is between 0 and 5; this value marks the packet as a fixed-key encryption packet. Qualifying traffic (TCP traffic that has an established session) is encrypted and decrypted with AES-ECB under the fixed key, so anyone holding the key extracted from the binary can decrypt it.
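The following triage helper is an added example for defenders, not code from the advisory or from Moxa. It flags ServiceAgent traffic that carries the fixed-key marker described above and counts repeated 16-byte ciphertext blocks, which AES-ECB leaks even to an observer without the key. The 24-byte header length and the sample packets are constructed assumptions; the advisory does not state where the encrypted body begins.

```python
from collections import Counter

# Values taken from the advisory: ServiceAgent ports and the fixed-key marker.
SERVICE_AGENT_PORTS = {("tcp", 5801), ("udp", 5800)}
MARKER_OFFSET = 23                 # zero-indexed byte that selects the key mode
FIXED_KEY_MARKERS = range(0, 6)    # 0..5 => encrypted under the hard-coded key
AES_BLOCK = 16
# Assumption (not stated in the advisory): the AES-ECB body follows a 24-byte header.
ASSUMED_HEADER_LEN = MARKER_OFFSET + 1


def is_fixed_key_packet(proto, port, payload):
    """True when traffic on a ServiceAgent port carries the fixed-key marker."""
    if (proto, port) not in SERVICE_AGENT_PORTS or len(payload) <= MARKER_OFFSET:
        return False
    return payload[MARKER_OFFSET] in FIXED_KEY_MARKERS


def duplicate_ecb_blocks(ciphertext):
    """Count repeated 16-byte blocks. Under ECB, equal plaintext blocks give equal
    ciphertext blocks, so structure leaks to an observer who has no key at all."""
    usable = len(ciphertext) - len(ciphertext) % AES_BLOCK
    counts = Counter(ciphertext[i:i + AES_BLOCK] for i in range(0, usable, AES_BLOCK))
    return sum(n - 1 for n in counts.values() if n > 1)


def triage(packets):
    """Flag fixed-key ServiceAgent packets and how much ECB structure each leaks."""
    findings = []
    for proto, port, payload in packets:
        if is_fixed_key_packet(proto, port, payload):
            body = payload[ASSUMED_HEADER_LEN:]
            findings.append((proto, port, payload[MARKER_OFFSET], duplicate_ecb_blocks(body)))
    return findings


# Constructed sample traffic (not captured from a device). The fixed-key body
# models two identical plaintext blocks, which ECB renders as identical ciphertext.
HEADER = b"\x00" * MARKER_OFFSET
BLOCK_A = bytes(range(0x10, 0x20))
BLOCK_B = bytes(range(0xA0, 0xB0))
SAMPLE_PACKETS = [
    ("tcp", 5801, HEADER + b"\x02" + BLOCK_A + BLOCK_B + BLOCK_A),  # fixed key, leaks
    ("udp", 5800, HEADER + b"\x09" + BLOCK_A + BLOCK_A),            # marker outside 0..5
    ("tcp", 443, HEADER + b"\x01" + BLOCK_A),                       # not a ServiceAgent port
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKETS):
        print("fixed-key ServiceAgent packet %s/%d marker=%d duplicate_blocks=%d" % finding)
```

Any hit on the fixed-key marker is itself the finding worth alerting on, since the device should not be using this mode at all; the duplicate-block count only shows how much plaintext structure ECB exposes on top of that.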
serviceAgentFixedKeyEncryptData:
0040406c 27bdffc0 addiu $sp, $sp, -0x40
00404070 afbf003c sw $ra, 0x3c($sp) {__saved_$ra}
00404074 afbe0038 sw $fp, 0x38($sp) {__saved_$fp}
00404078 03a0f021 move $fp, $sp {var_40}
0040407c afc40040 sw $a0, 0x40($fp) {arg_0}
00404080 afc50044 sw $a1, 0x44($fp) {arg_4}
00404084 afc60048 sw $a2, 0x48($fp) {arg_8}
00404088 3c020042 lui $v0, 0x42
0040408c 244377b8 addiu $v1, $v0, 0x77b8 {key} ---------Start loading key from memory 0x4277b8---------
00404090 884477b8 lwl $a0, 0x77b8($v0)
00404094 00804821 move $t1, $a0
00404098 98690003 lwr $t1, 3($v1)
0040409c 244377b8 addiu $v1, $v0, 0x77b8 {key}
004040a0 88640004 lwl $a0, 4($v1)
004040a4 00804021 move $t0, $a0
004040a8 98680007 lwr $t0, 7($v1)
004040ac 244377b8 addiu $v1, $v0, 0x77b8 {key}
004040b0 88640008 lwl $a0, 8($v1)
004040b4 00803821 move $a3, $a0
004040b8 9867000b lwr $a3, 0xb($v1)
004040bc 244377b8 addiu $v1, $v0, 0x77b8 {key}
004040c0 8864000c lwl $a0, 0xc($v1)
004040c4 00803021 move $a2, $a0
004040c8 9866000f lwr $a2, 0xf($v1)
004040cc 244377b8 addiu $v1, $v0, 0x77b8 {key}
004040d0 88640010 lwl $a0, 0x10($v1)
004040d4 00802821 move $a1, $a0
004040d8 98650013 lwr $a1, 0x13($v1)
004040dc 244377b8 addiu $v1, $v0, 0x77b8
004040e0 88640014 lwl $a0, 0x14($v1) {key[0x14]} {0x258e1b8b}
004040e4 98640017 lwr $a0, 0x17($v1)
004040e8 244377b8 addiu $v1, $v0, 0x77b8 {key}
004040ec 886a0018 lwl $t2, 0x18($v1)
004040f0 01405821 move $t3, $t2
004040f4 986b001b lwr $t3, 0x1b($v1)
004040f8 01601821 move $v1, $t3
004040fc 244277b8 addiu $v0, $v0, 0x77b8 {key}
00404100 884a001c lwl $t2, 0x1c($v0)
00404104 01405821 move $t3, $t2
00404108 984b001f lwr $t3, 0x1f($v0)
0040410c 01601021 move $v0, $t3 ---------End loading key from memory---------
00404110 afc90018 sw $t1, 0x18($fp) {var_28} ---------Start storing key for local usage---------
00404114 afc8001c sw $t0, 0x1c($fp) {var_24}
00404118 afc70020 sw $a3, 0x20($fp) {var_20}
0040411c afc60024 sw $a2, 0x24($fp) {var_1c}
00404120 afc50028 sw $a1, 0x28($fp) {var_18}
00404124 afc4002c sw $a0, 0x2c($fp) {var_14} {0x258e1b8b}
00404128 afc30030 sw $v1, 0x30($fp) {var_10}
0040412c afc20034 sw $v0, 0x34($fp) {var_c} ---------End storing key for local usage---------
00404130 27c20018 addiu $v0, $fp, 0x18 {var_28}
00404134 00402021 move $a0, $v0 {var_28}
00404138 8fc50040 lw $a1, 0x40($fp) {arg_0}
0040413c 8fc60044 lw $a2, 0x44($fp) {arg_4}
00404140 8fc70048 lw $a3, 0x48($fp) {arg_8}
00404144 0c100f7c jal __serviceAgentEncryptData ---------Call function to utilize the key---------
004277b8 uint8_t key[32] =
004277b8 {
004277b8 [0x0] = 0xc5
004277b9 [0x1] = 0xb
004277ba [0x2] = 0xfe
004277bb [0x3] = 0x37
004277bc [0x4] = 0xc6
004277bd [0x5] = 0xd5
004277be [0x6] = 0x61
004277bf [0x7] = 0x67
004277c0 [0x8] = 0x18
004277c1 [0x9] = 0xa1
004277c2 [0xa] = 0x7f
004277c3 [0xb] = 0xd0
004277c4 [0xc] = 0xef
004277c5 [0xd] = 0x20
004277c6 [0xe] = 0x9b
004277c7 [0xf] = 0x45
004277c8 [0x10] = 0x1e
004277c9 [0x11] = 0x49
004277ca [0x12] = 0x4c
004277cb [0x13] = 0xce
004277cc [0x14] = 0x25
004277cd [0x15] = 0x8e
004277ce [0x16] = 0x1b
004277cf [0x17] = 0x8b
004277d0 [0x18] = 0xf3
004277d1 [0x19] = 0xc6
004277d2 [0x1a] = 0xc8
004277d3 [0x1b] = 0xe9
004277d4 [0x1c] = 0x7d
004277d5 [0x1d] = 0x9d
004277d6 [0x1e] = 0xee
004277d7 [0x1f] = 0xa0
004277d7 }
2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release
Discovered by Carl Hurd of Cisco Talos.