The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements
Present
AT
The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: RRX IOB LP 1.0 DNS Cache Snooping
Document Title:
===============
RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2261
Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspot
Release Date:
=============
2022-10-11
Vulnerability Laboratory ID (VL-ID):
====================================
2261
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
2.000 - 3.000
Product & Service Introduction:
===============================
This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open Source
Software licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")
and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any other
terms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.
If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per the
definition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPL
Licensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additional
rights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but not
limited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer the
Combined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and you
shall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.
Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public License
and the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this source
code can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.
Vulnerability Disclosure Timeline:
==================================
2020-08-03: Researcher Notification & Coordination (Security Researcher)
2020-08-04: Vendor Notification (Security Department)
2020-08-27: Vendor Response/Feedback #1 (Security Department)
2020-11-10: Vendor Response/Feedback #2 (Security Department)
2021-01-30: Security Acknowledgements (Security Department)
2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)
2022-10-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.
The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.
The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack
to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, external
mail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,
consultants and potentially users on a guest network or WiFi connection if supported.
Proof of Concept (PoC):
=======================
The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
--- PoC Session Logs ---
Sent a non-recursive query for test.com
and received 1 answer: dnsmasq-2.75
93.184.216.34
Hosts
53 / udp / dns
192.168.44.1
Solution - Fix & Patch:
=======================
Improve the cache management via dns to ensure no manipulations can take place.
Contact the manufacturer siemens to resolve the issue by an automated or manual patch.
2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)
The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).
Security Risk:
==============
The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.comwww.vuln-lab.comwww.vulnerability-db.com
Services: magazine.vulnerability-lab.compaste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_labfacebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright 2022 | Vulnerability Laboratory - [Evolution Security GmbH]
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum