Advisory Details

November 26th, 2018

(ODay) Juuko DATA Packet Command Injection Remote Code Execution Vulnerability

ZDI-18-1362
ZDI-CAN-6462

CVE ID
CVSS SCORE 7.5, (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS Jukko
AFFECTED PRODUCTS J808 Transmitter
VULNERABILITY DETAILS

This vulnerability allows remote attackers to issue commands on vulnerable installations of Juuko equipment. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of communication between the transmitter and receiver. By using a fixed control code that is used to encode data sent over RF, an attacker can forge unauthorized commands to the receiver. An attacker can leverage this vulnerability to issue commands to the physical equipment controlled by the device.

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

07/19/18 - ZDI reported vulnerability to ICS-CERT
07/24/18 - ICS-CERT provided ZDI with ICS-VU and requested additional detail
07/25/18 - ZDI provided ICS-CERT the additional information
11/02/18 - ZDI contacted ICS-CERT requesting a status update
11/02/18 - ICS-CERT replied they had been regularly contacting the vendor without a response for months
11/16/18 - ZDI contacted ICS-CERT requesting a new status update
11/16/18 - ICS-CERT replied they had received a reply from the vendor but no details or deadline for the fix
11/21/18 - ZDI notified ICS-CERT the case will 0-day on 26 November


DISCLOSURE TIMELINE
  • 2018-06-26 - Vulnerability reported to vendor
  • 2018-11-26 - Coordinated public release of advisory
CREDIT Federico Maggi, Marco Balduzzi, Stephen Hilt, Philippe Lin, Akira Urano, Rainer Vosseler of Trend Micro Security Research
BACK TO ADVISORIES