By Sharon Brizinov and Amir Preminger | Dec 13, 2021

Executive Summary

  • Claroty’s Team82 continues its research into the growing union of cloud computing and operational technology with a look into cloud-based controllers and long-range Bluetooth gateways.
  • Offline industrial internet of things devices often communicate over Bluetooth to a gateway that sends data to cloud-based controllers for centralized monitoring, improved analytics, and security.
  • Team82 uncovered and privately disclosed a vulnerability in the Cassia Networks Cassia IoT Access Controller, which affected multiple solutions including ABB Ability Smart Sensor.
  • The directory traversal vulnerability allows an attacker to read any file from the application server, which is running in a Docker container. The vulnerability could allow attackers to read configuration files, application source code, logs, hashed passwords, and more.
  • The vulnerability exists only in release 1.4 of the Cassia IoT Access Controller software. Cassia Networks delivered version 2.0 in early 2021 to fix this issue. Customers who could not upgrade to release 2.0 were patched earlier this year.
  • Dozens of cloud instances using this solution were vulnerable before patching, putting end devices at risk of compromise via the cloud controller.

Introduction

Team82 has emphasized the importance of researching the potential risks introduced by bringing cloud computing to operational technology (OT) and the industrial internet of things (IIoT). Recent research led us to cloud-based controllers and the world of exposed non-IP-based devices that transmit data through long-range Bluetooth gateways.

One of the common centralized cloud-based management platforms for IoT devices is Cassia Networks’ IoT Access Controller (AC). Cassia Networks is a leader in Bluetooth-based IoT device connectivity. AC is an IoT network management system that allows businesses to deploy and manage hundreds of Bluetooth gateways, as well as monitor thousands of enterprise devices from one console.

Cassia IoT Access Controller login page.

Team82 uncovered a directory traversal vulnerability (CVE-2021-22685) in the Cassia IoT Access Controller’s cloud-based management instance. The vulnerability, patched earlier this year by Cassia, enables attackers to read any file from the Cassia server, which runs inside a container, including configuration files, application source code, logs, hashed passwords, and more.

CVE-2021-22685 can be exploited to steal secret information from the cloud-based instance.

Furthermore, Team82 was able to identify dozens of vulnerable cloud instances belonging to various companies that use this solution. This means that attackers can potentially gain control of these networks by compromising end devices through the cloud.

Technical Details

Cassia Networks’ IoT Access Controller (AC) allows organizations to connect offline devices to a centralized cloud-based infrastructure for monitoring, maintenance, and other management functionality. This solution consists of three components:

  • Edge Device: An IoT device incapable of accessing the internet.
  • Cassia Bluetooth Gateway: A gateway that collects data from edge devices using Bluetooth technology and transmits this data to the cloud instance.
  • Access Controller Cloud-Based Instance: A web-based Access Controller server that collects data from the various Cassia Bluetooth gateways.

Diagram showing how AC connects offline devices to cloud-based infrastructure. Image courtesy of Cassia Networks.

Bluetooth connectivity enables offline devices to communicate with the AC cloud server via the gateway. This helps to control and maintain the edge devices and also enables them to constantly transmit data to a remote server for data collection and analytics purposes. Later, engineers can enter the management console to perform actions such as upgrading device firmware or commissioning new devices.

Spotting the Vulnerabilities

Team82 visited a cloud-based Access Controller instance and noticed something interesting in the webpage source code: CSS and JavaScript resources were retrieved via a special route: minify.

Cassia Networks IoT Access Controller webpage source code.

The minify route receives from the client a relative path on the server and returns a minified version of that file, meaning the same content with newlines and other unneeded characters removed to save bandwidth. The issue is that this route neither validates nor sanitizes the supplied path.

Exploitation is simple: an attacker could call the minify route with a relative path containing traversal segments and read, without authentication, any file from the application server, which runs inside a Docker container.

For example:

http://example.com/minify?css=/../../../../../../../../server/index.js

Leaked server index.js source code.


Recommendations

Cloud-based services have improved efficiency for businesses, opened doors to new performance analytics, and have helped enterprises worldwide innovate and improve profits. These centralized services may also introduce new risks and expand the attack surface available to threat actors, in particular as the cloud is brought to OT and IIoT.

Team82 understands these dynamics and will continue to examine and research these platforms to ensure that threats to public safety and to economic and national security are minimized.

In addition to updating vulnerable instances of the Cassia IoT Access Controller, other organizations should understand their exposure to this vulnerability. Gain proper visibility into what’s running on your OT and IIoT networks, properly segment operational networks from business networks, and deploy secure remote connections.

Vulnerability Information

CVE-2021-22685

  • Vendor: Cassia Networks
  • Product: Cassia IoT Access Controller
  • CVSS v3: 6.2
  • CWE-22: Path Traversal. An attacker may be able to use the minify route with a relative path to view any file on the server.

References:

  • ICS-CERT advisory
  • ABB advisory
  • Cassia patch