Megvii Koala 2.9.1-c3s architectural vulnerability on network relays
DESCRIPTION
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3sallows attackers to grant physical access to anyone by sending packet data to UDP port 5000 of any network relays connected to doors.
The vulnerability has been submitted to ZDI on March 20, 2020 as ZDI-CAN-10793.
The vendor has acknowledged and confirmed the vulnerability and said the production has reached end-of-line while a patch is available in newer products. We are not able to confirm the vendor's statement.The vendor has published a public advisory and asks the customers to upgrade the software when it is available. Product lines impacted by similar vulnerability will have patches in August 2020.Details
Megvii Koala is a facial recognition system sold by Megvii. It is marketed towards factory, company concierge, apartment complex, etc. There are several hardware configurations, depending on the system integrator.
The weakness is in the architecture of the Megvii Koala system. The weakest link is the network relay, which has to be either HHT-NET2D or TCP-KP-I404. When an adversary has access to the internal network, one has only to send the string "on1" to UDP port 5000 of all the devices in the network to open all the doors.
The architecture, according to the instruction manual provided by the vendor, is like,
---------------------------- UDP 5000 COM/ON/OFF
| --------- ------ | --------------> HHT-NET2D ------------> Door
| | Backend | <---> | Edge | |
| --------- ------ | <--- HTTP ----> Samsung Tablet
---------------------------- USB-C Cable
To our best knowledge, no firewall is recommended in user instruction manuals.
Vulnerability Type
CWE-862: Missing Authorization
Attack Type: Remote
Attack Vectors
To exploit vulnerability, attackers have to have access to LAN of the facial recognition access controller.
Mitigation
Deploy a firewall in front of network relays and allow UDP 5000 from Megvii edge server only.
Deny all other connections.
Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer
Reference
Public advisory from the vendor: http://techsupport.megvii.com/hc/kb/article/1401343/
Featured Stories
Abusing Argo CD, Helm, and Artifact Hub: An Analysis of Supply Chain Attacks in Cloud-Native ApplicationsWe provide an overview of cloud-native tools and examine how cybercriminals can exploit their vulnerabilities to launch supply chain attacks.Read more
Trends and Shifts in the Underground N-Day Exploit MarketOur two-year research provides insights into the life cycle of exploits, the types of exploit buyers and sellers, and the business models that are reshaping the underground exploit market.Read more
The Nightmares of Patch Management: The Status Quo and BeyondWe discuss the challenges that organizations face in managing endpoint and server patches.Read more
Identifying Weak Parts of a Supply ChainMalicious attacks have consistently been launched on weak points in the supply chain. Like all attacks, these will evolve into more advanced forms. Software development, with multiple phases that could be placed at risk, is particularly vulnerable.Read more