Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units EEPROM Access Control Vulnerability Allows Privilege Escalation to Root
Vulnerability
A vulnerability in the EEPROM component of Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs) in versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28 allows attackers to exploit incorrect access control by replacing the password hashes stored in the EEPROM with their own. This manipulation leads to unauthorized escalation of privileges to root. Write access to the EEPROM is not properly restricted, so sensitive data that is critical for secure user authentication can be modified.
Impact
Exploitation of this vulnerability allows for persistent root access on the affected RSUs, as the unauthorized password hash modifications are retained across reboots. This elevated access could be used to manipulate V2X communications or disrupt connected infrastructure applications, such as those supporting pedestrian safety or emergency vehicle operations.
Reproduction
The vulnerability can be reproduced by physically accessing the RSU and using a Bus Pirate device to modify the EEPROM. After overwriting the password hash with one that grants root access, the changes persist through reboots, allowing for unauthorized access via SSH. Alternatively, the 'infotool' application, which is pre-installed on the RSUs, can be used to manually change EEPROM values, including those related to user passwords.
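Because the modified hashes persist across reboots, a defender's practical control is to keep a provisioning-time baseline of the EEPROM contents off the device and compare fresh dumps against it from a management station. The script below is an added example written for this page, not code from Kapsch or from the advisory; the EEPROM layout (a 256-byte image with a 64-byte crypt(3)-style hash field at offset 0x40), the baseline key, and the sample hash strings are all constructed assumptions, since the real RSU memory map is not published here. It tags the authentication-critical region with an HMAC at provisioning, reports which byte ranges of a later dump differ, and flags whether the changes touch the hash field or whether the stored hash uses a weak scheme.

```python
import hashlib
import hmac

# Hypothetical EEPROM layout, constructed for this example. The real RSU map is
# not on the page; these offsets and sizes are assumptions.
EEPROM_SIZE = 256
HASH_FIELD_OFFSET = 0x40
HASH_FIELD_LEN = 64

# Key for the baseline tag. It must be held on the management station, not on
# the RSU: anyone who can write the EEPROM (or holds root) could otherwise
# re-sign a tampered image. Example value only.
BASELINE_KEY = b"example-baseline-key-held-off-device"

# crypt(3) scheme identifiers considered weak here (md5crypt).
WEAK_SCHEMES = {"1"}


def build_image(password_hash: bytes) -> bytes:
    """Build a constructed EEPROM dump with the hash string at the assumed offset."""
    if len(password_hash) >= HASH_FIELD_LEN:
        raise ValueError("hash does not fit in the field")
    img = bytearray(b"\xff" * EEPROM_SIZE)
    img[HASH_FIELD_OFFSET:HASH_FIELD_OFFSET + HASH_FIELD_LEN] = password_hash.ljust(HASH_FIELD_LEN, b"\x00")
    return bytes(img)


def extract_hash_field(img: bytes) -> bytes:
    """Return the NUL-terminated hash string stored in the authentication field."""
    field = img[HASH_FIELD_OFFSET:HASH_FIELD_OFFSET + HASH_FIELD_LEN]
    return field.split(b"\x00", 1)[0]


def hash_scheme(hash_str: bytes):
    """Parse the crypt(3) '$id$salt$hash' prefix; None if the field is not that shape."""
    parts = hash_str.split(b"$")
    if len(parts) < 4 or parts[0] != b"":
        return None
    return parts[1].decode("ascii", errors="replace")


def baseline_tag(img: bytes) -> str:
    """HMAC over the authentication-critical region, computed at provisioning."""
    region = img[HASH_FIELD_OFFSET:HASH_FIELD_OFFSET + HASH_FIELD_LEN]
    return hmac.new(BASELINE_KEY, region, hashlib.sha256).hexdigest()


def changed_ranges(baseline: bytes, current: bytes):
    """List (start, end) byte ranges, end exclusive, that differ between two dumps."""
    if len(baseline) != len(current):
        raise ValueError("dump sizes differ")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(baseline)))
    return ranges


def check_dump(current: bytes, expected_tag: str, baseline: bytes) -> dict:
    """Compare a fresh EEPROM dump against the provisioning baseline and its tag."""
    field = extract_hash_field(current)
    scheme = hash_scheme(field)
    hash_start, hash_end = HASH_FIELD_OFFSET, HASH_FIELD_OFFSET + HASH_FIELD_LEN
    diffs = changed_ranges(baseline, current)
    return {
        "auth_field_tampered": not hmac.compare_digest(baseline_tag(current), expected_tag),
        "scheme": scheme,
        "weak_scheme": scheme in WEAK_SCHEMES,
        "changed_ranges": diffs,
        "changes_touch_auth_field": any(s < hash_end and e > hash_start for s, e in diffs),
    }


if __name__ == "__main__":
    # Constructed sample: the hash recorded at provisioning, then a later dump in
    # which the field holds a different string. Both values are made up.
    provisioned = build_image(b"$6$examplesalt$examplehashvalue")
    tag = baseline_tag(provisioned)
    current = build_image(b"$1$replacedsalt$replacedhash")
    print(check_dump(current, tag, provisioned))
```

The comparison deliberately runs against a dump retrieved to the management station rather than as a check on the RSU itself: once the EEPROM can be rewritten, any on-device check can be rewritten with it, so the baseline, the key and the comparison all have to live outside the unit.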
