Kapsch TrafficCom RIS-9160, RIS-9260, and RIS-9360 Roadside Units Unauthenticated EFI Shell Vulnerability Allows Arbitrary Code Execution and Privilege Escalation
Vulnerability
A vulnerability exists in Kapsch TrafficCom RIS-9160, RIS-9260, and RIS-9360 Roadside Units (RSUs) in versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. The issue arises from an unauthenticated EFI shell that allows attackers to execute arbitrary code or escalate privileges during the boot process. The root cause is missing access control on the boot path: Secure Boot is disabled, so unsigned bootloaders and operating system kernels are executed without any signature check. The flaw can be exploited to gain root access on the device, with potential implications for manipulating V2X systems and connected infrastructure.
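The advisory's key defensive check is whether Secure Boot is actually enforcing on the device. The following added example (not code from the advisory or from Kapsch TrafficCom) shows how to read that state from a Linux host through efivarfs, which exposes each UEFI variable as a file whose body is a 4-byte little-endian attribute word followed by the variable data. It assumes the audited system is Linux with efivarfs mounted at /sys/firmware/efi/efivars; the sample bytes in the `__main__` section are constructed. It also goes beyond the single SecureBoot flag by checking SetupMode, because a platform in Setup Mode accepts new signing keys without authorization even when SecureBoot reads 1.

```python
"""Assess UEFI Secure Boot enforcement from efivarfs (added example, Linux only)."""
import os
import struct
from typing import Optional

# efivarfs mount point assumed for the audited host.
EFIVARS = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE GUID: SecureBoot and SetupMode live under this namespace.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# UEFI variable attribute bits (from the UEFI specification).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """Split an efivarfs file body into (attributes, data).

    efivarfs prepends a UINT32 attribute word to the raw variable contents.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """Decode a one-byte boolean UEFI variable such as SecureBoot or SetupMode."""
    _attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def assess(secureboot_raw: bytes, setupmode_raw: Optional[bytes]) -> dict:
    """Return {'enforcing': bool, 'findings': [..]} for the given variable bodies.

    Secure Boot only enforces signature checks when SecureBoot == 1 and the
    platform is not in Setup Mode (SetupMode == 0).
    """
    enabled = boolean_var(secureboot_raw)
    setup_mode = boolean_var(setupmode_raw) if setupmode_raw is not None else False
    findings = []
    if not enabled:
        findings.append("SecureBoot is 0: unsigned bootloaders and kernels will be executed")
    if setup_mode:
        findings.append("platform is in Setup Mode: signing key databases can be rewritten")
    return {"enforcing": enabled and not setup_mode, "findings": findings}


def read_host(efivars: str = EFIVARS) -> dict:
    """Read the live variables from efivarfs and assess them.

    A host booted in legacy BIOS mode, or one whose firmware has no Secure Boot
    support, exposes no SecureBoot variable at all; report that as not enforcing.
    """
    sb_path = os.path.join(efivars, f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}")
    sm_path = os.path.join(efivars, f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}")
    if not os.path.exists(sb_path):
        return {"enforcing": False,
                "findings": ["no SecureBoot variable: legacy boot or no Secure Boot support"]}
    with open(sb_path, "rb") as f:
        sb_raw = f.read()
    sm_raw = None
    if os.path.exists(sm_path):
        with open(sm_path, "rb") as f:
            sm_raw = f.read()
    return assess(sb_raw, sm_raw)


if __name__ == "__main__":
    # Constructed sample bodies: attributes BS|RT (0x06) followed by one data byte.
    enforcing_sample = assess(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
    disabled_sample = assess(b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
    print("constructed enforcing sample:", enforcing_sample)
    print("constructed disabled sample: ", disabled_sample)
    print("this host:", read_host())
```

Run it as root (or any user with read access to efivarfs) on the system under review; a result of `enforcing: False` with the "SecureBoot is 0" finding corresponds to the condition the advisory describes, where the firmware will hand control to an unsigned bootloader or shell.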
Impact
Exploitation of this vulnerability leads to unauthorized access and control over the affected RSUs, allowing for persistent root access that survives reboots. This access could be used to modify critical system components, including firmware and EEPROM data, neither of which is protected by a lock bit mechanism.
Reproduction
The vulnerability can be reproduced by accessing the EFI shell on the affected RSUs. After gaining access to the EFI shell, the microSD card can be used to transfer files and modify the embedded operating system. Once the modifications are made, the altered files can be copied back to the RSU, effectively overwriting the original system files. This process can include adding SSH keys for remote access or changing EEPROM values to insert custom password hashes, thereby achieving persistent root access.
