CVE-2022-41636: Cleartext Communication Vulnerability in Haas Controller "Ethernet Q Commands" Service

CVE-2022-41636 is a critical vulnerability affecting the "Ethernet Q Commands" service in Haas Controller version 100.20.000.111, commonly used in CNC machines. The issue arises due to the transmission of sensitive information in cleartext. Specifically, an attacker is able to obtain critical data being passed to and from the controller, presenting significant security risks.

In this post, we will highlight the reasons behind this vulnerability, provide a code snippet to demonstrate the problem, reference original sources, and share details about the exploit.

Exploit Details

Haas Controller, which is primarily employed for managing CNC machines, regularly routes communication traffic through the "Ethernet Q Commands" service. The main function of this service is to ensure seamless connectivity between the controller and other devices on the network. Unfortunately, due to the issue laid out in CVE-2022-41636, data being sent to and from the controller is exposed in cleartext. This can be easily intercepted and analyzed by attackers, allowing them to view sensitive information.

Let's take a closer look at the vulnerability by examining a code snippet that shows how the "Ethernet Q Commands" service fails to encrypt communication traffic.

import socket

# Haas Controller IP address and port
ip_address = "192.168..10"
port = 901

# Create a socket and connect to Haas Controller "Ethernet Q Commands" service
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip_address, port))

# Commands to be sent to Haas Controller
commands = ["Q100", "Q104", "Q500", "Q600"]

# Send commands and read responses in cleartext
for command in commands:
    sock.sendall(command.encode("utf-8"))
    response = sock.recv(1024)
    print(f"Command: {command}, Response: {response.decode('utf-8')}")

sock.close()

In the code snippet above, we connect via a socket to a Haas Controller, which is identified by its IP address and the "Ethernet Q Commands" service's port number (in this case, 192.168..10 and 901, respectively). We then send various commands to the Haas Controller in cleartext using the socket. Similarly, the responses from the Haas Controller are also received in cleartext. As a result, critical information is exchanged in an unencrypted format, making it vulnerable to eavesdropping attacks.

More information about CVE-2022-41636 can be found in the following official references

1. National Vulnerability Database (NVD) - CVE-2022-41636
2. Common Vulnerabilities and Exposures (CVE) - CVE-2022-41636

At the time of writing this post, no official patch has been released by Haas Automation to address this vulnerability. It is crucial for organizations using Haas Controller version 100.20.000.111 or similar versions to keep a close eye on the updates and apply patches as soon as they are available. Meanwhile, organizations can take necessary precautions to limit system access and employ network traffic encryption mechanisms like VPNs and TLS to protect sensitive information.

Conclusion

CVE-2022-41636 presents a high-risk vulnerability in the "Ethernet Q Commands" service of the Haas Controller version 100.20.000.111. Communication traffic containing critical data is transmitted in cleartext, which can be easily intercepted by malicious actors. To minimize exposure, users should keep their software up-to-date and follow industry-standard security practices.

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 11/01/2022 20:27:00 UTC