MBS: Several security vulnerabilities in the UGW web GUI

The MBS Universal Gateways (UGW-A-Series, UGW-X-Series) connect devices using various digital communication protocols within the field of building automation. Several security vulnerabilities have been identified in the UGW web GUI and the underlying firmware, affecting version V6_0_0_5 and earlier.

Among other things, several CGI methods are affected by insufficient input validation and a lack of bounds checking. These flaws allow authorized attackers to perform arbitrary file deletion, include local files, or terminate system processes. Furthermore, multiple stack-based buffer overflows were discovered that can be exploited to execute arbitrary code with root privileges, leading to a full system compromise. Additionally, the firmware contains a hardcoded default password for a service account, which significantly lowers the barrier for unauthorized access.

Exploitation of these vulnerabilities may allow an authenticated attacker to read or delete arbitrary local files on the affected UGW devices, terminate system processes, or gain unauthorized access through a known service account password. Most significantly, stack-based buffer overflows in several CGI endpoints can be leveraged to execute arbitrary code with root privileges, potentially resulting in a full system compromise. In addition, these flaws can be abused to cause a denial of service or to access confidential configuration data.

Update the affected products to firmware version V6_0_0_7.

These are available at en.mbs-solutions.de/firmwareupdate

MBS GmbH thanks the following parties for their efforts:

• CERT@VDE for coordination (see https://certvde.com )
• Adrien Rey from Cyber Defense Campus Zurich for reporting (see https://www.cydcampus.admin.ch )
• Daniel Hulliger from Armasuisse for reporting (see https://www.ar.admin.ch )