Siklu EtherHaul Series - Unauthenticated Remote Command Execution

Executive Summary

The Ceragon/Siklu EtherHaul series devices contain an unauthenticated remote command execution (RCE) vulnerability. This critical security flaw allows remote attackers to execute arbitrary commands on affected devices without any authentication, potentially leading to complete device compromise.

Severity: Critical
CVSS Score: Pending
CVE ID: Pending
Affected Versions: Firmware 7.4.0 - 10.7.3 (likely all versions since 7.4.0)

Vulnerability Details

Description

The vulnerability exists in the rfpiped service listening on TCP port 555. Despite a previous patch attempt in 2017 for a similar vulnerability, the current implementation’s encryption scheme can be bypassed, allowing attackers to craft malicious packets that execute privileged commands remotely.

Impact

  • Remote Command Execution: Attackers can execute arbitrary CLI commands
  • Network Compromise: Affected devices can serve as entry points into protected networks
  • No Authentication Required: Exploitation requires no credentials or prior access

Technical Root Cause

The vulnerability stems from a weak cryptographic implementation in the inter-device communication protocol. Encryption was added as a mitigation for CVE-2017-7318, but the implementation uses:

  • Static encryption keys hardcoded in the binary
  • Predictable initialization vectors (IVs)
  • No authentication mechanism for command packets
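The three weaknesses above compound: a static key and static IV make identical commands produce identical ciphertext, and without a message authentication code a captured packet can be replayed or altered without detection. The following is an added example, not the vendor's protocol or any code from this advisory; it shows what the missing controls look like in a hardened command channel. Every packet carries a strictly increasing sequence number and an HMAC-SHA256 tag over the whole packet, so the receiver rejects both forged and replayed packets. The key, packet layout and field names are assumptions made for this illustration.

```python
"""Added illustration (not the vendor's protocol): authenticated,
replay-resistant command packets. Layout, key and names are assumed."""
import hmac
import hashlib
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq (4 bytes, big-endian) || payload || HMAC(key, seq || payload)."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies the tag before anything else and remembers the highest
    sequence number accepted, so a captured packet cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def open(self, packet: bytes):
        """Return (payload, "ok") or (None, reason) for a rejected packet."""
        if len(packet) < 4 + TAG_LEN:
            return None, "too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a forged or modified packet fails here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq = struct.unpack(">I", body[:4])[0]
        # Strictly increasing sequence numbers: a replayed capture fails here.
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[4:], "ok"


def demo():
    """Walk one receiver through a valid, replayed, tampered and new packet."""
    key = b"\x11" * 32  # constructed session key for the example
    rx = Receiver(key)
    pkt = seal(key, 1, b"show system")
    results = [rx.open(pkt)[1]]                 # "ok"
    results.append(rx.open(pkt)[1])             # "replay": same bytes again
    forged = bytearray(pkt)
    forged[4] ^= 0x01                           # flip one bit of the payload
    results.append(rx.open(bytes(forged))[1])   # "bad tag"
    results.append(rx.open(seal(key, 2, b"show version"))[1])  # "ok"
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence counter only defends against replay if it is bound into the tag, which is why the HMAC covers the sequence field as well as the payload; a tag over the payload alone would let a captured packet be re-sent with a fresh counter.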

Investigation Timeline

Background

Building upon research by Ian C Lang (late 2016), who disclosed a similar vulnerability affecting firmware versions earlier than 7.4.0, this investigation examined whether the vendor’s patch adequately addressed the underlying security issues.

Technical Analysis (Summary)

Note: This section provides a high-level overview of the vulnerability discovery process. A comprehensive technical deep-dive, including detailed methodology, reverse engineering steps, and cryptographic analysis, will be published once a patch becomes available, in keeping with responsible disclosure practice.

  1. Service Discovery
    • Confirmed rfpiped still listens on TCP port 555
    • Service binds to all IPv4 and IPv6 addresses (tcp6 *:555)
    • Inter-device communication occurs over link-local IPv6 addresses
  2. Packet Analysis
    • Initial packet captures showed encrypted payloads
    • Repeated packets suggested replay attack potential
    • Successfully replayed sensitive actions on devices running firmware versions 10.6.2 and 10.7.3
  3. Encryption Analysis
    • Reverse engineering revealed AES-256 encryption implementation
    • Located hardcoded encryption key in rfpiped binary
    • Recovered static IV through cryptographic analysis
    • Confirmed packet structure remained unchanged from pre-patch versions
  4. Exploitation
    • Developed proof-of-concept demonstrating arbitrary command execution
    • Verified ability to add administrative users remotely
    • Confirmed vulnerability across multiple firmware versions

Affected Products

Confirmed Vulnerable

  • Product: Ceragon/Siklu EtherHaul Series devices (Tested on 8010 and 1200)
  • Versions: 10.6.2, 10.7.3 (tested)
  • Likely Affected: All EtherHaul series devices running firmware 7.4.0 or later

Patch Status

No patch available at the time of this disclosure.

Mitigation Recommendations

Immediate Actions

  1. Network Isolation: Isolate affected devices from untrusted networks
  2. Firewall Rules: Block TCP port 555 traffic to/from EtherHaul devices
  3. Access Control Lists: Implement strict ACLs limiting device communication

Long-term Recommendations

  1. Device Replacement: Consider replacing affected devices until patches are available
  2. Network Segmentation: Implement proper network segmentation for critical infrastructure
  3. Monitoring: Enable logging and monitor for suspicious activities on port 555
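As an added example for the monitoring recommendation (this is not code from the advisory), the following detector reads firewall or flow log lines in a key=value form, constructed here for the example, and flags TCP/555 connections that do not originate from an IPv6 link-local peer. The baseline rests on the observation earlier in this advisory that legitimate inter-device rfpiped traffic occurs over link-local IPv6; the log format, host names and addresses are assumptions.

```python
"""Added example (not from the advisory): flag rfpiped (TCP/555)
connections from unexpected sources in a constructed key=value log."""
import ipaddress
import re

RFPIPED_PORT = 555

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-08-03T10:15:02Z fw01 conn src=fe80::1a2b:3c4d:5e6f:7a8b dst=fe80::9abc:def0:1234:5678 proto=tcp sport=41022 dport=555
2025-08-03T10:15:09Z fw01 conn src=203.0.113.45 dst=192.0.2.10 proto=tcp sport=51234 dport=555
2025-08-03T10:15:11Z fw01 conn src=192.0.2.77 dst=192.0.2.10 proto=tcp sport=50222 dport=22
2025-08-03T10:15:20Z fw01 conn src=2001:db8::5 dst=2001:db8::10 proto=tcp sport=33000 dport=555
2025-08-03T10:15:25Z fw01 conn src=198.51.100.9 dst=192.0.2.10 proto=udp sport=4000 dport=555
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (timestamp, fields dict) for one log line, or None if malformed."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0], dict(FIELD_RE.findall(parts[1]))


def is_link_local_v6(addr_text):
    """True only for IPv6 addresses inside fe80::/10."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return isinstance(addr, ipaddress.IPv6Address) and addr.is_link_local


def suspicious_rfpiped_connections(log_text):
    """Return a list of (timestamp, src, dst, reason) for TCP/555 flows
    whose source is not an IPv6 link-local peer."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("proto") != "tcp" or f.get("dport") != str(RFPIPED_PORT):
            continue
        src = f.get("src", "")
        if is_link_local_v6(src):
            continue  # matches the expected peer-to-peer traffic pattern
        reason = "IPv4 source" if ":" not in src else "non-link-local IPv6 source"
        alerts.append((ts, src, f.get("dst", ""), reason))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_rfpiped_connections(SAMPLE_LOG):
        print("ALERT rfpiped: ts=%s src=%s dst=%s (%s)" % alert)
```

Because the advisory notes that the service also accepts IPv4 and global IPv6 connections, any such TCP/555 flow reaching a device from outside its link-local peer set is worth an alert; where the radio link's peer addresses are known, an allow-list of those addresses gives a tighter rule than the link-local check alone.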

Responsible Disclosure Timeline

  • Initial Discovery: 2025-04-12
  • Vendor Notification: 2025-04-16
  • 90-Day Disclosure Notice: 2025-04-28
  • Extension Offer: 2025-05-28 (No response received)
  • Public Disclosure: 2025-08-02

Vendor Response

When asked for an estimated patch timeline, the vendor stated:

Although we cannot estimate an ETA at this stage, the topic is already under review as part of our continuous improvement approach, and steps toward enhancing it are being considered.

Proof of Concept

Due to the critical nature of this vulnerability and the lack of available patches, the encryption key and full exploit code are being withheld at this time. A redacted version demonstrating the cryptographic recovery process for the IV is shown below:

from Crypto.Cipher import AES

# Known values (redacted)
key_hex = "<REDACTED>"
p0_hex  = "0000000000000000000000ad00000000"
c0_hex  = "3d6f17eec0524870dac244fe2e357952"

# Convert to bytes
key = bytes.fromhex(key_hex)
p0 = bytes.fromhex(p0_hex)
c0 = bytes.fromhex(c0_hex)

# In CBC mode C0 = E_k(P0 XOR IV), so D_k(C0) = P0 XOR IV.
# Decrypt the first ciphertext block as a raw AES block (ECB = single-block AES)
cipher = AES.new(key, AES.MODE_ECB)
intermediate = cipher.decrypt(c0)

# XOR with the known first plaintext block to recover the IV
iv = bytes([a ^ b for a, b in zip(intermediate, p0)])

print("Recovered IV:", iv.hex())

Acknowledgments

Thanks to Ian C Lang for the original research that provided the foundation for this investigation.


Disclaimer: This disclosure is provided for educational and defensive purposes. The author is not responsible for any misuse of this information.