CVE-2024-36439

9.4 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to bypass authentication on Swissphone DiCal-RED 4009 devices by using the device password's hash value instead of the actual password. Attackers can gain administrative access to the web interface without legitimate credentials. Organizations using these radio data modules for emergency communications are affected.

💻 Affected Systems

Products:
  • Swissphone DiCal-RED 4009
Versions: All versions prior to patched firmware
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with web interface enabled are vulnerable. The vulnerability exists in the authentication mechanism that accepts hash values directly.

⚠️ Manual Verification Required

This CVE has no version ranges recorded in NVD or a vendor advisory, so automated version matching cannot determine whether a given device is affected.

Why? The CVE entry names the product (DiCal-RED 4009) but not which firmware versions are vulnerable or which version fixes the issue.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of emergency communication infrastructure, allowing attackers to disrupt critical communications, intercept sensitive data, or deploy ransomware on connected systems.

🟠

Likely Case

Unauthorized administrative access leading to configuration changes, service disruption, or data exfiltration from the affected devices.

🟢

If Mitigated

Limited impact if devices are isolated in secure networks with strict access controls, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked without authentication, enabling immediate compromise.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this vulnerability to gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the device password's hash, which may be obtainable through other vulnerabilities or default configurations. Once the hash is in hand no cracking step is needed: the device accepts the hash itself as the credential, so possession of the hash is equivalent to possession of the password. Public disclosures include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with Swissphone for specific firmware version

Vendor Advisory: https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red/

Restart Required: Yes

Instructions:

  1. Contact Swissphone for the latest DiCal-RED 4009 firmware.
  2. Back up the device configuration.
  3. Apply the firmware update via the web interface or console.
  4. Verify that authentication now rejects the password hash and requires the actual password.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Place devices in an isolated management VLAN with firewall rules that allow access only from designated management stations. This limits who can reach the login page; it does not remove the bypass for anyone who can.

Disable Web Interface (applies to: all)

If web management is not required, disable the administrative web interface entirely, since the web login is the authentication path this CVE affects.

🧯 If You Can't Patch

  • Implement network segmentation with strict access controls to limit which systems can reach the devices' management interface.
  • Monitor authentication logs for logins from unexpected sources and for successful logins preceded by a run of failures; where the submitted credential is visible to you (plaintext HTTP or a TLS-terminating proxy), alert on hex-digest-shaped values in the password field.
  • Treat the password hash as the credential it effectively is: rotate the device password after any suspected exposure of its hash, and keep any file or backup that may contain it under the same protection as the password itself.

🔍 How to Verify

Check if Vulnerable:

Using the hash of a known device password (computed with the same algorithm the device stores, so that it matches what the device holds), attempt to log in to the administrative interface with the hash in place of the password. If access is granted, the device is vulnerable. Run this only against devices you are authorized to test.
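The check described above, together with the mechanism from the TL;DR (a login that accepts the stored hash in place of the password), as an added Python example. This is not Swissphone's code and not the device's real login logic: it assumes an unsalted MD5 verifier, a login form that submits that digest, and an invented password and field layout, none of which the advisory states. It puts the vulnerable handler beside a hardened one and expresses the pass-the-hash test as a function that can be pointed at either.

```python
"""
Added example, not Swissphone's code: a minimal model of a web login
handler that can be passed the stored password hash, beside a hardened
handler, and the "Check if Vulnerable" step expressed as a function.

Assumptions (the advisory does not state them): the vulnerable device
stores an unsalted MD5 digest of the password and its login form submits
that digest, so whoever holds the digest can log in without knowing the
password. The password and record layout are invented.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the hardened design


# --- vulnerable design: the stored verifier is exactly what the client submits --

def client_vulnerable(password: str) -> str:
    """Assumed client behaviour: the login form hashes the password itself."""
    return hashlib.md5(password.encode()).hexdigest()


def store_vulnerable(password: str) -> str:
    """Stored verifier: the same unsalted digest the client sends."""
    return hashlib.md5(password.encode()).hexdigest()


def login_vulnerable(stored_digest: str, submitted: str) -> bool:
    """Compares the submitted value with the stored digest. Anyone holding
    the digest (from another bug, a backup, ...) logs in: pass-the-hash."""
    return hmac.compare_digest(stored_digest, submitted)


# --- hardened design: the server derives the verifier from the password -------

def client_hardened(password: str) -> str:
    """The client sends the password itself, protected in transit by TLS."""
    return password


def store_hardened(password: str) -> dict:
    """Salted, slow verifier. The stored record is never equal to anything a
    client submits, so replaying a leaked record does not authenticate."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "verifier": verifier}


def login_hardened(record: dict, submitted: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["verifier"], candidate)


# --- the "Check if Vulnerable" step -------------------------------------------

def accepts_pass_the_hash(login, client, record, password, stored_credential) -> bool:
    """True when submitting the stored credential works as well as the real
    password does. The normal login is tried first so a broken setup does
    not masquerade as "not vulnerable"."""
    if not login(record, client(password)):
        raise ValueError("normal login failed; the check is inconclusive")
    return login(record, stored_credential)


def demo(password: str = "Sw1ssph0ne!") -> dict:
    """Runs the check against both designs with an invented password."""
    vuln_record = store_vulnerable(password)
    hard_record = store_hardened(password)
    return {
        "vulnerable": accepts_pass_the_hash(
            login_vulnerable, client_vulnerable, vuln_record, password, vuln_record),
        "hardened": accepts_pass_the_hash(
            login_hardened, client_hardened, hard_record, password,
            hard_record["verifier"].hex()),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': True, 'hardened': False}
```

The hardened variant is not "the fix" Swissphone shipped (the page does not say what the fix is); it illustrates the property a fix must have: the value stored on the device must not itself be accepted as a login credential.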

Check Version:

Check firmware version via web interface or console. Command varies by device configuration.

Verify Fix Applied:

After patching, verify that authentication now requires the actual password and rejects hash-based authentication attempts.

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts using hash-like strings
  • Multiple failed login attempts followed by successful admin access
  • Unusual source IPs accessing administrative interface

Network Indicators:

  • HTTP requests to admin endpoints with hash parameters
  • Traffic to devices from unexpected networks

SIEM Query (illustrative Splunk-style search; field names depend on how the device's syslog is parsed):

source="dical-red" event_type="authentication"
| stats count(eval(status="failure")) AS failures, count(eval(status="success")) AS successes BY src_ip
| where failures >= 3 AND successes > 0

A credential value shaped like a raw hex digest can only be matched where that value is visible to the SIEM (plaintext HTTP or a TLS-terminating proxy), for example with | regex credential="^[0-9a-fA-F]{32,64}$" on a field that carries the submitted password. If the device's own login form submits a hash, every legitimate login will match, so baseline against a known-good login before alerting on it.
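The log and network indicators above, run over a constructed sample, as an added example that is not part of the advisory or the vendor's tooling. The log line format, the HTTP parameter names, the IP addresses and the list of allowed management stations are all invented for the example; the real DiCal-RED log format is not given on this page.

```python
"""
Added example (not from the advisory or the vendor): the detection
indicators applied to constructed samples. Log format, parameter names,
addresses and the allowed-source list are invented for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Hex digest lengths for MD5 / SHA-1 / SHA-256.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def is_hash_like(value: str) -> bool:
    return bool(HEX_DIGEST.match(value))


# Constructed sample of login requests as seen at a TLS-terminating proxy or
# in a capture of plaintext HTTP: (method, path, form body). Names assumed.
SAMPLE_REQUESTS = [
    ("POST", "/login", "user=admin&password=Sw1ssph0ne%21"),
    ("POST", "/login", "user=admin&password=5f4dcc3b5aa765d61d8327deb882cf99"),
    ("GET", "/status", ""),
]


def find_hash_credentials(requests, login_paths=("/login",)):
    """Network indicator: login POSTs whose form values look like a raw digest.
    Caveat: if the device's own form hashes in the browser, every legitimate
    login matches too; compare against a known-good login first."""
    hits = []
    for method, path, body in requests:
        if method != "POST" or path not in login_paths:
            continue
        for name, values in parse_qs(body).items():
            for value in values:
                if is_hash_like(value):
                    hits.append((path, name, value))
    return hits


# Constructed syslog-style auth records (format invented for the example).
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) dical-red auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_AUTH_LOG = """\
2024-08-05T10:00:01Z dical-red auth: result=success user=admin src=10.20.30.5
2024-08-05T10:05:10Z dical-red auth: result=failure user=admin src=203.0.113.7
2024-08-05T10:05:12Z dical-red auth: result=failure user=admin src=203.0.113.7
2024-08-05T10:05:14Z dical-red auth: result=failure user=admin src=203.0.113.7
2024-08-05T10:05:20Z dical-red auth: result=success user=admin src=203.0.113.7
2024-08-05T11:00:00Z dical-red auth: result=success user=admin src=192.0.2.9
""".splitlines()


def scan_auth_log(lines, allowed_sources, fail_threshold=3, window=timedelta(minutes=10)):
    """Log indicators: a success from a source that is not an allowed
    management station, and a success preceded by a run of failures from
    the same source within the window."""
    findings = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = m["src"]
        if m["result"] == "failure":
            recent_failures[src].append(ts)
            continue
        if src not in allowed_sources:
            findings.append(("success_from_unexpected_source", src, m["ts"]))
        if len([t for t in recent_failures[src] if ts - t <= window]) >= fail_threshold:
            findings.append(("success_after_failures", src, m["ts"]))
        recent_failures[src].clear()
    return findings


def demo():
    return {
        "hash_credentials": find_hash_credentials(SAMPLE_REQUESTS),
        "auth_findings": scan_auth_log(SAMPLE_AUTH_LOG, allowed_sources={"10.20.30.5"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Of the two, the auth-log scan is the one that works regardless of transport; the hash-shaped-credential check needs the submitted value, which a SIEM only sees when the login is plaintext HTTP or TLS is terminated upstream of the device.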
