After I heard that a Moxa NPort 5600 server is used to remotely read/write a repeater, I did some research on the security and vulnerabilities of the NPort 5600 series.
At first everything looks OK-ish: the server is password protected, and nobody can get in either through the browser or through the command line interface. But does an intruder, who ultimately wants access to an RS232 device connected to the NPort, really need access to the server itself? The answer is no. We can assume that if someone is running an NPort server, everything is working and configured just fine, otherwise it would not be in service. So let us focus on connecting to the server. Let us further assume we have no inside information and do not know the brand and model in use; in this case, for example, the Hamnetdb only says "RS232 Controller". If the IP address is opened in a browser, only a password input field is shown, but over telnet there is a lot more:
Connected to target.ip
Escape character is '^]'.
Model name : NPort 5610-16
MAC address : 00:90:E5:05:61:B5
Serial No. : 231
Firmware version : 3.5 Build 11080114
System uptime : 22 days, 06h:47m:28s
And this is, in my opinion, the first very weak point of the device: all of this is shown before the password prompt, so everyone gets the exact model, firmware version and uptime without authentication. This is not necessary and makes no sense to me. With this crumb we can gain a lot more information, because we can download the manual, which tells us everything about how it works and what software tools are needed to access the RS232 ports. The software can also be downloaded from the manufacturer without obstacles and for free, thank you very much. With the DSU (Device Search Utility) the server shows the same info as the telnet connect, directly after entering an IP address. Same with the NPort Search Tool; the firmware upgrade function is blocked, as it should be. The admin tool is, in my personal opinion, just bat shit crazy: one immediately has access to the COM port mappings, and they can be mapped to our local machine without any password or other security mechanism.
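To find out which serial servers on your own network hand out this pre-auth banner, the following audit helper (an added example, not code from the original post or from Moxa) connects to the telnet port, strips telnet option negotiation, and parses the field names exactly as they appear above. It assumes telnet on TCP 23 and that the login prompt is the first line containing the word "password"; the hostnames and the sample banner used in testing are constructed.

```python
import re
import socket

IAC = 0xFF                        # telnet "Interpret As Command" byte
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT each carry one option byte
# Field names exactly as the NPort prints them on a telnet connect, before any login.
FIELD_RE = re.compile(
    r"^\s*(Model name|MAC address|Serial No\.|Firmware version|System uptime)\s*:\s*(.+?)\s*$",
    re.MULTILINE,
)

def strip_telnet_iac(raw: bytes) -> bytes:
    """Remove telnet option negotiation so only the printable banner is left."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == IAC and i + 1 < len(raw):
            if raw[i + 1] == IAC:           # IAC IAC is an escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif raw[i + 1] in NEGOTIATE:   # IAC <verb> <option>
                i += 3
            else:                           # IAC <command>
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return bytes(out)

def parse_nport_banner(text: str) -> dict:
    """Map banner field names to values, e.g. {'Model name': 'NPort 5610-16', ...}."""
    return dict(FIELD_RE.findall(text))

def disclosed_before_login(raw: bytes) -> dict:
    """Fields sent before the password prompt (assumed: first line containing 'password')."""
    text = strip_telnet_iac(raw).decode("latin-1")
    pre_auth = re.split(r"(?im)^.*password.*$", text, maxsplit=1)[0]
    return parse_nport_banner(pre_auth)

def audit_host(ip: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect to one serial server and report what it reveals before login."""
    raw = b""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        try:
            while len(raw) < 4096 and (data := sock.recv(1024)):
                raw += data
        except socket.timeout:
            pass  # nothing more to read: the device is waiting at its prompt
    leaked = disclosed_before_login(raw)
    return {"host": ip, "exposed": bool(leaked), "fields": leaked}
```

A device whose report has `exposed` set is one where the model and firmware are readable by anyone who can reach TCP 23, which is what the IP restriction discussed further down is meant to prevent.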
Now that the ports are available on the remote machine, they can be used to access the connected RS232 devices, in this case a repeater. Anyone can read/write and manipulate the repeater.
In this case it is “only” a repeater. I searched the intwebs and found the addresses of a few NPort 5610, all with the same behavior, only god and maybe the owners know what is connected to the ports, I hope for them that it’s nothing critical…
A first workaround could be to restrict the IP addresses that are forwarded to the RS232 server, or to shut down the port(s) via the web interface and only activate them when you need a connection. It should only be possible to map the remote ports and start using them after a password check. The current behavior is in my opinion not acceptable: every man and his dog can get access, the IP address is no barrier whatsoever, and a quick shodan.io search is enough to find a few NPorts…