Classification
--------------

- CWE-306: Missing Authentication for Critical Function
- CWE-940: Improper Verification of Source of a Communication Channel
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CVSS 4.0 Score: 8.4 / High
  CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H
- CVSS 3.1 Score: 8.3 / High
  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Affected systems
----------------

- Piciorgros TMO-100 V3/V4 with software version below 4.20
  (discovered in V3.72)

Summary
-------

The Piciorgros TMO-100 is a data modem for TETRA radio networks. It has an
open TFTP service that cannot be disabled, allowing the modem configuration
to be read and written without authentication. TFTP access is possible via
both LAN and TETRA, meaning that an attacker who has gained access to either
of these networks can change the configuration of all modems in the same
TETRA data network. This allows the attacker to configure port forwarding to
gain access to systems behind the modems, or to delete the dial-in data of
the modems, disconnecting critical infrastructure facilities.

Starting with software version 4.20, TFTP access is only activated for a
15-minute time window after a web login to prevent attacks during normal
operation.

Details
-------

During a penetration test carried out on behalf of a customer, a Piciorgros
TMO-100 data modem was part of the test scope. The documentation and port
scans revealed that a TFTP service (UDP port 69) was active for uploading
the firmware and for accessing the configuration ("config.tmo"), the voice
alarms ("voicealarms.tmo") and another file ("plog.tmo"). Access is possible
via the IP Loader software provided by the manufacturer or with a TFTP
client:

    $ atftp 192.168.0.199
    tftp> get config.tmo
    tftp>
    $ ls -al config.tmo
    -rw-rw-r-- 1 pentest pentest 157184 Feb 21 16:13 config.tmo

This access is possible both via LAN and via the TETRA data network.
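Because the service cannot be switched off on affected versions, operators may want to watch for it being used. The following is an added example (not part of the advisory and not vendor code) that decodes the UDP payload of TFTP request packets per RFC 1350 and flags reads and writes of the three file names the advisory lists; the packet tuples are constructed sample input, and the severity labels are the author's assumption.

```python
import struct
from typing import Optional

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ"}
# Files the advisory names as reachable through the unauthenticated TFTP service.
SENSITIVE_FILES = {"config.tmo", "voicealarms.tmo", "plog.tmo"}

def parse_tftp_request(payload: bytes) -> Optional[dict]:
    """Decode a TFTP RRQ/WRQ (RFC 1350): opcode (2 bytes) | filename NUL | mode NUL."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None  # DATA, ACK, ERROR and OACK packets carry no filename
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode and the empty piece after the last NUL
        return None
    return {"op": OPCODES[opcode],
            "filename": fields[0].decode("latin-1"),
            "mode": fields[1].decode("latin-1").lower()}

def inspect_packet(src: str, dst: str, dport: int, payload: bytes) -> Optional[str]:
    """Return an alert line when a TMO-100 configuration file is requested, else None."""
    if dport != TFTP_PORT:
        return None
    req = parse_tftp_request(payload)
    if req is None:
        return None
    name = req["filename"].rsplit("/", 1)[-1].lower()
    if name not in SENSITIVE_FILES:
        return None
    # A write (WRQ) replaces the modem configuration, so it is rated higher (assumed scale).
    severity = "HIGH" if req["op"] == "WRQ" else "MEDIUM"
    return f"{severity}: {src} -> {dst} TFTP {req['op']} {req['filename']} ({req['mode']})"

# Constructed sample traffic (src, dst, dst port, UDP payload); not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x01config.tmo\x00octet\x00"),    # read
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x02config.tmo\x00octet\x00"),    # write
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x01firmware.bin\x00octet\x00"),  # other file
    ("10.0.0.5", "192.168.0.199", 69, b"\x00\x04\x00\x01"),                   # ACK
    ("10.0.0.5", "192.168.0.199", 53, b"\x00\x01config.tmo\x00octet\x00"),    # not TFTP
]

def scan(packets=SAMPLE_PACKETS) -> list:
    """Run the check over a list of packets and collect the alert lines."""
    return [a for a in (inspect_packet(*p) for p in packets) if a]

if __name__ == "__main__":
    print("\n".join(scan()))
```

Feeding real traffic means extracting the UDP payload of packets to port 69 from a capture or IDS feed and passing it to inspect_packet().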
The retrieved file "config.tmo" contains all configuration parameters of the
modem in binary format, but no TETRA key material. It contains sensitive
data such as:

- TETRA parameters (SSI, TMCC, TMNC)
- PPP login data (user and password in plain text)
- LAN configuration (IP address, network mask, gateway)
- Port forwarding configuration (global forwarding / ports and IPs)

Excerpts from the configuration file with marked fields:

- Modem LAN IP: c0a800c7 = 192.168.0.199
- Network mask: fffff000 = 255.255.240.0
- Default gateway: c0a80001 = 192.168.0.1

    000000a0: 0000 0000 0000 0000 0000 003f 0000 c0a8  ...........?....
    000000b0: 00c7 ffff f000 c0a8 0001 0050 1273 0045  ...........P.s.E

PPP access data: "TMO" / "TMO", modem ID: "TMO-100"

    000002a0: 0000 0000 0000 0000 0000 0000 544d 4f00  ............TMO.
    000002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000002c0: 544d 4f00 0000 0000 0000 0000 0000 0000  TMO.............
    000002d0: 0000 0000 544d 4f2d 3130 3000 0000 0000  ....TMO-100.....

This access also allows the configuration file to be downloaded, modified,
and uploaded in order to obtain further access. To do this, either the
format must be completely reverse-engineered, or a second modem is required
on which the configuration can be imported and adjusted as needed via the
web interface.

Impact
------

An attacker with LAN access to a TMO-100 modem or to the TETRA data network
can retrieve and manipulate the configuration of all modems connected to the
TETRA data network without needing to know any credentials. By changing the
port forwarding configuration, they can gain access to devices connected
behind other data modems and, by changing the TETRA parameters, take the
modem offline so that a service technician must come on site.

Mitigation for operators
------------------------

The modems should be updated to at least software version 4.20 to limit the
impact.
The TFTP port can be changed to a non-standard value in the web interface to
make detection by attackers more difficult. Where possible, TFTP access
should be prevented by external firewalls.

Timeline
--------

- 2025-02-21 Discovery of the vulnerability
- 2025-02-27 Reported to the manufacturer
- 2025-03-06 Vulnerability confirmed by the manufacturer
- 2025-03-11 Release of software version V4.20 by the manufacturer
- 2025-08-14 Publication of the vulnerability as part of responsible
  disclosure

--
Dr.-Ing. Georg Lukas

rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Mobile:      (+49)179 4176591
Fax:         (+49)221 93724 50
Switchboard: (+49)221 93724 0
Web:         www.rt-solutions.de

rt-solutions.de
experts you can trust.

Registered office: Köln
Registered with Amtsgericht Köln: HRB 52645
Managing directors: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer