MAJOR security vulnerability in HeaterMeter firmware (dnsmasq)

[Bryan Mayland]

I'm sure you've all been waiting anxiously since Monday's security disclosure about dnsmasq's many Critical and Important security vulnerabilities. These are remotely exploitable issues and some allow malicious code execution. While the majority of Internet of Things devices (any smart device with network capabilities) shrug off security, we HeaterMetererers take security seriously and will not stand for having a HeaterMeter turned into a botnet drone like some cheap baby monitor, home thermostat, or smart television.

Note that this vulnerability does require someone to have network access to your HeaterMeter, but all users are strongly encouraged to update their firmware to the v14 Release which includes patches to close this security hole. For more information and a comprehensive list of the security vulnerabilities, visit the RedHat security brief.

HeaterMeter can be updated without re-imaging the SD card by using the webui and navigating to System -> Backup / Flash Firmware and pasting the appropriate URL for your Raspberry Pi model into the "Image URL (.gz)" box:
Raspberry Pi 2 / 3 - https://heatermeter.com/devel/release/bcm2708/14/openwrt-rpi3.gz
Raspberry Pi A / B / Zero - https://heatermeter.com/devel/release/bcm2708/14/openwrt-rpi.gz

Refs: CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704

EDIT: Updated links to point to v14 release, which includes this fix.

 

[Steve_M]

The risk is pretty low as the only 2 things the HM is making DNS requests for is heatermeter.com and ntp.org, drastically limiting the attack surface.

 

[Bryan Mayland]

I agree, the chance is pretty low considering HeaterMeter isn't a router or anything. I was more concerned with folks who have their HeaterMeters on the internet and there might be a reverse lookup that happens somewhere in dropbear or uhttpd or something that could pull the attacker's DNS entry in. That would be a pretty targeted attack and we don't really have that many devices out there which pretty much completely mitigates the vulnerability. That said, I have a strong stance on IoT security and felt this needed to be addressed rather than just letting it remain exploitable for another year until the next release.

 

[JKalchik]

:beer: for Bryan.

Far too few people pay attention to IoT security.

 

[Steve_M]

Agreed. Always good to keep up on things. I just wanted to point out that for the HM, this vulnerability is pretty low on the risk scale.

As it's Thanksgiving weekend here in Canada and being the resident family IT guy, I'll be spending a good chunk of time doing computer / electronics updates on my parents and in-laws devices!

 

[RalphTrimble]

Thanks for your hard work and attention to security Bryan! I just updated without issue on a zero-w and model B.

A note to others... When you copy the link from Bryan's post above, don't just highlight and copy the link, you'll get a bad URL with "......." in it. Right click the link and select "copy link address" to dl the complete URL.

 

[Mike Smith DFW]

thanks for the information bryan. will be updating my unit today since I do have mine port forwarded.

 

[JHalasz]

damnit, my brisket just got hacked!!

 

[JKalchik]

damnit, my brisket just got hacked!!

Personally, I prefer mine sliced, rather than hacked or chopped......

 

[Mark Lowpensky]

Failure - I just tried applying this and failed. The main monitor page comes up, but if I click any of the links along the bottom (Login, Alarms, Archive or Configuration) I get the following error:
/usr/lib/lua/luci/dispatcher.lua:354: Access Violation
The page at 'admin/lm/home/' has no parent node so the access to this location has been denied. (The URI in this line changes depending on the link I click.)
This is a software bug, please report this message at https://github.com/openwrt/luci/issues
stack traceback:
[C]: in function 'assert'
/usr/lib/lua/luci/dispatcher.lua:354: in function 'dispatch'
/usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

Ideas?
Thanks,
-Mark

I was upgrading from 20161230B.
http://heatermeter.com/devices/ shows my device and version 20170916B

 

[Bryan Mayland]

This fix is in the v14 release, so use that instead because it works, unlike the current snapshot.

 

[Mark Lowpensky]

How do I recover, or do I just need to re-image the SD?

 

[Bryan Mayland]

You can try going to http://.../luci/admin/system/flashops and see if the flashing page works, but if not then you'll have to re-image the SD card.

 

[Mark Lowpensky]

That link failed with the same error, so I put a fresh image on another SD card. What is the best way (if there is one) to recover the various configs from the old one (alarms, e-mail, etc). Or do I just start over and keep a backup elsewhere going forward?

NOTE: I DID generate a backup before I had my failure, I would just need to know where to look for the proper files. Is this info on the Wiki?

Thanks,
-Mark
The great news is that my jerky and smoked pork chops tuned out great yesterday, I just had to do it without the web interface, not a huge deal. Thanks Bryan!!!

 

[Bryan Mayland]

If you have a backup you can just restore the backup to restore your config, but the system configuration is in /etc/config/* and the CSS and Alarm scripts are in /usr/share/linkmeter/*

 

[Mark Lowpensky]

OK, I wasn't sure if the backup configs were safe across versions.
Thanks!