漏洞概述 SCHUTZWERK-SA-2025-001: SafeLine SL6 和 SL6+ 的身份验证绕过 SafeLine SL6 和 SL6+ 设备集成在电梯紧急对讲系统中,存在身份验证绕过漏洞。该漏洞允许攻击者通过蓝牙低功耗(BLE)接口绕过身份验证要求,访问设备的配置服务。因此,攻击者可以在无线范围内未经授权地访问设备配置。 影响范围 受影响产品: SafeLine SL6/SL6+ 受影响版本: 在版本 4.82 中引入,在版本 4.97 中修复 供应商: SafeLine 问题类型: CWE-362 主要弱点中的身份验证绕过 CVE ID: CVE-2025-4994 CVSS 4.0 评分: 8.1 修复方案 临时措施: 禁用“自动启用 BLE”设置。这确保 BLE 接口在初始时间窗口后停用,防止通过无线访问配置接口。 解决方案/缓解措施: 固件版本 4.97 中提供了补丁,应立即应用。此版本完全移除了 BLE 中的 PIN 身份验证功能。通过蓝牙访问配置接口仅在重启后的短暂时间窗口内可能,类似于禁用“自动启用 BLE”时的当前行为。如果无法对已部署的设备进行补丁,则应应用上述临时措施。 时间线 2025-03-28: 发现漏洞 2025-04-14: 与供应商首次联系 2025-04-16: 向供应商技术支持报告漏洞 2025-05-08: 取消后续会议 2025-05-16: 与供应商 CTO 首次联系 2025-05-28: 向供应商 CTO 展示漏洞 2025-06-16: 供应商通知 SCHUTZWERK 补丁正在测试 2025-07-03: 后续会议被 SCHUTZWERK 取消 2025-07-31: 后续会议被 SCHUTZWERK 请求 2025-08-21: 供应商通知 SCHUTZWERK 补丁已推迟 2025-08-20: 供应商通知 SCHUTZWERK 补丁正在测试 2025-12-19: 供应商通知 SCHUTZWERK 补丁已发布 2025-12-19: 披露延迟 180 天,以允许在计划维护窗口期间修补受影响设备 2026-06-19: SCHUTZWERK 发布公告 信用 漏洞由 Jan Hüber 发现,来自 SCHUTZWERK GmbH。 代码块 ```plaintext -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Authentication Bypass for SafeLine SL6 and SL6+ The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration. Metadata -------- Affected product: SafeLine SL6/SL6+ Affected version: Introduced in version 4.82, patched in version 4.97 Vendor: SafeLine Problem type(s): CWE-362 Authentication bypass by primary weakness CVE ID: CVE-2025-4994 CVE URL: https://www.cve.org/CVERecord?id=CVE-2025-4994 CVSS 4.0 score: 8.1 Advisory URL: https://www.schutzwerk.com/blog/schutzwerk-sa-2025-001/ Details ------- The SafeLine SL6 and SL6+ act as communication gateway devices that use 4G VoLTE to facilitate emergency calls for elevators. The device supports configuration via its Bluetooth Low Energy (BLE) interface, typically managed using the SafeLine LVNX mobile application for configuring settings such as the phone numbers to be dialed when the elevator emergency button is pressed. The device operates in two modes regarding the BLE interface, depending on the "Auto Enable BLE" configuration setting: Auto Enable BLE enabled: When active, the BLE interface remains enabled and is secured by a configurable PIN. Auto Enable BLE disabled: After a device reboot, the BLE interface is available only for a short window without authentication. Afterwards, BLE is disabled and can only be enabled via a reboot. By default, "Auto Enable BLE" is enabled. The vulnerability lies in the implementation of the authentication functionality, which allows an attacker to successfully bypass PIN protection and access the configuration interface wirelessly without knowledge of the configured PIN code. The discovered vulnerability requires only a small number of requests to the target device and is fully reproducible. Risk ---- This vulnerability poses a severe risk to the operational integrity of the SafeLine SL6 and SL6+. By accessing the configuration interface, an attacker can manipulate critical device settings, specifically emergency contact phone numbers. In the context of elevator emergency intercom systems, this potentially allows attackers to hijack communication channels, preventing emergency services or building management from being notified during an incident. Workaround ---------- The "Auto Enable BLE" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface. Solution/Mitigation ------------------- A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling "Auto Enable BLE". If patching is not possible for currently deployed devices, the workaround described above should be applied. Timeline -------- 2025-03-28 Vulnerability discovered 2025-04-14 Initial contact with vendor 2025-04-16 Vulnerability reported to technical support of vendor 2025-05-08 Follow-up meeting was cancelled by vendor 2025-05-16 Initial contact with CTO of vendor 2025-05-28 Vulnerability presented to CTO of vendor 2025-06-16 Vendor informed SCHUTZWERK that the patch is currently tested 2025-07-03 Follow-up meeting was cancelled by vendor 2025-07-31 Follow-up meeting was requested by SCHUTZWERK 2025-08-21 Vendor informed SCHUTZWERK that the patch was postponed 2025-08-20 Vendor informed SCHUTZWERK that the patch is currently tested 2025-12-19 Vendor informed SCHUTZWERK that the patch was released 2025-12-19 Disclosure delayed for 180 days t