{"id":18484,"date":"2022-06-14T15:56:33","date_gmt":"2022-06-14T13:56:33","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2021-0010\/"},"modified":"2022-06-23T09:45:22","modified_gmt":"2022-06-23T07:45:22","slug":"usd-2021-0010","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0010\/","title":{"rendered":"usd-2021-0010"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.17.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0010 | Vodafone Station<\/h1>\n

Advisory ID<\/strong>: usd-2021-0010
Product<\/strong>: Vodafone Station
Affected Version<\/strong>: Firmware version: 01.02.068.11.EURO.SIP
Vulnerability Type<\/strong>: Improper Access Control
Security Risk<\/strong>: Medium (CVSS:3.0\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N)
Vendor URL<\/strong>: https:\/\/www.vodafone.de\/
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed<\/p>\n

Description<\/h3>\n

The Vodafone Station<\/em> is a home Internet router distributed by Vodafone GmbH and manufactured by ARRIS Group, Inc. A broken access control vulnerability in the management web interface of the Vodafone Station<\/em> allowed an attacker with access to the router's network to disable the Transport Layer Security (TLS) encryption used for communication between the router's web interface and a web browser without authentication. As a consequence, the management interface could not be reached using an encrypted connection anymore, forcing a legitimate user to use the unencrypted protocol. This means that data, such as user credentials, must be transferred without encryption and therefore can be intercepted within the network.<\/p>\n

Proof of Concept<\/h3>\n

The request for disabling TLS-encrypted communication can be triggered using a simple curl<\/strong> command. To disable the TLS encryption for the router's web interface, the value HttpsEnable<\/strong> needs to be set to false<\/strong>. The request will be answered using the string \"PASS\". For a router having the IP address 192.168.0.1 the requests looks as follows:<\/p>\n

\n
<\/span>$ <\/span>curl 'http:\/\/192.168.0.1\/php\/ajaxSet_settings_device_data.php?_n=12354'<\/span> --data-raw '{\"LedEnable\":\"false\",\"HttpsEnable\":\"false\",\"Action_Select\":\"storeDeviceData\"}'<\/span>
\"PASS\"<\/span><\/pre>\n<\/div>\n
<\/h3>\n
Fix<\/h3>\n
It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. This is already implemented for most parts of the application and was adjusted for this functionality as well.<\/p>\n
Timeline<\/h3>\n