{"id":23733,"date":"2025-02-26T13:58:42","date_gmt":"2025-02-26T12:58:42","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2024-0014\/"},"modified":"2025-03-06T11:51:14","modified_gmt":"2025-03-06T10:51:14","slug":"usd-2024-0014","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0014\/","title":{"rendered":"usd-2024-0014"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2024-14 | Cubro EXA48200<\/h1>\n

<\/h1>\n

Product<\/strong>: Cubro EXA48200 Web GUI
Affected Version<\/strong>: Build 20231025055018
Vulnerability Type<\/strong>: Broken Access Control
Security Risk<\/strong>: Critical
Vendor<\/strong>: Cubro Network Visibility
Vendor URL<\/strong>: https:\/\/www.cubro.com<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed in Firmware Version V5.0R14.5P4-V3.3R1
CVE number<\/strong>: CVE-2024-55570
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2024-55570<\/a>
Advisory ID<\/strong>: usd-2024-14<\/p>\n

Description<\/h3>\n

A broken access control vulnerability in the web GUI for the Cubro EXA48200<\/em> network packet broker (build no. 20231025055018) allows remote authenticated users of the application to increase their privileges to administrator<\/em> by sending a single HTTP PUT request.<\/p>\n

Proof of Concept<\/h3>\n

As seen in the following screenshot, the user pentester_usd<\/strong> has low privileges. No administrative functionality can be accessed in the sidebar.<\/p>\n

\"\"<\/p>\n

By sending an HTTP PUT request to the regular API endpoint used for e.g. password change, the user can set the attribute rolename<\/strong> within the JSON in the request body to Administrator<\/strong>:<\/p>\n

\n
<\/span>PUT<\/span> \/api\/user\/users<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> 10.30.41.100
<\/span>Cookie<\/span>:<\/span> str=\"2|1:0|10:1726492201|3:str|44:ODJkNjU3MDdkMWZmNmEwNGYxNWZhMTQxZDA0ZmIzOTY=|c975395bdca560bb788ba7ecdbbe70ec379bd8a3d7cb32f1f3cf23ee744812c9\"
<\/span>[...]
<\/span>{  \"pentester_usd\":{    \"auth_mode\":\"local\",    \"password\":\"<REDACTED>\",    \"rolename\":\"Administrator\"  }}<\/pre>\n<\/div>\n
As the following screenshot shows, the user now has full administrative capabilities. This includes the ability to modify the passwords of all other user accounts, enabling a full compromise of the web application.<\/p>\n
\"\"<\/p>\n
Fix<\/h3>\n
It is recommended to check user privileges server-side for every request that modifies data. It is not sufficient to simply not display sensitive functionality (such as a role change) within the GUI.<\/p>\n
References<\/h3>\n