Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.0.0 Revision 7304
1.0.0 Revision 7284
1.0.0 Revision 6505
1.0.0 Revision 6332
1.0.0 Revision 6258
XS2DAB v1.50 rev 6267
Summary: Cleber offers a powerful, flexible and modular hardware and
software platform for broadcasting and contribution networks where
customers can install up to six boards with no limitations in terms
of position or number. Based on a Linux embedded OS, it detects the
presence of the boards and shows the related control interface to the
user, either through web GUI and Touchscreen TFT display. Power supply
can be single (AC and/or DC) or dual (hot swappable for redundancy);
customer may chose between two ranges for DC sources, that is 22-65
or 10-36 Vdc for site or DSNG applications.
Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.
--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
53: function(data){
54: //$.alert({title:'Operation',text:data});
55: show_message(data);
56: }).fail(function(error){
57: show_message('Error ' + error.status, 'error');
58: });
59: }
--------------------------------------------------------------------------
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5816
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php
18.08.2023
--
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 — Authentication Bypass (Overview)
This article analyzes a critical authentication-bypass vulnerability discovered in the Elber Cleber/3 Broadcast Multi‑Purpose Platform (firmware series 1.0.0). The flaw allows an unauthenticated user to manipulate a password-management endpoint and overwrite account passwords, granting unauthorized administrative access to the device. The content below explains the vulnerability, impact, detection, and defensive remediation guidance for operators and developers.
Key facts
- Vendor: Elber S.r.l. (https://www.elber.it)
- Affected product: Cleber/3 Broadcast Multi‑Purpose Platform (embedded Linux)
- Affected versions: 1.0.0 revisions 6258, 6332, 6505, 7284, 7304 and XS2DAB v1.50 rev 6267
- Vulnerability class: Authentication bypass / Insecure direct object/function access
- Discovery: Reported by Gjoko 'LiquidWorm' Krstic (ZSL-2024-5816)
- Primary risk: Full account takeover / administrative control of the device
Vulnerability description
The web interface includes a password-management endpoint that enables changing internal user passwords. The implementation exposes an unauthenticated handler (for example, a path such as /json_data/set_pwd) which accepts a privilege level parameter and a new password. Because requests to this endpoint are not gated by authentication or proper access control checks, remote attackers can overwrite passwords for built-in accounts, including administrative levels, by calling the endpoint with an arbitrary password value.
Why it matters
- Resetting or overwriting the administrator password grants persistent, privileged access to the device.
- Attackers can modify configurations, extract sensitive data, disrupt broadcast functions, or pivot into internal networks.
- Embedded devices are often exposed in operational networks and may not be regularly patched, increasing exposure time.
Technical analysis (safe, high-level)
A simplified view of the vulnerable client-side invocation shows the UI calling a backend path that changes passwords. The missing server-side guard is the core issue: the endpoint performs the sensitive action without validating the requestor's identity, session, or privileges.
Example: conceptual endpoint parameters
| Parameter | Meaning |
|---|---|
| lev | Password level to change (e.g., user, admin, superuser, SNMP communities) |
| pass | New password to set |
Knowing these parameters is useful for defenders because it shows what the endpoint modifies; however, testing should only be performed on systems for which you have explicit authorization.
Proof-of-concept (sanitized and defensive)
For responsible testing, use controlled lab devices or an approved test environment. A defensive test can be a carefully limited request that verifies whether the endpoint is reachable, without changing passwords on production devices. The example below is a generic, non-destructive HTTP GET illustrating the type of request shape an attacker could use — do NOT use it against devices you do not own or manage.
GET /json_data/set_pwd?lev={level}&pass={new_password} HTTP/1.1
Host: device.example.local
User-Agent: defensive-test
Explanation: This is a sanitized example of the request format. The real vulnerability was that the server honored such a request and updated passwords without requiring authentication. To avoid misuse, do not substitute actual credentials or target production devices without authorization.
Impact and risks
- Complete administrative takeover of the device (configuration, remote shell, firmware changes).
- Persistence: attacker-chosen password allows re-entry unless detection/remediation occurs.
- Operational disruption of broadcast functions, possible safety and business impacts for live services.
- Potential lateral movement inside a protected network if device has internal network access.
Detection and monitoring
Operators should detect exploitation attempts and signs of compromise by monitoring web server access logs and authentication events. Useful detection strategies include:
- Alert on requests to sensitive endpoints such as /json_data/set_pwd coming from untrusted or external addresses.
- Monitor for password-change events outside regular maintenance windows.
- Correlation: sudden account login failures followed by successful login with previously unknown credentials.
- Network IDS: flag HTTP GET or POST requests that contain parameter names like "set_pwd", "lev", or "pass".
Example IDS signature (conceptual)
# Conceptual IDS rule to detect suspicious requests to password-change endpoint
# Note: adapt to your IDS syntax and test in a lab before deploying.
alert tcp any any -> any 80 (msg:"Possible Cleber set_pwd access"; flow:to_server,established;
http.uri; content:"/json_data/set_pwd"; nocase; http_client_body;
content:"lev="; http_client_body; content:"pass="; http_client_body; sid:1000001; rev:1;)
Explanation: This conceptual rule triggers on HTTP traffic where the request URI contains the password-change endpoint and both expected parameters. Use it only as a starting point — tune to avoid false positives and adapt for HTTPS inspection if necessary.
Mitigation and remediation (operator guidance)
Immediate steps for operators running affected devices:
- Isolate affected devices from untrusted networks (apply ACLs/firewall rules restricting access to management ports).
- Apply vendor-supplied firmware updates or patches if available. Contact Elber support for patched revisions and official guidance.
- Change passwords and rotate any credentials that may have been exposed. If administrative accounts may have been compromised, perform a full integrity check and re-image if necessary.
- Enable network-level protections: restrict access via VPN, management VLANs, or IP whitelisting to only trusted administrators.
- Monitor logs for suspicious use of the password-change endpoint, and block or rate-limit requests to that endpoint until remediation.
Short-term hardening checklist
- Disable remote web management if not required.
- Use strong, unique passwords and multifactor authentication where supported.
- Ensure device management is reachable only from a secure administrative network.
- Collect configuration and firmware images to aid recovery in case of compromise.
Developer remediation: secure design patterns
To eliminate this class of vulnerability, developers should ensure all sensitive server-side actions are protected by strong authentication and authorization checks. Below are defensive coding examples and recommendations.
Server-side authorization pseudocode
// Pseudocode: protect password-change endpoint with authentication, authorization, CSRF check and input validation
function handle_set_pwd_request(request):
// 1. Authenticate user/session
session = get_session_from_request(request)
if not session or not session.is_authenticated():
return http_response(401, "Authentication required")
// 2. Check user privileges (only allow users with proper role)
if not session.user.has_role("admin"):
return http_response(403, "Forbidden")
// 3. CSRF protection for web interfaces
if request.method == "POST":
if not valid_csrf_token(request):
return http_response(403, "Invalid CSRF token")
// 4. Validate input
level = parse_int(request.params.get("lev"))
new_pass = request.params.get("pass")
if level not in ALLOWED_LEVELS or not is_valid_password(new_pass):
return http_response(400, "Invalid parameters")
// 5. Audit/log the change
audit_log("password_change", actor=session.user.id, level=level, ip=request.remote_addr)
// 6. Apply password change using secure APIs
success = change_password_for_level(level, new_pass)
if success:
return http_response(200, "OK")
else:
return http_response(500, "Failed")
Explanation: This pseudocode demonstrates required defensive checks: session authentication, role-based authorization, CSRF validation for web-originated requests, strict input validation, and audit logging. All password updates must go through authenticated and authorized server-side logic — client-side scripts must never be the sole control.
Additional developer recommendations
- Require TLS for all management interfaces; never expose plaintext HTTP for device administration.
- Avoid using HTTP GET for state-changing operations — use POST/PUT with CSRF tokens instead.
- Implement robust logging and tamper-evident logging mechanisms for sensitive operations.
- Introduce rate limits and anomaly detection for management endpoints.
- Perform threat modeling and regular security testing (SAST/DAST/fuzzing) on management interfaces.
Disclosure and responsible testing
Security researchers should follow responsible disclosure practices: report vulnerabilities to the vendor, allow time for remediation, and coordinate public release. Operators and service providers should only perform tests on systems they own or when they have explicit authorization. Unauthorized attempts to exploit this vulnerability are illegal and unethical.
References and resources
- Original advisory (discovery): ZSL-2024-5816 — https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php
- Vendor: Elber S.r.l. — https://www.elber.it
- Secure web application guidelines: OWASP Top 10 and OWASP ASVS (for authentication/authorization controls)
Summary
The Cleber/3 platform vulnerability demonstrates the risk of exposing sensitive management functions without server‑side authentication and authorization. Operators must prioritize patching, network isolation, and credential rotation. Developers should implement strict server-side checks, require TLS and CSRF protection, and treat management endpoints as highly sensitive. Proper detection and logging help identify exploitation attempts early and limit impact.