The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to
Cross-Site Request Forgery (CSRF) attacks due to
a lack of countermeasures and the use of the HTTP method GET to introduce
changes in the system.
- Identifier : SBA-ADV-20240321-01
- Type of Vulnerability : Cross-Site Request Forgery (CSRF)
- Software/Product Name : IP150 Internet Module
- Vendor : Paradox Security Systems (Bahamas) Ltd.
- Affected Versions : 1.40.00 (possibly others too)
- Fixed in Version : Not yet
- CVE ID : CVE-2024-5676
- CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
- CVSS Base Score : 6.8 (Medium)
IP150 Internet Module Supports SWAN Server
Features
- Controls and monitors a control panel through an IP network (LAN / WAN / Internet)
- Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software
- Two I/Os on board; controlled via the web interface, triggering an email
- Sends notification and alarm system events via email
- Arm / Disarm individual partitions via Insite GOLD app
- Connects to Swan for easy installation (no port forwarding)
- Enables Insite GOLD, or BabyWare to access your system through the Internet
- Push notification to Insite GOLD app
- HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)
- Very low bandwidth consumption
- Easy installation; built-in clip for mounting in a metal box
- Supported language: English
- Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075
Source: https://www.paradox.com/Products/default.asp?PID=404
An attacker can coerce an administrator into clicking a link, which issues a HTTP request that changes the state of the system. Depending on the configuration, meaning which downstream component is controlled by the affected component, the impact will be different. As an example the IP150 Internet Module might control an alarm unit. Thus an attacker can deactivate the alarm by performing a CSRF attack.
The server cannot verify whether a request was sent intentionally. This makes it possible for an attacker to trick a client into making unintentional requests to the web server which will be treated as an authentic request. In combination with a social engineering attack, this allows an attacker to perform server-side actions as the victim.
In addition, the functionality of activation and deactivation of the alarm
systems, is accessed via a HTTP GET request.
Changing the state of the server with GET is discouraged in the HTTP
standard, since it is defined to be a safe method [1].
This makes the exploitation of the vulnerability easier, as an attacker
can craft an URL.
If the victim opens this URL, the CSRF attack is carried out and an action
is performed.
For example, the following HTTP request disables the alarm in area 00:
GET /statuslive.html?area=00&value=d HTTP/1.1
Host: 192.0.2.1It is vulnerable to CSRF, since it does not apply any CSRF countermeasures. Therefore, it is possible to craft an URL that performs this action:
http://192.0.2.1/statuslive.html?area=00&value=d
We are not aware of a vendor fix yet. Please contact the vendor.
A generally valid solution against CSRF, which however requires a server-side state, is the implementation of an unpredictable token that is unique for each session. The OWASP project gives further recommendations [2] [3].
2024-02-09Identified the vulnerability in version 1.40.002024-02-12First contact to the system owner to acquire more information about the system configuration and version2024-03-08System owner provided all details on the affected system2024-03-21First attempt to contact vendor via support email2024-04-03Second attempt to contact vendor via web form and support email2024-06-19No reaction from vendor to all previous contact attempts2024-06-19SBA Research assigned CVE-2024-56762024-06-19Public disclosure
- RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1
- OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html
- Jakob Pachmann (SBA Research)
- Fabian Funder (SBA Research)