
Paradox IP150 Internet Module Cross-Site Request Forgery

Vulnerability Overview

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method GET to introduce changes in the system.

  • Identifier : SBA-ADV-20240321-01
  • Type of Vulnerability : Cross-Site Request Forgery (CSRF)
  • Software/Product Name : IP150 Internet Module
  • Vendor : Paradox Security Systems (Bahamas) Ltd.
  • Affected Versions : 1.40.00 (possibly others too)
  • Fixed in Version : Not yet
  • CVE ID : CVE-2024-5676
  • CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
  • CVSS Base Score : 6.8 (Medium)

Vendor Description

IP150 Internet Module Supports SWAN Server

Features

  • Controls and monitors a control panel through an IP network (LAN / WAN / Internet)
  • Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software
  • Two I/Os on board; controlled via the web interface, triggering an email
  • Sends notification and alarm system events via email
  • Arm / Disarm individual partitions via Insite GOLD app
  • Connects to Swan for easy installation (no port forwarding)
  • Enables Insite GOLD, or BabyWare to access your system through the Internet
  • Push notification to Insite GOLD app
  • HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)
  • Very low bandwidth consumption
  • Easy installation; built-in clip for mounting in a metal box
  • Supported language: English
  • Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075

Source: https://www.paradox.com/Products/default.asp?PID=404

Impact

An attacker can coerce an administrator into clicking a link, which issues an HTTP request that changes the state of the system. The impact depends on the configuration, that is, on which downstream component the affected module controls. For example, the IP150 Internet Module may control an alarm unit, in which case an attacker can deactivate the alarm by performing a CSRF attack.

Vulnerability Description

The server cannot verify whether a request was sent intentionally. This makes it possible for an attacker to trick a client into making unintentional requests to the web server which will be treated as an authentic request. In combination with a social engineering attack, this allows an attacker to perform server-side actions as the victim.

In addition, the functionality for activating and deactivating the alarm system is accessed via an HTTP GET request. Changing server state with GET is discouraged by the HTTP standard, which defines GET as a safe method [1]. This makes exploitation easier, as an attacker only needs to craft a URL; if the victim opens it, the CSRF attack is carried out and the action is performed.

Proof of Concept

For example, the following HTTP request disables the alarm in area 00:

GET /statuslive.html?area=00&value=d HTTP/1.1
Host: 192.0.2.1

The endpoint is vulnerable to CSRF, since it does not apply any CSRF countermeasures. Therefore, it is possible to craft a URL that performs this action:

http://192.0.2.1/statuslive.html?area=00&value=d

Recommended Countermeasures

We are not aware of a vendor fix yet. Please contact the vendor.

A generally valid solution against CSRF, which however requires a server-side state, is the implementation of an unpredictable token that is unique for each session. The OWASP project gives further recommendations [2] [3].
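The following is an added illustration, not code from the advisory or from the vendor's firmware: it contrasts the request pattern described above (state change on GET, no proof of intent) with a synchronizer-token handler that only accepts POST and checks a per-session token. The handler names, the in-memory session and alarm-state stores, and the `csrf_token` form field are assumptions; only `area=00` and `value=d` come from the advisory.

```python
import hmac
import secrets

# Constructed in-memory stores (hypothetical; the IP150 firmware is not on the page).
SESSIONS = {}     # session_id -> {"csrf_token": per-session unpredictable token}
ALARM_STATE = {}  # area -> last value written (e.g. "d", as in the advisory's request)

def new_session():
    """Create a logged-in session and mint an unpredictable token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the server embeds in its own forms; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf_token"]

def statuslive_vulnerable(method, params, sid):
    """Pattern the advisory describes: a GET with query params changes state,
    and nothing distinguishes a forged request from an intended one."""
    if sid not in SESSIONS:
        return 401
    if method == "GET" and "area" in params and "value" in params:
        ALARM_STATE[params["area"]] = params["value"]
        return 200
    return 400

def statuslive_hardened(method, params, body, sid):
    """Synchronizer-token variant: POST only, and the submitted token must equal
    the token stored for this session (server-side state, as the text notes)."""
    if sid not in SESSIONS:
        return 401
    if method != "POST":  # GET is a safe method (RFC 7231 section 4.2.1)
        return 405
    submitted = body.get("csrf_token", "").encode()
    expected = SESSIONS[sid]["csrf_token"].encode()
    if not hmac.compare_digest(submitted, expected):  # constant-time compare
        return 403
    if "area" not in body or "value" not in body:
        return 400
    ALARM_STATE[body["area"]] = body["value"]
    return 200
```

The hardened handler still needs the token to reach the browser through a page the server itself renders, so that a third-party site, which cannot read that page, cannot supply it.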

Timeline

  • 2024-02-09 Identified the vulnerability in version 1.40.00
  • 2024-02-12 First contact to the system owner to acquire more information about the system configuration and version
  • 2024-03-08 System owner provided all details on the affected system
  • 2024-03-21 First attempt to contact vendor via support email
  • 2024-04-03 Second attempt to contact vendor via web form and support email
  • 2024-06-19 No reaction from vendor to all previous contact attempts
  • 2024-06-19 SBA Research assigned CVE-2024-5676
  • 2024-06-19 Public disclosure

References

  1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1
  2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html

Credits