← Advisories

KYOCERA Net Admin 3.4 CSRF Add Admin Exploit

Medium

Advisory ID

ZSL-2018-5458

Release Date

07 April 2018

Vendor

KYOCERA Corporation - https://global.kyocera.com

Affected Version

3.4.0906

CVE

CVE-2019-25254

Tested On

Microsoft Windows 7 Professional SP1 (EN), Apache Tomcat/8.5.15

Summary

KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be accomplished in a single, fast and modern environment.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept

kyocera_csrf.htmlTXT

Disclosure Timeline

28.03.2018Vulnerability discovered.

28.03.2018Vendor contacted.

06.04.2018No response from the vendor.

07.04.2018Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://exchange.xforce.ibmcloud.com/vulnerabilities/141384

[2]https://cxsecurity.com/issue/WLB-2018040068

[3]https://packetstormsecurity.com/files/147098

[4]https://www.exploit-db.com/exploits/44431/

[5]https://www.cve.org/CVERecord?id=CVE-2019-25254

Changelog

07.04.2018Initial release

16.04.2018Added reference [1], [2], [3] and [4]

23.03.2026Added reference [5]