← Advisories

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)

Medium

Advisory ID

ZSL-2022-5702

Release Date

14 April 2022

Vendor

Delta Controls Inc. - https://www.deltacontrols.com

Affected Version

3.40.3935, 3.40.3706, 3.33.4005

CVE

CVE-2022-29735

Tested On

DELTA enteliTOUCH

Summary

enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept

entelitouch_csrf.htmlTXT

Disclosure Timeline

06.04.2022Vulnerability discovered.

06.04.2022Vendor contacted.

13.04.2022No response from the vendor.

14.04.2022Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/50878

[2]https://packetstormsecurity.com/files/166727/

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/224337

[4]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29735

[5]https://nvd.nist.gov/vuln/detail/CVE-2022-29735

Changelog

14.04.2022Initial release

20.04.2022Added reference [1], [2] and [3]

29.05.2022Added reference [4] and [5]