← Advisories

Screen SFT DAB 600/C Unauthenticated Information Disclosure (userManager.cgx)

Medium

Advisory ID

ZSL-2023-5776

Release Date

13 May 2023

Vendor

DB Elettronica Telecomunicazioni SpA - https://www.screen.it, https://www.dbbroadcast.com

Affected Version

Firmware: 1.9.3, Bios firmware: 7.1 (Apr 19 2021), Gui: 2.46, FPGA: 169.55, uc: 6.15

CVE

CVE-2023-7328

Tested On

Keil-EWEB/2.1, MontaVista® Linux® Carrier Grade eXpress (CGX)

Summary

Screen's new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.

Description

Screen is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information including usernames and source IP addresses.

Proof of Concept

screen_info.pyTXT

Disclosure Timeline

19.03.2023Vulnerability discovered.

20.03.2023Vendor contacted.

12.05.2023No response from the vendor.

13.05.2023Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/51460

[2]https://packetstormsecurity.com/files/172332/

[3]https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure

[4]https://www.cve.org/CVERecord?id=CVE-2023-7328

Changelog

13.05.2023Initial release

12.10.2023Added reference [1] and [2]

27.11.2025Added reference [3] and [4]