← Advisories

Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config

Critical

Advisory ID

ZSL-2024-5817

Release Date

17 April 2024

Vendor

Elber S.r.l. - https://www.elber.it

Affected Version

1.0.0 Revision 7304, 1.0.0 Revision 7284, 1.0.0 Revision 6505, 1.0.0 Revision 6332, 1.0.0 Revision 6258, XS2DAB v1.50 rev 6267

CVE

N/A

Tested On

NBFM Controller, embOS/IP

Summary

Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customer may chose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications.

Description

The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.

Proof of Concept

elber_cleber_idor.txtTXT

Disclosure Timeline

18.08.2023Vulnerability discovered.

20.08.2023Vendor contacted.

29.09.2023No response from the vendor.

09.12.2023Vendor contacted.

02.02.2024No response from the vendor.

16.03.2024Vendor contacted.

16.04.2024No response from the vendor.

17.04.2024Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/178137/

[2]https://www.exploit-db.com/exploits/52005

Changelog

17.04.2024Initial release

22.05.2024Added reference [1] and [2]