DB Elettronica Telecomunicazioni SFT DAB 600/C
cpe:2.3:h:dbbroadcast:sft_dab_600/c:*:*:*:*:*:*:*
- 1.9.3
This vulnerability is being actively exploited in the wild.
A session management vulnerability has been identified in the DB Elettronica SFT DAB 600/C transmitter running firmware version 1.9.3. The device binds session IDs to client IP addresses, so an attacker who obtains the IP address previously assigned to a victim with an active session is treated as that victim and can send unauthenticated requests to the userManager API to delete user accounts.
Exploitation of this vulnerability leads to unauthorized account deletions via the userManager API, bypassing authentication controls.
To reproduce this vulnerability, wait for a session to be established with the target transmitter's userManager API. Once the session is active, send a request to the API to remove a user account from the IP address that was previously assigned to the victim user. Because the session is bound to the IP address rather than to a secret held by the client, the transmitter accepts the request without further authentication.
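As an added illustration of the flaw class described above (a constructed model, not the transmitter's firmware or its userManager API; the SessionStore and UserManager classes and the addresses are hypothetical), the following contrasts a delete endpoint that infers identity from the source address of an active session with one that requires the session's secret token:

```python
import secrets


class SessionStore:
    """Constructed session table: one map keyed by source IP (the flawed
    design) and one keyed by a random token only the logged-in client holds."""

    def __init__(self):
        self.by_ip = {}
        self.by_token = {}

    def login(self, username, src_ip):
        token = secrets.token_urlsafe(32)
        self.by_ip[src_ip] = username
        self.by_token[token] = username
        return token


class UserManager:
    """Hypothetical stand-in for a user-management API with a delete operation."""

    def __init__(self, store, users):
        self.store = store
        self.users = set(users)

    def delete_user_ip_bound(self, src_ip, target):
        # Flawed: any request arriving from an address that has an active
        # session is accepted as that session's user.
        if src_ip not in self.store.by_ip:
            return False
        self.users.discard(target)
        return True

    def delete_user_token_bound(self, token, target):
        # Hardened: the caller must present the session secret; the source
        # address on its own proves nothing about who is sending.
        if token not in self.store.by_token:
            return False
        self.users.discard(target)
        return True


def demo():
    store = SessionStore()
    weak = UserManager(store, ["operator", "engineer"])
    hard = UserManager(store, ["operator", "engineer"])
    victim_ip = "10.0.0.5"  # constructed address
    store.login("operator", victim_ip)  # token stays with the victim's client
    # A second client later sends from the same address without the token.
    weak_ok = weak.delete_user_ip_bound(victim_ip, "engineer")
    hard_ok = hard.delete_user_token_bound(None, "engineer")
    return weak_ok, sorted(weak.users), hard_ok, sorted(hard.users)
```

The IP-bound endpoint deletes the account for the second client, while the token-bound endpoint rejects the same request.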