NovaCHRON Smart Time Plus Incorrect Access Control Vulnerability Allowing Service Restart
Vulnerability
A vulnerability exists in NovaCHRON Smart Time Plus versions 8.x prior to 8.6, specifically in the web component accessed through the '/iclock/Settings?restartNCS=1' endpoint. This vulnerability allows attackers to bypass access controls and arbitrarily restart the NCServiceManager on the host via a crafted GET request. The NCServiceManager runs as a Windows service under the SYSTEM account, and while the service restart itself does not have a significant impact, it can be exploited to cause a denial-of-service condition by repeatedly restarting the service, causing the web application to become unavailable.
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition, causing the web application to become unavailable. Additionally, because the NCServiceManager runs as a SYSTEM service, this vulnerability can be chained with other vulnerabilities in the application to achieve unauthenticated remote code execution as the SYSTEM user.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/iclock/Settings' endpoint with the 'restartNCS' parameter set to '1'. This can be done manually or automated with a fuzzing tool to repeatedly send the request, which will cause the Tomcat service to fail and the web application to become unavailable.
Remediation
Users should update to NovaCHRON Smart Time Plus version 8.6 or later, ensuring that the latest 8.6 installation package is used. The version 8.6.1.01 Build 1017 is confirmed to contain the necessary fixes.
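As an added detection example (not part of the advisory or the vendor's code), the following script scans web server access logs for requests to the restart endpoint described above and flags sources that trigger it repeatedly, which is the denial-of-service pattern the advisory describes. It assumes Tomcat's "common" access log format; the log lines are constructed samples, and the window and threshold values are arbitrary tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Tomcat "common" access log layout (assumed): ip ident user [ts] "METHOD url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines: one source hits the restart endpoint three times in 11 seconds,
# another hits it once, and a third requests an unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /iclock/Settings?restartNCS=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /iclock/Settings?restartNCS=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:47 +0000] "GET /iclock/Settings?restartNCS=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /iclock/Settings?restartNCS=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /iclock/cdata?SN=ABC123 HTTP/1.1" 200 44',
]


def is_restart_request(url):
    """True if the URL targets /iclock/Settings with restartNCS=1 (the endpoint from the advisory).
    The path comparison is case-insensitive on purpose so variants are not missed."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != "/iclock/settings":
        return False
    return "1" in parse_qs(parts.query).get("restartNCS", [])


def find_restart_abuse(log_lines, window_seconds=60, threshold=3):
    """Return {source_ip: total_hits} for every source that requested the restart
    endpoint at least `threshold` times within any `window_seconds` window."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_restart_request(m.group("url")):
            continue
        hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            # count hits in the window [start, start + window_seconds]
            j = i
            while j < len(times) and times[j] - start <= timedelta(seconds=window_seconds):
                j += 1
            if j - i >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_restart_abuse(SAMPLE_LOG))  # {'10.0.0.5': 3}
```

Lowering `threshold` to 1 reports every source that touched the endpoint at all, which is useful on a host where only administrators should ever restart the service.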