MBS Universal BACnet Router UBR Web Interface Arbitrary File Read Vulnerability
Vulnerability
An arbitrary file read vulnerability has been identified in the web interface of the MBS Universal BACnet Router (UBR), in an undocumented API endpoint, wwwubr.cgi, that the web interface itself does not use. Its ubr-editfile method, apparently left over from an older firmware version, lets a low-privileged, authenticated remote attacker read any file on the device. Files within reach include the SSH service password, the web interface credentials, and the private keys used by the HTTPS and BACnet/SC services.
Impact
Exploitation allows an authenticated, low-privileged user to read any file on the device, exposing password hashes, private keys and web interface credentials. With those, an attacker can move on to the SSH service, impersonate the device's HTTPS or BACnet/SC identity, or log in to the web interface with a higher-privileged account.
Remediation
MBS GmbH has released firmware V6.0.1.0 for the UBR routers, which fixes the vulnerability; see the release notes on the MBS Solutions website for details. Because the readable files include credentials and private keys, updating alone does not undo a compromise that has already happened: after patching, rotate the SSH and web interface passwords and reissue the HTTPS and BACnet/SC keys on any device that ran a vulnerable version while reachable by untrusted users.
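The two checks a defender would run against this advisory are a sweep of web-server access logs for requests that hit the wwwubr.cgi endpoint and invoke the ubr-editfile method (covering the vulnerability description above) and a test of whether a reported firmware version is at or above the fixed release V6.0.1.0 (covering the remediation). The script below is an added example, not code from the advisory or from MBS; the only facts it takes from the page are the endpoint name, the method name and the fixed version string. The combined log format, the query-parameter layout (`op=...`), the sample log lines and the four-component version scheme are all assumptions made for the example.

```python
"""Triage helpers for the MBS UBR wwwubr.cgi arbitrary file read.

Facts from the advisory: endpoint wwwubr.cgi, method ubr-editfile,
fixed firmware V6.0.1.0. Everything else here (log format, parameter
names, sample lines) is assumed for illustration.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (6, 0, 1, 0)   # V6.0.1.0 per the advisory

# Apache/nginx "combined" access-log layout is assumed; a real UBR log
# may differ, in which case only LOG_RE needs adjusting.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_suspicious(request_target: str) -> bool:
    """True when the request target names both wwwubr.cgi and ubr-editfile.

    The target is percent-decoded twice (to defeat double encoding) and
    lower-cased before matching, so %2D for '-' or %66 for 'f' does not
    slip past the check. Matching on substrings avoids assuming where the
    CGI lives or how the method parameter is spelled.
    """
    decoded = unquote(unquote(request_target)).lower()
    return "wwwubr.cgi" in decoded and "ubr-editfile" in decoded


def scan_access_log(lines):
    """Return (ip, user, timestamp, target, status) for each matching request.

    Unparseable lines are skipped rather than aborting the sweep; a 200
    from a low-privileged account is the case the advisory describes.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_suspicious(m["target"]):
            hits.append((m["ip"], m["user"], m["ts"], m["target"], int(m["status"])))
    return hits


def parse_version(version: str):
    """'V6.0.1.0' -> (6, 0, 1, 0). Assumes a four-part dotted scheme."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True when the firmware is V6.0.1.0 or later."""
    return parse_version(version) >= FIXED_VERSION


# Constructed sample log lines (not captured from a real device). The
# 'op=' parameter and the '...' argument are placeholders, not the
# endpoint's real parameter layout.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.9 - user1 [12/Mar/2024:10:02:11 +0000] "GET /cgi-bin/wwwubr.cgi?op=ubr-editfile&arg=... HTTP/1.1" 200 418',
    '10.0.0.9 - user1 [12/Mar/2024:10:02:40 +0000] "POST /cgi-bin/wwwubr.cgi?op=ubr%252Dedit%66ile HTTP/1.1" 200 977',
    '10.0.0.7 - admin [12/Mar/2024:10:03:00 +0000] "GET /cgi-bin/wwwubr.cgi?op=status HTTP/1.1" 200 211',
    'not an access-log line at all',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious ubr-editfile request:", hit)
    for v in ("V5.8.2.0", "V6.0.1.0", "6.1.0.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

Run over the constructed sample, the scan reports the two requests from user1 (one plain, one double-encoded) and ignores the call to the same endpoint with a different method; the version check flags V5.8.2.0 and accepts V6.0.1.0 and later. Point `scan_access_log` at real device or reverse-proxy logs, and treat any hit with a 200 status as a reason to rotate the credentials and keys named in the advisory.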
