MBS Universal BACnet Router UBR Web Interface Arbitrary File Read Vulnerability
Vulnerability
An arbitrary file read vulnerability has been identified in the MBS Universal BACnet Router UBR web interface, specifically within the 'ubr-logread' method of 'wwwubr.cgi'. This vulnerability allows low-privileged remote attackers to read any file on the system. The 'ubr-logread' method accepts a parameter specifying the log file to open, but this parameter is not properly validated. As a result, attackers can manipulate it to reference arbitrary files and retrieve their contents. This issue affects both the 32 MB and 64 MB RAM versions of the UBR firmware.
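The flaw described above is the classic unvalidated-file-name pattern: a request parameter chooses which log to open and nothing constrains it to the log directory. The following is an added illustration, not code from MBS or the UBR firmware, that places that pattern beside a hardened handler which allowlists log names and checks the canonical path. The log directory, the log names in the allowlist, and the secret file used in the demonstration are constructed for the example.

```python
"""Added example, not code from MBS or the UBR firmware.

Shows an unchecked log-read handler next to a hardened one. The log
directory, allowlisted log names and file contents are assumptions
constructed for illustration.
"""
import os
import tempfile
from pathlib import Path

# Assumed allowlist of log names the handler is meant to serve (constructed).
ALLOWED_LOGS = frozenset({"router.log", "bacnet.log"})


class LogAccessError(ValueError):
    """Raised when the requested log name fails validation."""


def read_log_unsafe(log_dir: str, requested: str) -> str:
    """Vulnerable pattern: the parameter is joined and opened unchecked.

    os.path.join discards log_dir when `requested` is absolute, and '..'
    components walk out of it, so any readable file can be returned.
    """
    with open(os.path.join(log_dir, requested), encoding="utf-8", errors="replace") as fh:
        return fh.read()


def validate_log_name(requested: str) -> bool:
    """Pure allowlist check: exact match against known log names.

    A bare file name cannot contain separators or '..', so this alone
    already blocks traversal and absolute paths.
    """
    return requested in ALLOWED_LOGS


def resolve_log_path(log_dir: str, requested: str) -> Path:
    """Return a canonical path guaranteed to sit directly inside log_dir."""
    if not validate_log_name(requested):
        raise LogAccessError(f"log name not permitted: {requested!r}")
    base = Path(log_dir).resolve()
    candidate = (base / requested).resolve()
    # Second layer: even an allowlisted name could be a symlink pointing
    # elsewhere; resolving and comparing the parent catches that.
    if candidate.parent != base:
        raise LogAccessError("resolved path escapes the log directory")
    return candidate


def read_log_safe(log_dir: str, requested: str) -> str:
    """Hardened handler: validate first, then read."""
    with resolve_log_path(log_dir, requested).open(encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout and exercise both handlers.

    tmp/
      logs/router.log   <- legitimate log (constructed content)
      secret.txt        <- stands in for a file outside the log directory
    """
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "logs")
        os.mkdir(log_dir)
        Path(log_dir, "router.log").write_text("router started\n", encoding="utf-8")
        Path(tmp, "secret.txt").write_text("CONSTRUCTED-SECRET\n", encoding="utf-8")

        # The unchecked handler happily serves a file outside the log directory.
        leaked = read_log_unsafe(log_dir, "../secret.txt") == "CONSTRUCTED-SECRET\n"

        # The hardened handler refuses the same request before touching the disk.
        try:
            read_log_safe(log_dir, "../secret.txt")
            rejected = False
        except LogAccessError:
            rejected = True

        return {
            "unsafe_leaked": leaked,
            "safe_rejected": rejected,
            "safe_content": read_log_safe(log_dir, "router.log"),
        }


if __name__ == "__main__":
    print(demo())
```

The allowlist alone is sufficient against traversal and absolute paths; the canonical-path comparison is a second, independent layer for the case where a file inside the log directory is itself a symlink. Fixes that only strip `..` sequences or reject a leading `/` are weaker than either check, because encodings and repeated separators give the attacker many ways to spell the same path.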
Impact
Exploitation of this vulnerability allows an authenticated user to read any file on the system. This could include sensitive files such as '/etc/shadow', which contains hashed passwords, web interface credential files, or private keys for HTTPS or BACnet/SC services.
Remediation
Users are advised to upgrade to UBR firmware version 6.0.1.0, which addresses this vulnerability. For more details, please check the release notes on the MBS Solutions website.