MBS Universal BACnet Router UBR Web Interface Update Signature Bypass Vulnerability Allowing Full Device Compromise

Vulnerability

A vulnerability has been identified in the web interface of the MBS Universal BACnet Router (UBR) related to an update signature bypass in the wwwupdate.cgi method. This vulnerability allows a high-privileged remote attacker to fully compromise the device. By exploiting this flaw, an attacker with admin credentials or a stolen admin session token can execute code as root, gain persistent access, and manipulate any system files. The vulnerability arises because the update process improperly verifies the authenticity of update files before applying them, enabling the upload of malicious files that can be executed with elevated privileges.

Impact

Exploitation of this vulnerability leads to full device compromise, allowing for unauthorized code execution as root and manipulation of system files. This vulnerability, combined with the lack of expiration for session tokens, poses a significant risk of unauthorized access and exploitation.

Remediation

Users are advised to update to the latest UBR firmware version 6.0.1.0, which addresses this vulnerability. For more details, please check the release notes on the MBS Solutions website.
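Because the flaw is reached through wwwupdate.cgi by someone holding admin credentials or a session token, every request to that endpoint is worth reviewing. The following is an added example, not code from MBS or from this advisory: it assumes a reverse proxy in front of the UBR that writes combined-format access logs, and the management subnet, maintenance window, /cgi-bin/ path prefix and sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import unquote

# Assumption: a reverse proxy in front of the UBR writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Hypothetical site policy: management subnet and firmware maintenance window.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]
MAINT_HOURS = range(1, 4)  # 01:00-03:59 in the log's own time zone

# Constructed sample lines; the /cgi-bin/ prefix is a placeholder path.
SAMPLE_LOG = [
    '10.20.0.5 - - [09/Mar/2026:02:10:44 +0000] "POST /cgi-bin/wwwupdate.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.20.0.5 - - [09/Mar/2026:02:11:02 +0000] "GET /index.html HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [09/Mar/2026:14:32:09 +0000] "POST /cgi-bin/wwwupdate.cgi HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.20.0.9 - - [09/Mar/2026:16:05:31 +0000] "POST /cgi-bin/wwwupdate.cgi HTTP/1.1" 403 128 "-" "Mozilla/5.0"',
]

def review_update_requests(lines):
    """Return one finding per logged request that targets wwwupdate.cgi."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "wwwupdate.cgi" not in unquote(m["path"]).lower():
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reasons = []
        try:
            known = any(ipaddress.ip_address(m["src"]) in n for n in ADMIN_NETS)
        except ValueError:  # hostname or garbage in the client field
            known = False
        if not known:
            reasons.append("source outside management subnet")
        if ts.hour not in MAINT_HOURS:
            reasons.append("outside maintenance window")
        findings.append({
            "time": ts.isoformat(), "src": m["src"], "method": m["method"],
            "accepted": m["status"].startswith("2"), "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    for f in review_update_requests(SAMPLE_LOG):
        print("REVIEW" if f["reasons"] else "ok", f)
```

A finding with an empty reasons list matches the assumed policy; any other finding, especially one with accepted set, should be matched against a planned firmware change.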

Added: Mar 9, 2026, 9:23 AM
Updated: Mar 9, 2026, 9:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.8
remediation: 0.0
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.