LB-Link BL-CPE300M AX300 4G LTE Router Improper IP Bound Session Authentication Vulnerability

A vulnerability exists in the LB-Link BL-CPE300M AX300 4G LTE Router, specifically in the firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06. The issue arises from inadequate session management in the web management interface. After a user authenticates from a particular IP address, the router allows access to any other client using that same IP, without requiring credentials or verifying the client's identity. This flaw, which affects all authenticated endpoints, including '/goform/*' and '/api/*', enables an attacker to gain full administrative access by simply configuring their device to use the same IP address as a previously authenticated user, resulting in a complete authentication bypass.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access to the router, enabling an attacker to modify configurations, access logs, or reboot the device.

Reproduction

To reproduce this vulnerability, log into the router's web management interface from a specific IP address. Once authenticated, another client can be configured to use the same IP address, bypassing authentication and gaining access to authenticated endpoints as if they were the original user.