R.V.R Elettronica TEX Broken Access Control Vulnerability Allowing Unauthorized Password Changes

Vulnerability

A broken access control vulnerability has been identified in the R.V.R Elettronica TEX product, specifically in firmware TEXL-000400 and Web GUI TLAN-000400. The issue arises from improper authentication checks on the /_Passwd.html endpoint, allowing an attacker to send an unauthenticated POST request to change passwords for Admin, Operator, and User roles. This vulnerability could lead to complete system compromise.

Impact

Exploiting this vulnerability lets an attacker change passwords through the /_Passwd.html endpoint without authorization, resetting the password for every user role, including Admin. This access could be used to gain full control over the system. Changing the passwords could also lock out legitimate users.

Reproduction

To reproduce this vulnerability, send an unauthenticated POST request to the /_Passwd.html endpoint with the desired new passwords for the Admin, Operator, and User accounts. The system will accept the request and update the passwords without any authentication. Once the passwords are changed, log in using the new credentials to gain access to the system.

Remediation

Until a patch is released, administrators should restrict access to the /_Passwd.html endpoint using firewall rules or web server configurations. It is also advisable to monitor logs for unauthorized password change requests and manually secure admin credentials by periodically changing them.
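The log monitoring suggested above can be sketched as follows. This is an added example, not vendor or advisory code. It assumes a reverse proxy in front of the device writes combined-format access logs and that 10.20.0.0/24 is a hypothetical management subnet; the log lines are constructed samples.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of the device writes combined-format
# access logs; the page does not describe the device's own logging.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SENSITIVE_PATH = "/_passwd.html"  # endpoint from the advisory, lower-cased
# Assumption: hypothetical management subnet allowed to reach the endpoint.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '10.20.0.15 - - [19/Nov/2025:10:01:02 +0000] "GET /_Passwd.html HTTP/1.1" 200 2314',
    '203.0.113.45 - - [19/Nov/2025:10:05:40 +0000] "POST /_Passwd.html HTTP/1.1" 200 512',
    '10.20.0.15 - - [19/Nov/2025:11:12:09 +0000] "POST /_Passwd.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Nov/2025:11:30:00 +0000] "POST /index.html HTTP/1.1" 404 0',
]


def is_trusted(src):
    """True only if src parses as an IP inside a management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in MGMT_NETS)


def find_password_changes(lines):
    """Return one finding per POST to the password endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string and compare case-insensitively.
        if m["path"].split("?", 1)[0].lower() != SENSITIVE_PATH:
            continue
        # No authentication on the endpoint: in-subnet POSTs still get a review.
        severity = "review" if is_trusted(m["src"]) else "alert"
        findings.append({"time": m["ts"], "src": m["src"],
                         "status": int(m["status"]), "severity": severity})
    return findings


if __name__ == "__main__":
    print(*find_password_changes(SAMPLE_LOG), sep="\n")
```

Because the endpoint accepts requests without authentication, a POST from inside the management subnet is still reported for review rather than treated as legitimate.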

Added: Nov 19, 2025, 6:26 PM
Updated: Nov 19, 2025, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.