Newtec Celox UHD Authentication Bypass Vulnerability Allowing Privilege Escalation

An authentication bypass vulnerability has been identified in the Newtec Celox UHD models CELOXA504 and CELOXA820, running firmware version celox-21.6.13. This vulnerability allows an attacker to gain Superuser or Operator access by modifying intercepted responses from the '/celoxservice' endpoint during the login process. The attack exploits weak validation of server responses, enabling unauthorized access without valid credentials.

Impact

Exploitation of this vulnerability allows for full unauthorized access to Superuser or Operator functions, bypassing password verification and potentially leading to a remote compromise of the device and its configuration, especially on exposed networks.

Reproduction

To reproduce this vulnerability, intercept the login request sent to the '/celoxservice' endpoint. After capturing the response, replace it with a crafted payload that includes either Superuser or Operator access rights. Once the modified response is forwarded, the attacker will be logged in with the elevated privileges.

Remediation

It is recommended to implement server-side validation of login credentials and session tokens, sign and verify server responses to prevent tampering, apply secure session management, and use encrypted transport such as HTTPS. Additionally, backend role validation should be ensured before granting access to any privileged functions.