Itel DAB MUX Authentication Bypass Vulnerability

A vulnerability allowing authentication bypass has been identified in the Itel DAB MUX (IDMUX build c041640a) due to improper validation of JSON Web Tokens (JWT) across devices. This flaw enables attackers to reuse a valid JWT token from one device to gain administrative access on another device with the same firmware, regardless of differing passwords or networks. The vulnerability results in a complete compromise of the affected device.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access to the device, enabling full control and modification of the device's settings and functions.

Reproduction

To reproduce this vulnerability, log into an affected device (Device 1) using valid credentials to obtain a JWT token. This token can then be injected into the local storage of another device (Device 2) running the same firmware. After refreshing the page, Device 2 will authenticate as an admin without requiring a password. This process can be automated with a Python script that logs into Device 1, retrieves the JWT, and uses it to access Device 2.

Remediation

Itel Electronics should implement proper JWT validation by binding tokens to specific devices or sessions, incorporating device identifiers in JWT claims, and using secure storage methods. Until a patch is available, administrators can disable JWT-based authentication, restrict access to the login endpoint, and monitor for suspicious login activity.