Axel Technology Puma Devices Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in Axel Technology Puma devices running firmware versions from 0.8.5 up to, but not including, 1.0.3. The vulnerability arises from missing authentication on the '/cgi-bin/gstFcgi.fcgi' endpoint, which allows unauthenticated remote attackers to reach sensitive administrative functions. Exploitation enables an attacker to list user accounts, create new administrative users, delete users, and modify system settings, potentially leading to a full compromise of the device.

Impact

Exploitation of this vulnerability allows for unauthorized access to administrative functions, including user account management and system configuration, leading to a complete takeover of the affected device.

Reproduction

The vulnerability can be reproduced by sending unauthenticated POST requests to the '/cgi-bin/gstFcgi.fcgi' endpoint. This can be done using tools like curl or through a Python script that automates the process. The requests can include payloads to list user accounts, add new administrative users, or delete existing users, demonstrating the lack of access control on the endpoint.

Remediation

To address this vulnerability, it is recommended to implement authentication for all sensitive endpoints, enforce role-based access control, and restrict access to administrative functions to trusted IP addresses. Until a patch is available, administrators should monitor network traffic to the device for suspicious activity and require a VPN or secure tunnel for administrative access.
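The interim measures above (trusted-IP restriction plus monitoring) can be expressed as one access rule and checked against proxy or sensor logs. The following is an added example, not Axel Technology code and not part of the original advisory: it assumes a reverse proxy or network sensor in front of the device writes common-format access logs, that '/cgi-bin/gstFcgi.fcgi' is the sensitive endpoint named in this advisory, and that a management network (here the constructed 10.0.5.0/24) is the only trusted source. The log lines are constructed for the example. The same rule that flags a log entry is the rule a proxy in front of the device should enforce: requests to the endpoint are allowed only from a trusted source and only with an authenticated user.

```python
"""Detect requests to the Puma administrative endpoint that violate the
recommended access rule (trusted source AND authenticated user).

Added example; assumptions are marked below."""
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory.
SENSITIVE_PATH = "/cgi-bin/gstFcgi.fcgi"

# Assumption: the management network allowed to reach admin functions.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Common log format: src ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \d+'
)

# Constructed sample log: one legitimate admin session, two unauthenticated
# POSTs from an untrusted address, an unrelated GET, and an untrusted GET.
SAMPLE_LOG = """\
10.0.5.12 - admin [19/Nov/2025:16:10:01 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 512
203.0.113.40 - - [19/Nov/2025:16:10:07 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 640
203.0.113.40 - - [19/Nov/2025:16:10:09 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 88
10.0.5.12 - admin [19/Nov/2025:16:11:30 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [19/Nov/2025:16:12:44 +0000] "GET /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 300
"""


def parse_line(line):
    """Return a dict of fields for a common-format log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src):
    """True if the source address lies inside a trusted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def access_violations(entry):
    """Reasons a request to the sensitive endpoint breaks the access rule.
    An empty list means the request is allowed (or is not to the endpoint)."""
    path = entry["path"].split("?", 1)[0]
    if path != SENSITIVE_PATH:
        return []
    reasons = []
    if not is_trusted(entry["src"]):
        reasons.append("untrusted source")
    if entry["user"] == "-":
        reasons.append("no authenticated user")
    return reasons


def find_suspicious(log_text):
    """Scan log text and return entries that violate the access rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash the scan
        reasons = access_violations(entry)
        if reasons:
            findings.append({"src": entry["src"], "method": entry["method"],
                             "ts": entry["ts"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count flagged requests per source address for alerting."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["method"]}: {", ".join(h["reasons"])}')
    print("per-source:", dict(summarize(hits)))
```

On the sample data the scan flags all three requests from outside the management network and leaves the authenticated request from 10.0.5.12 alone; a request from a trusted address with no authenticated user would still be flagged, which is the point of requiring both conditions.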

Added: Nov 19, 2025, 4:22 PM
Updated: Nov 19, 2025, 7:51 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.