Axel Technology StreamerMAX MK II Broken Access Control Vulnerability
Vulnerability
A broken access control vulnerability has been identified in Axel Technology StreamerMAX MK II devices running firmware versions from 0.8.5 up to, but not including, 1.0.3. The vulnerability arises from missing authentication on the '/cgi-bin/gstFcgi.fcgi' endpoint, allowing unauthenticated remote attackers to reach sensitive administrative functions. Exploitation of this vulnerability enables attackers to list user accounts, create new administrative users, delete existing users, and modify system settings, potentially leading to a full compromise of the device.
Impact
Exploitation of this vulnerability allows for unauthorized access to administrative functions, including user account management and system configuration. This could result in unauthorized users gaining administrative privileges and full control over the device.
Reproduction
The vulnerability can be reproduced by sending unauthenticated POST requests to the '/cgi-bin/gstFcgi.fcgi' endpoint. This can be done using tools like curl or through a Python script that automates the process. The absence of authentication checks on this endpoint allows for direct access to sensitive functions such as listing, adding, and deleting user accounts.
Remediation
Users are advised to implement authentication for all sensitive endpoints and enforce role-based access control. Until a patch is available, access to the vulnerable endpoint should be restricted using firewall rules, and administrative access should be limited to trusted IP addresses or through a secure VPN.
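Until the firmware is updated, the practical defender-side controls are the two named above: restrict who can reach the endpoint, and watch for anyone outside that set reaching it anyway. The following script is an added example, not code from the advisory or from Axel Technology. It reads web server access log lines in common log format, keeps only requests whose path is the unauthenticated '/cgi-bin/gstFcgi.fcgi' endpoint, and reports those that did not come from a trusted management network. The allowlist networks and the sample log lines are constructed for illustration; the only value taken from the advisory is the endpoint path.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Endpoint named in the advisory as lacking authentication.
VULNERABLE_ENDPOINT = "/cgi-bin/gstFcgi.fcgi"

# Hypothetical trusted management networks (assumption, not from the advisory).
# In practice these mirror the firewall / VPN allowlist recommended above.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.10.0/24"),
    ipaddress.ip_network("192.168.1.5/32"),
]

# Minimal common-log-format pattern: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so the comparison is against the path alone.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address is never treated as trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records for requests to the vulnerable endpoint from
    addresses outside the trusted networks, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] != VULNERABLE_ENDPOINT:
            continue
        if is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits


# Constructed sample log lines (not real device traffic).
SAMPLE_LOG = [
    '10.0.10.7 - - [01/Jan/2024:10:00:01 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 512',
    '203.0.113.45 - - [01/Jan/2024:10:00:05 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 734',
    '203.0.113.45 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/gstFcgi.fcgi?x=1 HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_untrusted_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On the sample input the script reports the two requests from 203.0.113.45 and 198.51.100.9, and ignores the request from the trusted 10.0.10.0/24 network, the unrelated page fetch, and the unparseable line. Because the endpoint performs administrative actions regardless of HTTP method, the filter deliberately keys on the path rather than on POST only; a 200 response from an untrusted source should be treated as a likely compromise of the account list.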
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
