Magewell Pro Convert Cross-Site Request Forgery Vulnerability Allowing Unauthorized Account Creation
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Magewell Pro Convert Ultra Encode model, specifically in the web-based management interface of the device running firmware 2.3.206. The vulnerability exists in the '/usapi?method=add-user' endpoint, which allows remote attackers to create user accounts, including administrative accounts, by causing an authenticated administrator's browser to send a crafted GET request. This endpoint does not require or validate an anti-CSRF token, Origin, or Referer header, so a request originating from any third-party site is accepted as long as the victim's session cookie is attached.
Impact
Exploitation of this vulnerability allows for unauthorized account creation, with the potential for privilege escalation if an administrative account is created. A newly created admin account provides full control over the device. Additionally, all state-changing actions within the '/usapi' component may be vulnerable to CSRF attacks.
Reproduction
To reproduce this vulnerability, log into the Magewell Ultra Encode device as an administrator. Then, host a malicious web page that includes a Cross-Site Request Forgery payload targeting the '/usapi?method=add-user' endpoint. This can be done by using an auto-submitting form or a zero-click image request. Once the page is visited by an authenticated administrator, the attack will automatically create a new user account with administrative privileges.
Remediation
Users are advised to upgrade to the latest firmware version that addresses this issue and to implement standard CSRF countermeasures, such as requiring and validating anti-CSRF tokens, enforcing POST methods for state-changing operations, checking Origin or Referer headers, and restricting access to the management interface.
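The countermeasures listed above can be combined into a single gate in front of every state-changing '/usapi' operation. The following is an added example written for this advisory, not Magewell's firmware code: the Request and Session shapes, the ALLOWED_HOSTS values and the check_state_change function are hypothetical, and the sample requests at the bottom are constructed. It shows the three layers working together: a GET (the zero-click image case) is refused outright, a cross-site POST fails the Origin/Referer check, and a request that lacks the session-bound token fails the token check, while a same-origin POST carrying the right token is allowed.

```python
# Added example (not Magewell's code): a request-validation gate for
# state-changing management API calls such as add-user.
# Request, Session, ALLOWED_HOSTS and the endpoint shape are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hosts the management UI is legitimately served from (assumed values).
ALLOWED_HOSTS = {"encoder.local", "192.0.2.10"}

# Methods that must never change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, not to the cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (hypothetical shape)."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]


def _origin_host(headers: Dict[str, str]) -> Optional[str]:
    """Return the host from Origin, else from Referer, else None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def check_state_change(req: Request) -> Tuple[bool, str]:
    """Decide whether a state-changing API call (e.g. add-user) may proceed.

    Returns (allowed, reason). Each check is an independent layer: the
    method gate defeats image/link-triggered GETs, the origin check defeats
    cross-site form posts, and the token check defeats anything that can
    send a request but cannot read the page that issued the token.
    """
    if req.session is None:
        return False, "unauthenticated"
    if req.method in SAFE_METHODS:
        return False, "state change attempted via safe method"
    host = _origin_host(req.headers)
    if host is None:
        return False, "missing Origin/Referer"
    if host not in ALLOWED_HOSTS:
        return False, f"cross-site origin {host}"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False, "bad or missing CSRF token"
    return True, "ok"


def demo_cases() -> Dict[str, Tuple[bool, str]]:
    """Run constructed requests through the gate and return each verdict."""
    sess = Session(user="admin")
    cases = {
        # The advisory's scenario: a zero-click GET from a third-party page.
        "forged_get": Request("GET", "/usapi?method=add-user",
                              {"Referer": "http://attacker.example/"}, {}, sess),
        # Auto-submitting form on a third-party page: wrong origin.
        "forged_post": Request("POST", "/usapi",
                               {"Origin": "http://attacker.example"},
                               {"method": "add-user"}, sess),
        # Same origin but no token (e.g. a script that cannot read the page).
        "no_token": Request("POST", "/usapi",
                            {"Origin": "http://encoder.local"},
                            {"method": "add-user"}, sess),
        # Legitimate admin action from the real UI.
        "legit": Request("POST", "/usapi",
                         {"Origin": "http://encoder.local"},
                         {"method": "add-user", "csrf_token": sess.csrf_token}, sess),
    }
    return {name: check_state_change(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo_cases().items():
        print(f"{name:12s} -> {verdict}")
```

In a real firmware the token would be issued with the management page and tied to the server-side session, and ALLOWED_HOSTS would be derived from the device's configured hostname and addresses rather than hard-coded; the order of checks above means a forged request is rejected before any account-creation logic runs.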