ETL Systems DEXTRA Series Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the web management interface of ETL Systems Ltd DEXTRA Series Digital L-Band Distribution System, version 1.8. The vulnerability arises because the interface does not implement any CSRF protection mechanism, such as anti-CSRF tokens or validation of the Origin/Referer headers, on critical configuration endpoints. Without such protection, a malicious page can cause an authenticated administrator's browser to submit POST requests to the interface without the administrator's knowledge; because the browser attaches the session cookie, those requests are accepted as authorized, potentially leading to unauthorized changes in device settings.
Impact
Exploitation of this vulnerability could result in full administrative takeover of the affected device. An attacker could change the admin password, lock out legitimate users, reconfigure network settings such as IP address and gateway, alter the device hostname, and perform any other administrative actions. This silent attack requires no user interaction beyond the victim loading the malicious page.
Reproduction
To reproduce this vulnerability, an authenticated administrator must be tricked into visiting a malicious webpage. That page can be crafted to automatically submit a POST request to the vulnerable endpoint '/configr/config.htm' without any further user interaction. The browser attaches the administrator's session cookie to the request, so it is accepted as authenticated, and the request body carries the values for the configuration options being changed, such as the admin password and network settings.
Remediation
It is recommended that ETL Systems Ltd implement anti-CSRF tokens, validate the Origin and Referer headers on state-changing requests, set SameSite=Lax or SameSite=Strict on the session cookie, add a double-submit cookie mechanism for defense in depth, require re-authentication for password and network changes, and release patched firmware immediately.
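The following added example (not ETL Systems' code) shows the server-side check those recommendations describe, applied to a state-changing POST such as one to '/configr/config.htm': the device hostname, the session/cookie/form dictionaries and the function names are assumptions for illustration.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed illustration of the CSRF controls listed in the remediation:
# Origin/Referer validation, a synchronizer token bound to the session, and a
# double-submit cookie. Names and the device host are assumptions.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_host(headers: dict) -> Optional[str]:
    """Host named by Origin, else Referer; None if neither is usable."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    return urlsplit(value).hostname  # "null" Origin yields None -> rejected


def csrf_check(method: str, headers: dict, cookies: dict, form: dict,
               session: dict, device_host: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods (GET/HEAD/OPTIONS) pass through."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # 1. Origin/Referer must name this device; a missing header is rejected,
    #    since a cross-site form submission normally carries Origin.
    src = _source_host(headers)
    if src is None or src.lower() != device_host.lower():
        return False, "origin mismatch"
    # 2. Synchronizer token: the form value must equal the session-bound one.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    # 3. Double-submit cookie (defense in depth): the cookie copy must match.
    if not hmac.compare_digest(cookies.get("csrf_token", ""), supplied):
        return False, "double-submit cookie mismatch"
    return True, "ok"
```

A forged cross-site POST carries the session cookie but neither a matching Origin nor the session-bound token, so it fails at step 1; a legitimate form rendered by the device passes all three checks.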
