Comet System Missing Authentication Vulnerability in Web Management Interface

A critical vulnerability exists in the web-based management interface of Comet System network sensor devices, specifically in models T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552, and H3531, all running version 1.60. The vulnerability arises from a lack of authentication controls, allowing unauthorized users to access the administrative configuration page '/setupA.cfg' on port 8082. This access enables them to modify essential device settings, such as security configurations, web server controls, network and protocol settings, and service disruption parameters. The issue stems from the 'Security' feature being disabled by default, which leaves critical functions exposed to unrestricted access. Although users can manually enable security, this is not the standard configuration.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in device configurations, causing operational disruptions such as disabling alarms or network interfaces. Additionally, attackers might exploit modified settings to access sensitive data, disable security measures, or establish persistent backdoors, potentially allowing for lateral movement within the network.

Reproduction

To reproduce this vulnerability, access the web management interface of an affected Comet System device within the local network. Navigate to the '/setupA.cfg' file on port 8082. No authentication is required, allowing immediate access to the administrative configuration page. Once accessed, critical device settings can be modified without any credentials.

Remediation

It is recommended to implement proper firewalling to restrict access to the vulnerable web management interface. Additionally, users should manually enable the 'Security' feature in the device settings to require authentication for accessing critical functions.