Technostrobe HI-LED-WR120-G2 Obstruction Lighting Controller Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, specifically in version 5.5.0.1R6.03.30. The vulnerability resides within the component Endpoint, in an unknown function of the file /Technostrobe/. This issue allows remote attackers to manipulate access controls, leading to unauthorized access to sensitive administrative endpoints via the device's embedded web management interface.

Impact

Exploitation of this vulnerability allows unauthenticated users to access administrative pages, view system configurations, and interact with device controls, such as changing passwords and tampering with alarm settings.

Reproduction

The vulnerability can be reproduced by sending a request to the Technostrobe web server with a fake userId and keyId. The server does not validate these values and grants access to the administrative interface. This can be done using a simple GET request or by posting to the LoginCB endpoint with a Base64-encoded new password.

Remediation

It is recommended to implement server-side session management, enforce authentication on all administrative routes, and require current passwords for password changes. Additionally, sessions should be bound to IP addresses and user agents.
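
The following sketch shows these controls working together. It is an added example, not code from the vendor or from the original advisory; the class name AdminGate, its method names, and the 900-second timeout are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 900  # assumed idle timeout in seconds

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AdminGate:
    """Server-side sessions for an admin interface (hypothetical names)."""
    def __init__(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds = {user: (salt, _hash(password, salt))}
        self._sessions = {}  # token -> (user, ip, user_agent, expiry)

    def _password_ok(self, user, password):
        salt, stored = self._creds.get(user, (b"", b""))
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, user, password, ip, ua):
        if not self._password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)  # opaque, issued by the server only
        self._sessions[token] = (user, ip, ua, time.time() + SESSION_TTL)
        return token

    def session_user(self, token, ip, ua, now=None):
        """Return the user for a live session bound to this IP and user agent."""
        entry = self._sessions.get(token)
        if entry is None:
            return None  # identifiers invented by the client never match
        user, bound_ip, bound_ua, expiry = entry
        now = time.time() if now is None else now
        if now >= expiry or (ip, ua) != (bound_ip, bound_ua):
            del self._sessions[token]  # expired or presented elsewhere: revoke
            return None
        return user

    def admin_page(self, token, ip, ua):
        # Gate applied to every administrative route; returns an HTTP status.
        return 200 if self.session_user(token, ip, ua) else 401

    def change_password(self, token, ip, ua, current, new):
        user = self.session_user(token, ip, ua)
        if user is None:
            return 401
        if not self._password_ok(user, current):
            return 403  # a valid session alone is not enough
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _hash(new, salt))
        return 200
```

Because the session table lives only on the server, a request carrying made-up identifiers gets 401 on every route, and a password change additionally fails with 403 unless the current password is supplied.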

Added: Apr 5, 2026, 2:19 PM
Updated: Apr 5, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.