#VU88762 Missing Authentication for Critical Function in Electrolink Hardware solutions


Published: 2024-04-17

Vulnerability identifier: #VU88762

Vulnerability risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-1491

CWE-ID: CWE-306

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
10W Compact DAB Transmitter
Hardware solutions / Firmware
100W Compact DAB Transmitter
Hardware solutions / Firmware
250W Compact DAB Transmitter
Hardware solutions / Firmware
500W Medium DAB Transmitter
Hardware solutions / Firmware
1kW Medium DAB Transmitter
Hardware solutions / Firmware
2kW Medium DAB Transmitter
Hardware solutions / Firmware
2.5kW High Power DAB Transmitter
Hardware solutions / Firmware
3kW High Power DAB Transmitter
Hardware solutions / Firmware
4kW High Power DAB Transmitter
Hardware solutions / Firmware
5kW High Power DAB Transmitter
Hardware solutions / Firmware
100W Compact FM Transmitter
Hardware solutions / Firmware
500W Compact FM Transmitter
Hardware solutions / Firmware
1kW Compact FM Transmitter
Hardware solutions / Firmware
2kW Compact FM Transmitter
Hardware solutions / Firmware
3kW Modular FM Transmitter
Hardware solutions / Firmware
5kW Modular FM Transmitter
Hardware solutions / Firmware
10kW Modular FM Transmitter
Hardware solutions / Firmware
15kW Modular FM Transmitter
Hardware solutions / Firmware
20kW Modular FM Transmitter
Hardware solutions / Firmware
30kW Modular FM Transmitter
Hardware solutions / Firmware
15W - 40kW Digital FM Transmitter
Hardware solutions / Firmware
BI VHF TV Transmitter
Hardware solutions / Firmware
BIII VHF TV Transmitter
Hardware solutions / Firmware
10W - 5kW UHF TV Transmitter
Hardware solutions / Firmware

Vendor: Electrolink

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected devices expose an unprotected endpoint that accepts MPFS file system binary image uploads without authentication. A remote attacker can overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions


External links
http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

