CVE-2019-10847
Description
Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Computrols CBAS 18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform unauthorized actions on behalf of authenticated users.
Vulnerability
Computrols CBAS version 18.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This vulnerability allows an attacker to trick an authenticated administrator into unknowingly executing unwanted actions on the CBAS web application. The specific conditions require that the targeted user is currently logged into the CBAS interface and visits a malicious page controlled by the attacker. The vulnerability exists in the web application's handling of HTTP requests, where it fails to enforce CSRF tokens or other anti-forgery measures. References [1] and [2] are the vendor advisory and download page, while [3] provides a proof-of-concept from Packet Storm.
Exploitation
To exploit the CSRF vulnerability, an attacker must first craft a malicious web page or email containing HTML or JavaScript that submits a forged request to the CBAS server. The attacker then lures an authenticated CBAS user (typically an administrator) into accessing that page. The user's browser, because the user is already authenticated to CBAS, automatically includes the session cookie with the forged request, making it appear legitimate to the server. The attacker can chain multiple requests to perform actions such as modifying system configurations, adding new users, or deploying malicious settings. No authentication or direct network access to the CBAS server is needed beyond the victim's participation.
Impact
Successful exploitation of this CSRF vulnerability enables an attacker to perform any action that the authenticated victim is authorized to do. In the worst case, an administrator account could be hijacked to create new admin accounts, change critical building automation settings, or exfiltrate sensitive data. The impact is a loss of integrity and availability of the CBAS system, potentially compromising the entire building automation environment. The CVE description [1] lists the vulnerability with a CVSS v3 score of 8.8, indicating high severity.
Mitigation
As of the available references, no official patch or fixed version has been released by Computrols for CBAS 18.0.0. Users should immediately restrict network access to the CBAS web interface to trusted IP ranges only. They should also implement additional CSRF protection mechanisms, such as requiring a unique token or using referrer header validation. Until a patch is available, administrators should be trained to avoid clicking on suspicious links while logged into CBAS. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
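The two mitigations named above, a per-session synchronizer token and Origin/Referer validation, can be enforced in a single guard that runs before any state-changing request is handled. The following is an added example and is not Computrols code or anything from the cited advisories; the application origin, server secret, session identifier and form field name `csrf_token` are constructed for illustration. It also shows, for contrast, a cookie-only check of the kind the description attributes to CBAS, which accepts a forged cross-site request that the guarded version rejects.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment uses its own origin
# and a secret loaded from configuration, never a literal in source.
APP_ORIGIN = "https://cbas.example.internal"
SERVER_SECRET = b"constructed-example-secret-do-not-use"

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a synchronizer token bound to one session: HMAC(secret, session_id).

    The server embeds this in its own forms; a cross-site page cannot read it
    because the same-origin policy hides the CBAS page contents from it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(header_value: Optional[str]) -> bool:
    """True only if the Origin/Referer header names this application's origin."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def cookie_only_check(method: str, session_id: Optional[str]) -> bool:
    """The weak pattern: any request carrying a valid session cookie is accepted.

    The browser attaches the cookie automatically, so a forged cross-site POST
    passes this check; this is the failure mode the CVE describes.
    """
    return session_id is not None


def csrf_check(method: str, headers: Dict[str, str], form: Dict[str, str],
               session_id: Optional[str]) -> Tuple[bool, str]:
    """Hardened guard. Returns (allowed, reason).

    State-changing requests must carry a same-origin Origin (or Referer)
    header AND a form token equal to the one issued for this session.
    """
    if session_id is None:
        return False, "unauthenticated"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin") or headers.get("Referer")
    if not _same_origin(origin):
        return False, "cross-site or missing Origin/Referer"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token validity does not leak via timing.
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = "sess-constructed-0001"
    token = issue_csrf_token(session)
    # A request submitted by the application's own form.
    legit = csrf_check("POST", {"Origin": APP_ORIGIN}, {"csrf_token": token}, session)
    # A request a cross-site page would produce: session cookie present, no token.
    forged = csrf_check("POST", {"Origin": "https://other.example"}, {}, session)
    print("cookie-only accepts forged request:", cookie_only_check("POST", session))
    print("guarded legit:", legit)
    print("guarded forged:", forged)
```

Both checks are needed together: the header check catches most forged requests cheaply, while the token check covers clients that omit Origin/Referer and rejects a token issued for a different session.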
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Computrols/CBAS
- Range: = 18.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/155247/Computrols-CBAS-Web-19.0.0-Cross-Site-Request-Forgery.html
- applied-risk.com/index.php/download_file/view/196/165
- applied-risk.com/labs/advisories
News mentions
No linked articles in our index yet.