CVE-2022-35136

Vulnerability

Boodskap IoT Platform version 4.4.9-02 fails to authenticate API requests. The platform processes requests even without valid cookies or API keys, as demonstrated by a POST to /api/user/upsert/ [1]. This affects the entire API surface, making endpoints accessible to any unauthenticated attacker.

Exploitation

An attacker with network access to the platform can send crafted HTTP requests to any API endpoint without authentication [1]. No user interaction or prior access is required. For example, a POST request to /api/user/upsert/ with a JSON body containing "roles":["admin"] is processed and returns a 200 OK response [1]. The attacker can repeat this for any user UUID to escalate privileges.

Impact

Successful exploitation allows an unauthenticated attacker to escalate privileges to any role, including administrator [1]. This leads to full compromise of the platform, including unauthorized data access, modification of user accounts, and potential control over IoT devices managed by the platform.

Mitigation

As of the publication date (2022-10-13), no patch or fixed version has been released for CVE-2022-35136 [1]. Administrators should restrict network access to the platform and implement additional authentication layers, such as a reverse proxy with authentication, until an official fix is available.