CVE-2022-47848

Vulnerability

CVE-2022-47847 affects Bezeq Vtech NB403-IL (version BZ_2.02.07.09.13.01) and Vtech IAD604-IL (versions BZ_2.02.07.09.13.01, BZ_2.02.07.09.13T, and BZ_2.02.07.09.09T) routers. The vulnerability involves the UPnP service listening on port 8200, which discloses the device's serial number in the /rootDesc.xml page. The serial number is used as the administrative password for the web interface on ports 80/443, effectively providing an authentication bypass through information disclosure [1].

Exploitation

An attacker with LAN access (and in some cases WAN access) to an affected router can send a request to http://:8200/rootDesc.xml to retrieve an XML file containing the serial number. That serial number is then used as the login password for the router's admin panel on port 80/443. No prior authentication is required, and the user does not need to interact [1].

Impact

Successful exploitation grants an attacker full administrative access to the router. This allows the attacker to retrieve sensitive information, modify device settings, change network configuration, and potentially pivot to other devices on the network. The confidentiality, integrity, and availability of the router and connected devices are compromised [1].

Mitigation

As of the publication of this CVE on September 15, 2023, the vendor (Bezeq) has not released a firmware update to address the vulnerability. The researcher reports that Bezeq did not commit to a fix during the disclosure process [1]. Users should consider restricting access to the UPnP service (port 8200) via firewall rules or disabling UPnP entirely if not required. No workaround provided by the vendor exists, and the affected models are not listed on the CISA KEV.