CVE-2024-25656
Description
Improper input validation in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS can result in unauthenticated CPE (Customer Premises Equipment) devices storing arbitrarily large amounts of data during registration. This can potentially lead to DDoS attacks on the application database and, ultimately, affect the entire product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated CPE can store arbitrarily large data during registration in AVSystem UMP 23.07.0.16567~LTS, potentially causing a DDoS via database disk exhaustion.
Vulnerability
Detail
AVSystem Unified Management Platform (UMP) version 23.07.0.16567~LTS suffers from improper input validation during the CPE (Customer Premises Equipment) registration process [1]. The registration, performed via the South Bridge Interface (SBI) as per the TR-069 specification, does not authenticate the CPE device and does not enforce any limit on the size of data fields provided by the device [1]. This allows an unauthenticated CPE to submit arbitrarily large amounts of data, including fields such as DeviceID.OUI, DeviceID.ProductClass, and multiple device information strings, leading to uncontrolled database growth [1].
Exploitation
An attacker can emulate a malicious CPE (e.g., using the GenieACS-SIM simulator) and send a registration with an extremely long device ID (e.g., 1.1 megabytes) and oversized values for fields like InternetGatewayDevice.DeviceInfo.Description [1]. Since the CPE does not require authentication to register, no prior access is needed. Even though the UMP allows defining rules to filter CPE data format, the device is still registered as 'Unauthorized' and all provided data is stored in the database [1].
Impact
Repeated registrations from multiple malicious CPE devices can fill the server's storage disk, causing observable latencies in the web management interface (Device Inventory, Log generation) and in the REST API /devices endpoint [1]. In severe cases, this can lead to a distributed denial of service (DDoS) against the application database and potentially affect the entire product [1].
Mitigation
As of the publication date (2024-03-18), no patch is mentioned in the reference. Affected users should apply input validation limits on CPE registration data and enforce authentication for registration where possible [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
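The input validation limits recommended under Mitigation could be enforced in front of the registration store roughly as follows. This is an added example, not AVSystem code: the function names, the 64 KiB body cap and the parameter limits are assumptions, and the DeviceId sizes follow the TR-069 DeviceIdStruct field lengths.

```python
import xml.etree.ElementTree as ET

# Assumed limits, not vendor values. DeviceId sizes follow the TR-069 DeviceIdStruct.
MAX_BODY = 64 * 1024
DEVICE_ID_LIMITS = {"Manufacturer": 64, "OUI": 6, "ProductClass": 64, "SerialNumber": 64}
MAX_PARAMS, MAX_NAME, MAX_VALUE = 64, 256, 256

def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def validate_inform(body: bytes) -> list:
    """Return a list of violations; an empty list means the Inform may be stored."""
    if len(body) > MAX_BODY:  # reject on size before spending any effort on parsing
        return [f"body is {len(body)} bytes, limit {MAX_BODY}"]
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ["DTD or entity declarations are not accepted"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    device_id = next((e for e in root.iter() if _local(e.tag) == "DeviceId"), None)
    if device_id is None:
        return ["Inform has no DeviceId"]
    errors = []
    fields = {_local(c.tag): (c.text or "") for c in device_id}
    for name, limit in DEVICE_ID_LIMITS.items():
        if len(fields.get(name, "")) > limit:
            errors.append(f"DeviceId.{name} is {len(fields[name])} chars, limit {limit}")
    params = [e for e in root.iter() if _local(e.tag) == "ParameterValueStruct"]
    if len(params) > MAX_PARAMS:
        errors.append(f"{len(params)} parameters, limit {MAX_PARAMS}")
    for p in params:
        kv = {_local(c.tag): (c.text or "") for c in p}
        name, value = kv.get("Name", ""), kv.get("Value", "")
        if len(name) > MAX_NAME or len(value) > MAX_VALUE:
            errors.append(f"parameter {name[:64]!r}: name {len(name)}, value {len(value)} chars")
    return errors

def sample_inform(product_class: str, description: str) -> bytes:
    """Constructed, minimal Inform envelope for exercising the validator."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body><cwmp:Inform>'
        '<DeviceId><Manufacturer>Example</Manufacturer><OUI>001122</OUI>'
        f'<ProductClass>{product_class}</ProductClass><SerialNumber>SN0001</SerialNumber></DeviceId>'
        '<ParameterList><ParameterValueStruct>'
        '<Name>InternetGatewayDevice.DeviceInfo.Description</Name>'
        f'<Value>{description}</Value></ParameterValueStruct></ParameterList>'
        '</cwmp:Inform></soap:Body></soap:Envelope>'
    ).encode()
```

The check has to run before any record is written, including the 'Unauthorized' entry, since the stored data rather than the authorization state is what grows the database.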
Patches
No patches discovered yet.