Paradox IP150 Internet Module 1.40.00 Cross Site Request Forgery

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
# Paradox IP150 Internet Module Cross-Site Request Forgery #  
  
Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery  
  
## Vulnerability Overview ##  
  
The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to  
Cross-Site Request Forgery (CSRF) attacks due to  
a lack of countermeasures and the use of the HTTP method `GET` to introduce  
changes in the system.  
  
* **Identifier** : SBA-ADV-20240321-01  
* **Type of Vulnerability** : Cross-Site Request Forgery (CSRF)  
* **Software/Product Name** : [IP150 Internet Module](https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563)  
* **Vendor** : [Paradox Security Systems (Bahamas) Ltd.](https://www.paradox.com/)  
* **Affected Versions** : 1.40.00 (possibly others too)  
* **Fixed in Version** : Not yet  
* **CVE ID** : CVE-2024-5676  
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H  
* **CVSS Base Score** : 6.8 (Medium)  
  
## Vendor Description ##  
  
> IP150  
> Internet Module  
> Supports SWAN Server  
>  
> Features  
>  
> * Controls and monitors a control panel through an IP network (LAN / WAN / Internet)  
> * Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software  
> * Two I/Os on board; controlled via the web interface, triggering an email  
> * Sends notification and alarm system events via email  
> * Arm / Disarm individual partitions via Insite GOLD app  
> * Connects to Swan for easy installation (no port forwarding)  
> * Enables Insite GOLD, or BabyWare to access your system through the Internet  
> * Push notification to Insite GOLD app  
> * HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)  
> * Very low bandwidth consumption  
> * Easy installation; built-in clip for mounting in a metal box  
> * Supported language: English  
> * Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075  
  
Source: <https://www.paradox.com/Products/default.asp?PID=404>  
  
## Impact ##  
  
An attacker can coerce an administrator into clicking a link, which issues  
a HTTP request that changes the state of the system.  
Depending on the configuration, meaning which downstream component is  
controlled by the affected component, the impact will be different.  
As an example the *IP150 Internet Module* might control an alarm unit.  
Thus an attacker can deactivate the alarm by performing a CSRF attack.  
  
## Vulnerability Description ##  
  
The server cannot verify whether a request was sent intentionally. This  
makes it possible for an attacker to trick a client into making  
unintentional requests to the web server which will be treated as an  
authentic request. In combination with a social engineering attack,  
this allows an attacker to perform server-side actions as the victim.  
  
In addition, the functionality of activation and deactivation of the alarm  
systems, is accessed via a HTTP `GET` request.  
Changing the state of the server with `GET` is discouraged in the HTTP  
standard, since it is defined to be a *safe* method [1].  
This makes the exploitation of the vulnerability easier, as an attacker  
can craft an URL.  
If the victim opens this URL, the CSRF attack is carried out and an action  
is performed.  
  
## Proof of Concept ##  
  
For example, the following HTTP request disables the alarm in area `00`:  
  
```http  
GET /statuslive.html?area=00&value=d HTTP/1.1  
Host: 192.0.2.1  
```  
  
It is vulnerable to CSRF, since it does not apply any CSRF countermeasures.  
Therefore, it is possible to craft an URL that performs this action:  
  
```text  
http://192.0.2.1/statuslive.html?area=00&value=d  
```  
  
## Recommended Countermeasures ##  
  
We are not aware of a vendor fix yet. Please contact the vendor.  
  
A generally valid solution against CSRF, which however requires a server-side  
state, is the implementation of an unpredictable token that is unique for  
each session.  
The OWASP project gives further recommendations [2] [3].  
  
## Timeline ##  
  
* `2024-02-09` Identified the vulnerability in version 1.40.00  
* `2024-02-12` First contact to the system owner to acquire more information about the system configuration and version  
* `2024-03-08` System owner provided all details on the affected system  
* `2024-03-21` First attempt to contact vendor via support email  
* `2024-04-03` Second attempt to contact vendor via web form and support email  
* `2024-06-19` No reaction from vendor to all previous contact attempts  
* `2024-06-19` SBA Research assigned CVE-2024-5676  
* `2024-06-19` Public disclosure  
  
## References ##  
  
1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: <https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1>  
2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>  
3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: <https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html>  
  
## Credits ##  
  
* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))  
* Fabian Funder ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmZyq50ACgkQ+7iGL1j3  
dbIISw/8CO95qAHA1sNw43g7j202gLt4zyIRHAjowX1btaOb5SwEPKgZCMa+Trnz  
fF/Ck5opN/Y8QvKE4C75TJVXVZBja4cTWeNa0bqXXNlvGsUB/9y5N2d7NTAN+CLc  
ew61aTFrudgjHL1hHyhzj74vt0rb44vrBlhQ562jwmHDgkixrek7m5FqLAa4nVVf  
yglBLbUlvi5MVCL1v3b1P5TTTBJfThRps5xhHpMpflyxsBWAdQZ+dZb000K+P5gf  
jnmMYAcDhe1Peun/ui4dYfsNapha16gpZ9vjjq0gBh+Si8t+Ri6Gup3d6AJuWVCV  
zcqjrYN+kwK0/I8e25MCpPNV3rIw16Gb+8HCeSKhVXEQalF1Gw+GVUsVua65hsoa  
JMF2gGN9p89Wcn5HD7Az3pv0HmdjrTghXhyf6JzP+k1NJscPbLQ9Lo7ea7Y4CBTG  
zkPoPEX3Ida05YxMgMesq60fXx9/Eq7vxIJtdnJSwjJVAhbEA+phkuX201ykK7WN  
iWIJVBY2EEZUOt2xBy/PLu6Eh5Bm11vCWqi8KeCyZj7OUYVNIPFbh52W+PJ9B13B  
1j0gf3TZF4nIO+ncvdKw3LQINkdj3G74VwKMFqLxSJQdzxDA0kDjWvZxst45n23J  
6HUGL0ur4KDQCMpeyqqgB46qF1GGl+iqAGJW4lTITUJO62EqRlo=  
=HcOX  
-----END PGP SIGNATURE-----  
  
`