Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config
Advisory ID: ZSL-2024-5815
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS
Risk: (5/5)
Release Date: 17.04.2024
Summary
The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it’s possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output.
Description
The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.
Vendor
Elber S.r.l. - https://www.elber.it
Affected Version
1.999 Revision 1243
1.317 Revision 602
1.220 Revision 1250
1.220 Revision 1248_1249
1.220 Revision 597
1.217 Revision 1242
1.214 Revision 1023
1.193 Revision 924
1.175 Revision 873
1.166 Revision 550
Tested On
NBFM Controller
embOS/IP
Vendor Status
[18.08.2023] Vulnerability discovered.
[20.08.2023] Vendor contacted.
[29.09.2023] No response from the vendor.
[09.12.2023] Vendor contacted.
[02.02.2024] No response from the vendor.
[16.03.2024] Vendor contacted.
[16.04.2024] No response from the vendor.
[17.04.2024] Public security advisory released.
PoC
elber_signum_idor.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/178135/
[2] https://www.exploit-db.com/exploits/52003
Changelog
[17.04.2024] - Initial release
[22.05.2024] - Added reference [1] and [2]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk