Title: Akuvox Smart Intercom/Doorphone ServicesHTTPAPI Improper Access Control
Advisory ID: ZSL-2024-5862
Type: Local/Remote
Impact: Security Bypass, Elevation of Privileges
Risk: (4/5)
Release Date: 26.11.2024

Summary

Vandal-resistant Door Phone for High-end Buildings. Offering top-of-the-line features, Akuvox X912 is targeted at high-end residential and commercial projects. With a compact size, it is perfect for buildings with limited installation space.

Description

The Akuvox Smart Intercom/Doorphone suffers from an insecure service API access control. The vulnerability in ServicesHTTPAPI endpoint allows users with "User" privileges to modify API access settings and configurations. This improper access control permits privilege escalation, enabling unauthorized access to administrative functionalities. Exploitation of this issue could compromise system integrity and lead to unauthorized system modifications.

Vendor

The Akuvox Company - https://www.akuvox.com

Affected Version

Doorphone:
S539
S532
X916
X915
X912
R29
Intercom:
E16C
R20K-2
R20A-2
C313W-2
NS-2
NC-2
NX-2
Firmware: 912.30.1.137

Tested On

lighttpd/1.4.30
EasyHttpServer

Vendor Status

[25.02.2024] Vulnerability discovered.
[19.03.2024] Vendor contacted.
[20.03.2024] Vendor responds asking for more details. Sends PGP key.
[22.03.2024] Replied to the vendor.
[29.03.2024] Vendor starts working on a fix.
[02.04.2024] Working with the vendor.
[29.10.2024] Vendor releases version 915.30.10.158 to address this issue.
[26.11.2024] Coordinated public security advisory released.

PoC

akuvox_eop.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/182870/

Changelog

[26.11.2024] - Initial release
[27.11.2024] - Added reference [1]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk