CVE-2018-13862 in Touchpadinfo

Summary

by MITRE

Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303) allows unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue=0" (a successful attack will allow attackers to log in without authorization).


Analysis

by VulDB Data Team • 09/24/2024

This vulnerability exists in Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163, a firmware version released on April 6 2018. The flaw resides in the web interface's handling of system attribute modifications through the XML system endpoint. Specifically, an unauthorized remote attacker can exploit this weakness by sending a GET request to the /xml/system/setAttribute.xml URL with the parameters id=0, attr=protectAccess and newValue=0. This request disables the authentication protection mechanism by setting the protectAccess attribute to zero, thereby removing all access controls from the system. The vulnerability is a critical security flaw that directly violates the principle of least privilege and the device's authentication requirements. Under CWE-306 this weakness falls into the category of missing authentication for a critical function, and it also aligns with CWE-287, which covers improper authentication. The attack vector is particularly dangerous because it allows remote exploitation without any prior authentication credentials, making it reachable by attackers anywhere on the network.

The operational impact of this vulnerability is severe and far-reaching within industrial control systems and building automation environments where Touchpad/Trivum devices are commonly deployed. Once it is successfully exploited, attackers gain complete administrative access to the device without any authorization requirements, enabling them to modify system configurations, access sensitive data, or potentially disrupt critical operations. This vulnerability particularly affects environments where these devices control access systems, lighting controls, or other building management functions. The attack requires minimal technical expertise and can be executed through simple web requests, making it highly attractive to malicious actors. From an attack framework perspective, this vulnerability maps directly to the ATT&CK technique T1078, which covers valid accounts usage, and T1566, which covers credential harvesting through social engineering or direct exploitation. The device's web interface becomes completely compromised, allowing attackers to establish persistent access and potentially use the device as a foothold for further network penetration.

Mitigation strategies for this vulnerability should focus on immediate network segmentation and access control measures. Organizations should implement strict firewall rules to restrict access to the affected device's web interface, ensuring only authorized personnel can reach the system. Network monitoring should be enhanced to detect unusual GET requests targeting the vulnerable endpoint, particularly those with attribute modifications. The most effective remediation involves updating to a firmware version that properly validates authentication before allowing system attribute changes. Until such updates are available, network administrators should consider disabling the web interface entirely or implementing additional authentication layers such as IP whitelisting or VPN access controls. Security teams should also conduct comprehensive audits of all industrial control systems to identify similar vulnerabilities in other networked devices. The vulnerability highlights the critical importance of secure configuration management and proper authentication implementation in embedded systems, particularly those controlling physical access or operational technology environments where unauthorized access could lead to significant operational disruptions or safety hazards.
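The detection measure described above (monitoring for GET requests that modify attributes through the vulnerable endpoint) can be implemented as a small log scanner. The following is an added example written for this page, not code from VulDB or from the device vendor. It assumes the web interface's requests are visible in a reverse-proxy or firewall access log in Common Log Format; the sample log lines, IP addresses and timestamps are constructed for illustration and are not real traffic.

```python
"""Flag requests that change attributes via /xml/system/setAttribute.xml.

Any call to this endpoint is worth a medium-severity alert, because the
affected firmware does not authenticate it. A call that sets
protectAccess to 0 is the exact request from CVE-2018-13862 and is
escalated to critical.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2018:10:01:02 +0000] "GET /xml/system/getAttribute.xml?id=0&attr=name HTTP/1.1" 200 231
203.0.113.7 - - [17/Jul/2018:10:01:05 +0000] "GET /xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0 HTTP/1.1" 200 12
192.0.2.10 - - [17/Jul/2018:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 4021
203.0.113.7 - - [17/Jul/2018:10:02:30 +0000] "GET /xml/system/setAttribute.xml?id=0&attr=deviceName&newValue=lobby HTTP/1.1" 200 12
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory; the path is taken from the CVE description.
VULN_PATH = "/xml/system/setAttribute.xml"


def classify(line):
    """Return an alert dict for a suspicious log line, or None if it is benign."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs returns lists; take the first value of each parameter.
    query = parse_qs(parts.query)
    attr = query.get("attr", [""])[0]
    new_value = query.get("newValue", [""])[0]
    if attr == "protectAccess" and new_value == "0":
        severity = "critical"
        reason = "protectAccess set to 0: authentication disabled (CVE-2018-13862)"
    else:
        severity = "medium"
        reason = f"attribute '{attr}' modified via unauthenticated endpoint"
    return {
        "src": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "attr": attr,
        "severity": severity,
        "reason": reason,
    }


def scan(log_text):
    """Scan a block of log text and return the list of alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['time']} {alert['src']} -> {alert['reason']}")
```

The scanner alerts on every write to the endpoint rather than only on the protectAccess case, since the underlying defect is the absence of authentication on the whole setAttribute.xml handler; the protectAccess/newValue=0 combination is simply the one that removes access control outright. A response status of 200 on the critical alert is the signal that the change was accepted and the device should be treated as compromised until its firmware is updated and the setting is restored.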

Reservation

07/10/2018

Disclosure

07/17/2018

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.50601

KEV

no

Activities

very low

Sources
