CVE-2020-14930 in CTROMS Terminal OS Port Portal CT-464
Summary
by MITRE
An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. Account takeover can occur because the password-reset feature discloses the verification token. Upon a getverificationcode.jsp request, this token is transmitted not only to the registered phone number of the user account, but is also transmitted to the unauthenticated HTTP client.
Analysis
by VulDB Data Team • 08/22/2024
This vulnerability resides in the password reset functionality of the BT CTROMS Terminal OS Port Portal CT-464. It is an information exposure in an authentication flow, not an insecure direct object reference: the getverificationcode.jsp endpoint, which starts a password reset, returns the verification token to whoever asked for it.
When a user initiates a password reset, the system generates a verification token that is meant to reach only the phone number registered to the account, so that presenting the token later proves control of that phone. The endpoint sends the token by SMS as intended but also includes it in the HTTP response. Because a password-reset endpoint must by design be reachable without a session, any unauthenticated HTTP client that requests a code for an account receives the same secret the legitimate owner receives out of band, and the phone-based check collapses into a self-service bypass.
This is an improper-authentication weakness, CWE-287: the server trusts a secret that it hands to anyone who asks. An attacker requests a code for a target account through getverificationcode.jsp, reads the token out of the response, and submits it to the reset step to set a new password without ever touching the victim's phone. No credential, session or prior foothold on the device is needed.
The operational impact is full takeover of any account whose identifier the attacker knows or can guess. Since the endpoint needs no authentication, the attack is trivial to script and repeat across every account in the portal, and a compromised account can expose data held in the portal or serve as a foothold for further compromise of the device. The absence of any prior authentication requirement makes the endpoint an obvious target for automated exploitation.
The fix is to never return the verification token to the HTTP client. The response to getverificationcode.jsp should carry only an acknowledgement, and the only copy of the token should be the one delivered to the registered phone number. The server should store the token with a short expiry, consume it on first use so a code cannot be guessed repeatedly, compare it in constant time at the reset step, and return the same response whether or not the supplied account exists so the endpoint cannot be used to enumerate users. Rate limiting per account and per source address, together with monitoring for bursts of getverificationcode.jsp requests, limits both abuse of the reset flow and brute force of short numeric codes. Requiring a session or API key on the endpoint does not fit a password-reset flow, which exists precisely for users who cannot log in. Multi-factor authentication at login adds defence in depth, since an attacker who has reset the password still lacks the second factor. The ATT&CK mapping given for this issue is T1531, Account Access Removal, which covers an adversary changing a victim's credentials so the legitimate user is locked out; it describes the outcome of exploitation, not a remediation.
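The behaviour described above and the corrected flow, modelled as a small Python example added here for illustration (this is not the vendor's JSP code, whose parameter names and response format the advisory does not disclose). The request field names "user" and "code", the response field "verificationCode", the account table, the 6-digit code format, and the expiry and throttle values are all assumptions; the SMS gateway is a stub that records what the account owner would have received.

```python
"""Model of the CT-464 reset-code leak beside a hardened handler.

Illustrative code only, not the vendor's. Requests and responses are plain
dicts; send_sms() is a stub that records what the phone would receive.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300        # assumption: a code is valid for 5 minutes
MAX_REQUESTS_PER_WINDOW = 3   # assumption: per-account throttle
WINDOW_SECONDS = 600

# Constructed account table: username -> registered phone number.
ACCOUNTS = {"alice": "+441632960001", "bob": "+441632960002"}


@dataclass
class ResetStore:
    """Server-side state: pending codes, throttle timestamps, SMS outbox."""
    pending: dict = field(default_factory=dict)      # user -> (code, expires_at)
    attempts: dict = field(default_factory=dict)     # user -> [request times]
    sms_outbox: list = field(default_factory=list)   # (phone, text) delivered


def send_sms(store, phone, text):
    store.sms_outbox.append((phone, text))


def vulnerable_getverificationcode(store, request, now=None):
    """Reported behaviour: the code goes to the phone AND into the response."""
    now = time.time() if now is None else now
    user = request.get("user")
    if user not in ACCOUNTS:
        return {"status": 404, "body": {"error": "no such user"}}
    code = f"{secrets.randbelow(10**6):06d}"
    store.pending[user] = (code, now + CODE_TTL_SECONDS)
    send_sms(store, ACCOUNTS[user], f"Your reset code is {code}")
    # BUG: the out-of-band secret is echoed to an unauthenticated client.
    return {"status": 200, "body": {"sent": True, "verificationCode": code}}


def hardened_getverificationcode(store, request, now=None):
    """Corrected flow: acknowledge only, throttle, and never echo the code."""
    now = time.time() if now is None else now
    user = request.get("user")
    ack = {"status": 200, "body": {"sent": True}}   # identical for unknown users
    if user not in ACCOUNTS:
        return ack
    recent = [t for t in store.attempts.get(user, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        return {"status": 429, "body": {"error": "too many requests"}}
    store.attempts[user] = recent + [now]
    code = f"{secrets.randbelow(10**6):06d}"
    store.pending[user] = (code, now + CODE_TTL_SECONDS)
    send_sms(store, ACCOUNTS[user], f"Your reset code is {code}")
    return ack


def reset_password(store, request, now=None):
    """Second step, shared by both variants: verify the code server-side."""
    now = time.time() if now is None else now
    user = request.get("user")
    entry = store.pending.get(user)
    if entry is None:
        return {"status": 403, "body": {"error": "no pending reset"}}
    code, expires_at = entry
    del store.pending[user]   # one shot: consumed whether or not it matches
    if now > expires_at:
        return {"status": 403, "body": {"error": "code expired"}}
    if not hmac.compare_digest(code, str(request.get("code", ""))):
        return {"status": 403, "body": {"error": "bad code"}}
    return {"status": 200, "body": {"passwordChanged": True}}


def attacker_takeover(handler):
    """Attacker with no access to the phone: replay whatever the response leaks."""
    store = ResetStore()
    resp = handler(store, {"user": "alice"})
    leaked = resp["body"].get("verificationCode")
    if leaked is None:
        return False
    return reset_password(store, {"user": "alice", "code": leaked})["status"] == 200


def legitimate_reset(handler):
    """The real owner reads the code from the SMS that reached the phone."""
    store = ResetStore()
    handler(store, {"user": "alice"})
    _phone, text = store.sms_outbox[-1]
    code = text.split()[-1]
    return reset_password(store, {"user": "alice", "code": code})["status"] == 200


if __name__ == "__main__":
    print("vulnerable: attacker succeeds =", attacker_takeover(vulnerable_getverificationcode))
    print("hardened:   attacker succeeds =", attacker_takeover(hardened_getverificationcode))
    print("hardened:   owner succeeds    =", legitimate_reset(hardened_getverificationcode))
```

The two handlers differ only in what the HTTP response carries and in the throttle; the SMS path and the server-side check are the same, which is the point: the reset remains usable for the account owner while the attacker, who never sees the SMS, is left with nothing to replay.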