Compliance Impact

The vulnerability in GenieACS 1.2.13 allows unauthenticated access to sensitive data such as user password hashes and salts, as well as arbitrary remote code execution on the server. This can lead to complete server compromise, exposing sensitive information and potentially enabling unauthorized data access or manipulation.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, secure authentication mechanisms, and prevention of unauthorized access. The ability for an attacker to retrieve sensitive data and execute arbitrary code without authentication poses a significant risk to data confidentiality and integrity, potentially leading to violations of these regulations.

Useful 0 Not Useful 0

Executive Summary

The vulnerability in GenieACS 1.2.13 involves unauthenticated access to the NBI API endpoint, which allows attackers to exploit a critical sandbox escape and code injection flaw.

By abusing the JavaScript sandbox through prototype chain traversal (using declare.constructor.constructor), an attacker can bypass restrictions and gain access to Node.js core modules like child_process and net.

This enables arbitrary JavaScript execution within the provisioning context, leading to full remote code execution (RCE) on the server without requiring authentication for some attack vectors.

• Unauthenticated retrieval of sensitive data such as user password hashes and salts.
• Ability to create malicious provisions and presets that execute code when triggered by device events.
• Execution of reverse shells and network pivoting from the compromised server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to complete server compromise of the GenieACS provisioning system.

An attacker can execute arbitrary system commands remotely, including spawning reverse shells, which allows full control over the server.

Sensitive information such as user password hashes and salts can be accessed without authentication.

Attackers can create malicious provisioning scripts that run automatically when triggered by device events, potentially spreading the attack or causing further damage.

The vulnerability also enables network pivoting, allowing attackers to move laterally within the network from the compromised server.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the GenieACS NBI API endpoint, particularly on port 7557. You can attempt to access sensitive endpoints such as /users/, /files/, and /provisions/ without authentication to verify if the system is vulnerable.

Suggested commands include using curl or similar HTTP clients to test access:

• curl http://<target-ip>:7557/users/ -v
• curl http://<target-ip>:7557/files/ -v
• curl http://<target-ip>:7557/provisions/ -v

If these endpoints return data without requiring authentication, the system is likely vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting network access to the GenieACS NBI API (port 7557) and ACS interface (port 7547) to trusted hosts only.

Additionally, upgrading GenieACS to a version where this vulnerability is patched (versions later than 1.2.13, such as 1.2.14 or newer) is recommended, although behavior on these versions is unverified.

As a temporary measure, disable or firewall off the NBI API endpoint if it is not required.

Monitor network traffic for suspicious API calls to the NBI endpoints and review provisioning and preset configurations for unauthorized changes.

Useful 0 Not Useful 0