ITEM | Comment |
---|---|
Software | AXESS Auto Configuration Server |
Vendor | Axiros GmbH |
Version | From 3.11.0, 4.0.0 and 5.0.0 to 5.2.0 |
Type of Issue | Denial of Service |
CWE | CWE-20 |
CVE | CVE-2024-56316 |
OWASP | Input Validation Testing |
Roles affected | All |
CVSS | High – 7.5 |
Credits | Christian Becker & Thore Imhof from Y-Security |
What is an Auto-Configuration Server?
An Auto-Configuration Server (ACS) manages networked equipment using the TR-069 protocol for remote configuration, monitoring, and troubleshooting. Service providers and enterprises rely on ACS to manage and configure millions of devices, such as routers, modems, and other customer-premises equipment (CPE).
A key function of the ACS is to configure routers to enable internet access for end users, ensuring seamless connectivity. By automating tasks like device provisioning, firmware upgrades, and fault resolution, ACS simplifies network management. As a critical component in modern network infrastructure, the ACS ensures the reliable performance and security of managed devices.
Vulnerability
The Axiros AXESS ACS (Auto Configuration Server) is an industry flagship software application used around the world by premier telecommunications and broadband service providers. It allows state of the art management of customer premise equipment (CPE) with Broadband Forum-compliant CWMP (TR-069), User Service Platform (USP) (TR-369) and other open management protocols. (Product description from https://www.axiros.com/products/axess-acs)
In AXESS ACS (Auto Configuration Server) from 3.11.0, 4.0.0 and 5.0.0 to 5.2.0, unsanitized user input in the TR-069 API allows remote unauthenticated attackers to cause a permanent Denial of Service via crafted TR-069 INFORM requests on either TCP port 9675 or 7547.
Resolving the Denial of Service condition requires manual intervention by a technician or administrator, as rebooting the server or service alone will not suffice.
Mitigation & Recommendation
It is unknown if the vulnerability has been successfully remediated in the latest version available.
Y-Security confirmed that a hotfix was made available for a single instance of the product and that our initial exploit payload no longer works against it.
We closely follow the OWASP guidelines when performing penetration tests, and we recommend following the OWASP Input Validation Cheat Sheet to mitigate input validation vulnerabilities.
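As an added illustration of the allow-list input validation the recommendation above points to, the following Python pre-filter checks a CWMP (TR-069) Inform request before it reaches session handling. It is example code written for this page, not Axiros code, and it does not reproduce the CVE-2024-56316 trigger, which the advisory does not publish. The DeviceId length limits follow the DeviceIdStruct definition in TR-069; the character classes, the count caps and the sample message are assumptions chosen for the example.

```python
"""Allow-list validation of a CWMP (TR-069) Inform request (illustrative only)."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_PREFIX = "urn:dslforum-org:cwmp-1-"   # cwmp-1-0 .. cwmp-1-4 share this prefix

MAX_BODY_BYTES = 64 * 1024   # assumed cap for one Inform message
MAX_EVENTS = 64              # assumed cap on EventStruct entries
MAX_PARAMS = 256             # assumed cap on ParameterValueStruct entries
MAX_VALUE_LEN = 4096         # assumed cap on a single parameter value

# Lengths per TR-069 DeviceIdStruct; character classes are assumptions.
DEVICE_ID_RULES = {
    "Manufacturer": re.compile(r"^[\x20-\x7e]{1,64}$"),
    "OUI": re.compile(r"^[0-9A-F]{6}$"),
    "ProductClass": re.compile(r"^[\x20-\x7e]{0,64}$"),
    "SerialNumber": re.compile(r"^[A-Za-z0-9_.:-]{1,64}$"),
}
# "0 BOOTSTRAP", "6 CONNECTION REQUEST", "M Reboot", "X 001122 Vendor" (assumed shape)
EVENT_CODE_RE = re.compile(r"^(\d{1,2} [A-Z ]{1,40}|M [A-Za-z]{1,32}|X [0-9A-F]{6} \S{1,64})$")
PARAM_NAME_RE = re.compile(r"^(Device|InternetGatewayDevice)\.[A-Za-z0-9_.]{1,255}$")


def _local(tag):
    """Split an ElementTree tag '{ns}name' into (ns, name)."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag


def validate_inform(body: bytes):
    """Return (True, 'ok') if the Inform stays inside the allow-list, else (False, reason).

    Every check fails closed: anything not explicitly permitted is rejected."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "not a SOAP envelope"
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return False, "Body must carry exactly one RPC"
    rpc = soap_body[0]
    ns, name = _local(rpc.tag)
    if name != "Inform" or not ns.startswith(CWMP_PREFIX):
        return False, "RPC is not a CWMP Inform"

    # DeviceId: exactly the four mandatory fields, each matching its pattern.
    device_id = rpc.find("DeviceId")
    if device_id is None:
        return False, "DeviceId missing"
    seen = {}
    for child in device_id:
        _, field = _local(child.tag)
        rule = DEVICE_ID_RULES.get(field)
        if rule is None or field in seen:
            return False, f"unexpected or duplicate DeviceId field {field!r}"
        text = child.text or ""
        if not rule.fullmatch(text):
            return False, f"DeviceId.{field} outside allow-list"
        seen[field] = text
    if set(seen) != set(DEVICE_ID_RULES):
        return False, "DeviceId incomplete"

    # Events: bounded count, each code of a known shape.
    events = rpc.findall("Event/EventStruct")
    if not 1 <= len(events) <= MAX_EVENTS:
        return False, "Event count outside allow-list"
    for ev in events:
        code = ev.findtext("EventCode") or ""
        if not EVENT_CODE_RE.fullmatch(code):
            return False, f"EventCode {code!r} outside allow-list"

    # Parameters: bounded count, data-model path names, bounded value size.
    params = rpc.findall("ParameterList/ParameterValueStruct")
    if len(params) > MAX_PARAMS:
        return False, "too many parameters"
    for p in params:
        pname = p.findtext("Name") or ""
        if not PARAM_NAME_RE.fullmatch(pname):
            return False, f"parameter name {pname!r} outside allow-list"
        if len(p.findtext("Value") or "") > MAX_VALUE_LEN:
            return False, f"value of {pname!r} too long"
    return True, "ok"


def build_inform(oui="001122", serial="SN-0001", events=("0 BOOTSTRAP", "1 BOOT"), params=None):
    """Construct a minimal Inform body for testing (sample data, not captured from a real CPE)."""
    if params is None:
        params = {"Device.DeviceInfo.SoftwareVersion": "1.0.0"}
    ev = "".join(f"<EventStruct><EventCode>{e}</EventCode><CommandKey></CommandKey></EventStruct>" for e in events)
    pv = "".join(f"<ParameterValueStruct><Name>{n}</Name><Value>{v}</Value></ParameterValueStruct>"
                 for n, v in params.items())
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:cwmp="urn:dslforum-org:cwmp-1-0">'
        "<soap:Body><cwmp:Inform>"
        f"<DeviceId><Manufacturer>ExampleCo</Manufacturer><OUI>{oui}</OUI>"
        f"<ProductClass>Router</ProductClass><SerialNumber>{serial}</SerialNumber></DeviceId>"
        f"<Event>{ev}</Event><MaxEnvelopes>1</MaxEnvelopes>"
        "<CurrentTime>2025-01-20T00:00:00Z</CurrentTime><RetryCount>0</RetryCount>"
        f"<ParameterList>{pv}</ParameterList>"
        "</cwmp:Inform></soap:Body></soap:Envelope>"
    ).encode()


if __name__ == "__main__":
    print(validate_inform(build_inform()))                       # (True, 'ok')
    print(validate_inform(build_inform(oui="00ZZ22")))           # rejected: OUI not hex
    print(validate_inform(build_inform(serial="A" * 200)))       # rejected: serial too long
```

The filter is deliberately placed in front of the ACS request handler: a message that fails it is dropped with a reason suitable for logging, so a flood of malformed Inform requests on port 7547 or 9675 shows up as a countable rejection event rather than as an outage of the session layer.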
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclose the vulnerability.
Disclosure Timeline
DATE | COMMENT |
---|---|
16.09.2024 | Y-Security discovered security vulnerability & communicated to client |
17.09.2024 | Y-Security reported issue to Axiros GmbH |
17.09.2024 | Axiros GmbH opened bug |
21.10.2024 | Axiros GmbH reproduced & acknowledged issue |
22.10.2024 | Axiros GmbH released a hotfix for a single instance of the product |
22.10.2024 | Y-Security validation of hotfix and request for disclosure |
29.10.2024 | Y-Security & Axiros GmbH vulnerability disclosure call |
20.11.2024 | Y-Security requested update |
10.12.2024 | Vendor released AXESS 5.2.1 without notification |
12.12.2024 | CVE Request |
19.12.2024 | CVE assigned (CVE-2024-56316) |
19.12.2024 | Y-Security informed Axiros GmbH of assigned CVE & Full Disclosure Date |
20.12.2024 | Call with new contact at Axiros GmbH, request to move Full Disclosure Date to June 2025 |
20.12.2024 | Y-Security extended Full Disclosure Date by 32 days |
20.01.2025 | Y-Security disclosed CVE-2024-56316 |
Author
Christian Becker
christian@y-security.de
Y-Security GmbH
20 January 2025