CVE-2023-7328
📋 TL;DR
This vulnerability allows unauthenticated attackers to retrieve user data from Screen SFT DAB 600/C devices via the user management API. It exposes account names and connection metadata including client IP addresses and timeout values. Organizations using affected firmware versions are at risk of information disclosure.
💻 Affected Systems
- Screen SFT DAB 600/C
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map internal network structure, identify user accounts for credential attacks, and gather reconnaissance data for further exploitation.
Likely Case
Unauthenticated information disclosure revealing user accounts and connection patterns, potentially enabling social engineering or targeted attacks.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to the API.
🎯 Exploit Status
Multiple public exploit references exist, including Exploit-DB entry 51460. Simple HTTP requests to the API endpoint can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Contact Screen SFT/D&B Broadcast for firmware updates
2. Check vendor website for security advisories
3. Apply any available firmware patches
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the device's management interface using firewall rules (replace the bracketed placeholders with your values):
```bash
iptables -A INPUT -p tcp --dport [management_port] -s [trusted_networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [management_port] -j DROP
```
API Endpoint Blocking
Block access to the vulnerable user management API endpoint using a web application firewall or reverse proxy:
```nginx
# Example nginx location block
location ~* /api/user {
    deny all;
}
```
🧯 If You Can't Patch
- Isolate affected devices in separate network segments with strict access controls
- Implement network monitoring for unauthorized access attempts to the management API
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to the /api/user endpoint without authentication. If it returns user data, the device is vulnerable.
Check Version:
Check the device web interface or use vendor-specific CLI commands to display the firmware version.
Verify Fix Applied:
Attempt the same unauthenticated request after remediation. It should return an authentication error or no data.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/user endpoint
- Multiple failed authentication attempts followed by API access
Network Indicators:
- Unusual traffic patterns to management interface from untrusted sources
- HTTP GET requests to /api/user without authentication headers
SIEM Query:
source_ip NOT IN trusted_networks AND dest_port=management_port AND uri_path="/api/user" AND http_method="GET"
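As an added example that is not part of this advisory, the following Python detector applies the same logic as the SIEM query above to web server access log lines in combined log format. The log lines and the trusted network 10.0.0.0/8 are constructed assumptions; adjust them to your environment.

```python
import ipaddress
import re

# Constructed sample access log lines (combined log format), not real device logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /api/user HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.42 - - [12/Jan/2024:10:02:15 +0000] "GET /api/user HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.42 - - [12/Jan/2024:10:02:16 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2024:10:03:00 +0000] "GET /api/user/ HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# Assumed trusted management network; adjust to your environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Pull out the fields the SIEM query keys on: source IP, method, URI path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip_str: str) -> bool:
    """True when the source address lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(log_text: str) -> list[dict]:
    """Return GET /api/user requests from untrusted sources; a 200 status means
    the device actually answered with data (the disclosure described here)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in combined log format
        path = m["path"].split("?", 1)[0].rstrip("/")  # drop query string and trailing slash
        if m["method"] != "GET" or path != "/api/user" or is_trusted(m["ip"]):
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "likely_disclosure": m["status"] == "200",
        })
    return hits
```

Requests that returned 200 are the ones where the device handed out user data and should be triaged first; non-200 hits still show someone probing the endpoint from outside the trusted range.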
🔗 References
- https://packetstormsecurity.com/files/172332/
- https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
- https://www.exploit-db.com/exploits/51460
- https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php