CVE-2024-26153
📋 TL;DR
CVE-2024-26153 is a CSRF vulnerability in ETIC Telecom Remote Access Server (RAS) that allows attackers to trick authenticated users into submitting malicious configuration requests. This can cause denial of service on affected devices. Organizations using ETIC Telecom RAS versions before 4.9.19 are affected.
💻 Affected Systems
- ETIC Telecom Remote Access Server (RAS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device denial of service, rendering the remote access server unavailable and disrupting connectivity for all users.
Likely Case
Temporary service disruption requiring device reboot or configuration restoration.
If Mitigated
No impact if proper CSRF protections are implemented or if the device is not internet-facing.
🎯 Exploit Status
Requires social engineering to trick authenticated users into visiting malicious web pages. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.19
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01
Restart Required: No
Instructions:
1. Download ETIC Telecom RAS version 4.9.19 or later from the vendor.
2. Back up the current configuration.
3. Apply the update through the device's web interface or management console.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Implement CSRF Protection
- Applies to: all
- Add CSRF tokens to all state-changing requests in the web interface
- Custom implementation required; not a simple command
Network Segmentation
- Applies to: all
- Restrict access to the RAS management interface to trusted networks only
- Use firewall rules to limit access to specific IP ranges
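To make the "Implement CSRF Protection" workaround concrete, here is an added illustration (not code from ETIC Telecom or from this page) of what the protection looks like on the server side: a setconf-style handler that accepts any authenticated POST, beside a hardened version that requires a per-session synchronizer token and a trusted Origin/Referer. The handler names, the Session class, the form layout and the host name ras.internal-domain.example are assumptions made for the example; the device's real request format is not on this page.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed management-interface host (placeholder, not from the advisory)
ALLOWED_HOSTS = {"ras.internal-domain.example"}


class Session:
    """Minimal stand-in for an authenticated browser session (assumption)."""

    def __init__(self):
        # One unpredictable token per session, embedded in each config form
        self.csrf_token = secrets.token_urlsafe(32)
        self.config = {}


def handle_setconf_unprotected(session, headers, form):
    """Vulnerable pattern: any POST from an authenticated browser is applied,
    so a cross-site form submitted by a lured user changes the config."""
    session.config.update(form)
    return 200


def origin_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """Accept only requests whose Origin (or, failing that, Referer) names a
    trusted host. Fail closed when the browser sends neither header."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    host = urlparse(source).hostname
    return host is not None and host.lower() in allowed_hosts


def handle_setconf_protected(session, headers, form):
    """Hardened handler: synchronizer token plus Origin/Referer check."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a foreign page cannot read the token
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    if not origin_allowed(headers):
        return 403
    session.config.update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200


def demo():
    """Replay one cross-site POST and one legitimate POST against both handlers."""
    s = Session()
    # Constructed cross-site request: the lure page cannot supply the token
    # and the browser reports the attacker's site as Origin
    xs_headers = {"Origin": "https://attacker.example"}
    xs_form = {"admin_password": "changed"}
    # Constructed legitimate request from the device's own config page
    ok_headers = {"Origin": "https://ras.internal-domain.example"}
    ok_form = {"admin_password": "newvalue", "csrf_token": s.csrf_token}
    return {
        "unprotected_cross_site": handle_setconf_unprotected(Session(), xs_headers, dict(xs_form)),
        "protected_cross_site": handle_setconf_protected(s, xs_headers, dict(xs_form)),
        "protected_legit": handle_setconf_protected(s, ok_headers, dict(ok_form)),
        "config_after": dict(s.config),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token check alone already defeats the cross-site submission; the Origin/Referer check is a second, independent layer that also rejects requests arriving with neither header, which a browser-initiated same-site POST would not omit.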
🧯 If You Can't Patch
- Isolate the RAS device from internet access and restrict management interface to internal trusted networks only
- Implement web application firewall (WAF) rules to detect and block CSRF attempts
🔍 How to Verify
Check if Vulnerable:
Check the device version in the web interface or via SSH. If version is below 4.9.19, the device is vulnerable.
Check Version:
Via the web interface: Login > System > About. Or via SSH: show version (the exact command is vendor-specific and may vary).
Verify Fix Applied:
Verify the device version shows 4.9.19 or higher after applying the update.
📡 Detection & Monitoring
Log Indicators:
- Multiple 'setconf' method requests from unusual sources
- Configuration changes without corresponding user authentication logs
Network Indicators:
- HTTP POST requests to /setconf endpoint with suspicious referer headers
- Traffic patterns showing users accessing device after visiting external sites
SIEM Query:
source="etic_ras" AND (method="POST" AND uri="/setconf") AND referer NOT CONTAINS "internal-domain"
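As an added example (not part of the original page), the logic of the SIEM query above expressed in Python and run over a few constructed log lines. The log line format, the field names and the internal host name ras.internal-domain.example are assumptions; ETIC Telecom's actual log format is not documented here. The example goes slightly beyond the query by also flagging setconf POSTs with no Referer at all, since browsers can suppress the header and a check that only matches "not internal" would miss those.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from the product). Assumed format:
# <timestamp> <client_ip> <user> <method> <uri> referer="<url or ->"
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z 10.0.5.12 admin POST /setconf referer="https://ras.internal-domain.example/config"
2024-03-01T10:02:17Z 10.0.5.12 admin POST /setconf referer="https://attacker.example/lure.html"
2024-03-01T10:02:18Z 10.0.5.12 admin POST /setconf referer="-"
2024-03-01T10:05:00Z 10.0.5.40 ops GET /status referer="https://ras.internal-domain.example/"
2024-03-01T10:06:00Z 10.0.5.41 ops POST /login referer="-"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) referer="(?P<referer>[^"]*)"$'
)

# Assumed management-interface host; the query's "internal-domain"
TRUSTED_HOSTS = {"ras.internal-domain.example"}


def referer_is_trusted(referer, trusted_hosts=TRUSTED_HOSTS):
    """True only when the Referer is present and names a trusted host."""
    if referer in ("", "-"):
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in trusted_hosts


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_setconf(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return POST /setconf records whose Referer is missing or not internal,
    mirroring: method="POST" AND uri="/setconf" AND referer NOT internal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["uri"].split("?", 1)[0] != "/setconf":
            continue
        if referer_is_trusted(rec["referer"], trusted_hosts):
            continue
        reason = "missing referer" if rec["referer"] in ("", "-") else "external referer"
        hits.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
            "referer": rec["referer"], "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_setconf(SAMPLE_LOGS):
        print(hit)
```

Referer-based matching is a triage signal rather than proof: the header can be stripped by browser or proxy policy, so pair these hits with the page's other indicator, configuration changes that have no matching interactive session activity, before treating them as confirmed abuse.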