### Critical Vulnerability Information #### Vulnerability Type - **Server-Side Request Forgery (SSRF)** #### Affected Devices and Versions - **Vendor**: Selex s.r.l. - **Product Website**: https://www.selex.com - **Affected Models**: - Targa 512 - Targa 764 - Targa 764 TOM - Targa 805 - Targa 710 ENOX - Targa 750 - Targa 740 L&L - **Firmware Versions**: - BLD20131005214 - BLD20130503745 - BLD200904170901 - BLD200905047031A - BLD20130503945 - BLD101111345435 - BLD101001138146 - BLD101001108140 #### Vulnerability Description - **Issue**: The application parameters `ignotify_address` and `url` are used in POST JSON data to construct internal requests or perform DNS IP notifications. Due to lack of validation on these parameters, attackers can specify external domains and force the application to send HTTP requests to arbitrary target hosts. - **Impact**: Attackers can exploit this vulnerability to bypass firewalls, initiate services, perform network enumeration, and access internal networks through the compromised application. #### Test Environment - **Operating System**: GNU/Linux 3.10.53 (armv7l) - **PHP Version**: 5.6.22 - **Protocol**: HTTP - **Server**: Nginx/1.11.1, SelexCPHttpServer/1.1 #### Discoverer - **Discoverer**: Gjoko 'LiquidWorm' Krstic @ZeroScience #### Advisory Details - **Advisory ID**: ZSL-2021-5637 - **Advisory URL**: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php #### Example Request and Response - **Request Example**: ```http POST /cps/test_url HTTP/1.1 Host: 192.168.1.17 {"url":"http://127.0.0.1:80"} ``` - **Response Example**: ```json {"elapsed_ms": 2,"jpg":"GGD89ue+CjcoZMFRgpo8dGL0NGU+V2VsZWEspOU5N04BYe21cm8BL3RpdGxlPgo3BbNVYSBodmVuXmdLZPSJyZnZyZXNoEiDbjbZ5ZW5PSIwe1YSTDOOhh12S5sodGllzJ4KPC5oZnFPRgu8n98eKT8L23V3HKeCfJwaAMTb3AKcg==","result":"OK"} ``` #### Timestamp - **Release Date**: 07.11.2020