Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
An attacker remotely, without authentication and without user interaction, sends a request to the device's API containing an unexpected value for the locale parameter. This causes malfunction of the device's Web UI. The network attack vector and lack of any prerequisites make this vulnerability trivially exploitable from any network location. CWE-730 indicates a possible issue with regular expressions vulnerable to catastrophic backtracking or similar input processing mechanism.
An attacker can cause serious malfunction of the device's Web UI, potentially resulting in loss of availability, integrity, and confidentiality of both the device itself and associated systems — in accordance with the maximum values of the CVSS 4.0 vector.
Patches available from the manufacturer should be applied in accordance with references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to restrict network access to the Web UI and API of devices to trusted hosts only and implement network segmentation.
Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4
Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4