CVE-2024-26153 Overview
CVE-2024-26153 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting ETIC Telecom Remote Access Server (RAS) firmware versions prior to 4.9.19. The vulnerability exists because the device's web interface accepts setconf method requests without requiring a CSRF token. An unauthenticated external attacker can craft a malicious web page that, when visited by an authenticated user, submits configuration changes to the RAS device. Successful exploitation results in denial of service on the affected industrial remote access device.
Critical Impact
An attacker can force authenticated users to submit unauthorized setconf configuration requests, causing denial of service on ETIC Telecom RAS devices deployed in industrial environments.
Affected Products
- ETIC Telecom Remote Access Server (RAS) firmware versions prior to 4.9.19
- All RAS device models running vulnerable firmware
- Industrial control system (ICS) deployments using ETIC Telecom RAS for remote access
Discovery Timeline
- 2025-01-17 - CVE-2024-26153 published to NVD
- 2025-07-30 - Last updated in NVD database
Technical Details for CVE-2024-26153
Vulnerability Analysis
The vulnerability stems from missing CSRF protection in the ETIC Telecom RAS web management interface. The setconf method handler processes configuration change requests without validating an anti-CSRF token. Any state-changing HTTP request to this endpoint executes if the user's browser carries valid session credentials.
The RAS device serves as a gateway for remote access into industrial networks. Configuration tampering via CSRF can disrupt connectivity between operators and downstream industrial equipment. The attacker does not need network access to the device itself, only the ability to lure an authenticated administrator into loading attacker-controlled content.
Root Cause
The root cause is the absence of synchronizer tokens, double-submit cookies, or SameSite cookie enforcement on requests invoking the setconf method. The web application trusts that any authenticated session cookie presented with a request reflects legitimate user intent. This trust assumption fails when a third-party origin triggers the request through forged HTML forms, JavaScript fetch calls, or image tags.
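To make the trust failure concrete, here is an added, hypothetical model of a setconf-style handler (not ETIC Telecom's code): the "before" applies any change that arrives with a valid session, the "after" adds the Origin/Referer check and synchronizer-token comparison the root cause above says are missing. The device URL, the session layout and the `vpn_enabled` key are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed management URL of the device; replace with the real one.
DEVICE_ORIGIN = "https://ras.example.local"

def setconf_vulnerable(session, headers, form):
    """Before: any request carrying an authenticated session cookie is applied."""
    if not session.get("authenticated"):
        return 401, "login required"
    session["config"].update(form)
    return 200, "applied"

def issue_csrf_token(session):
    """Synchronizer token: random per session, kept server-side, embedded in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is the device itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # browsers send Origin on cross-site POSTs; absence is rejected
    got, want = urlsplit(src), urlsplit(DEVICE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def setconf_hardened(session, headers, form):
    """After: session + origin check + constant-time token match before applying."""
    if not session.get("authenticated"):
        return 401, "login required"
    if not same_origin(headers):
        return 403, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    session["config"].update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200, "applied"
```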
Attack Vector
Exploitation requires an authenticated RAS administrator to visit an attacker-controlled web page or click a crafted link while logged into the device's management interface. The malicious page issues a cross-origin request to the RAS setconf endpoint using the victim's authenticated session. The browser attaches session cookies automatically, and the device processes the configuration change as if it originated from the legitimate user.
The attacker requires no credentials, no network adjacency to the device, and no prior reconnaissance beyond knowledge of the target's RAS deployment. The vulnerability mechanism is described in the CISA ICS Advisory ICSA-22-307-01.
Detection Methods for CVE-2024-26153
Indicators of Compromise
- Unexpected configuration changes on RAS devices that correlate with administrator browsing sessions
- HTTP POST requests to the RAS setconf endpoint with Referer or Origin headers from untrusted domains
- Device availability disruptions following routine administrator web activity
- Requests to the RAS management interface that carry a valid session cookie but a third-party Origin or Referer header
Detection Strategies
- Inspect web proxy and firewall logs for cross-origin requests targeting RAS management URLs
- Monitor RAS device configuration baselines and alert on unauthorized changes to setconf parameters
- Correlate administrator browser activity with configuration change events on industrial devices
- Deploy network intrusion detection signatures matching setconf request patterns from external referrers
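The first two detection strategies can be run over proxy or device access logs. The following added example (not from the advisory or the vendor) parses constructed log lines in an assumed extended layout and flags every setconf request whose Origin or Referer is absent, "null", or not the device host; the device hostname, the `/cgi-bin/setconf` path and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed device hostname; replace with the real management address.
TRUSTED_HOSTS = {"ras.example.local"}

# Constructed sample lines (assumed layout; the real RAS/proxy format will differ):
# <ts> <client_ip> "<method> <path>" <status> "<referer>" "<origin>"
SAMPLE_LOG = """\
2025-01-17T09:12:03Z 10.0.10.21 "GET /index.html" 200 "-" "-"
2025-01-17T09:12:10Z 10.0.10.21 "POST /cgi-bin/setconf" 200 "https://ras.example.local/config.html" "https://ras.example.local"
2025-01-17T09:31:44Z 10.0.10.21 "POST /cgi-bin/setconf" 200 "https://news.example.net/article" "https://news.example.net"
2025-01-17T09:31:45Z 10.0.10.21 "POST /cgi-bin/setconf" 200 "-" "null"
2025-01-17T10:02:00Z 10.0.10.22 "GET /status" 200 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')

def host_of(url):
    """Hostname of a logged URL, or None for '-', 'null' or empty values."""
    return urlsplit(url).hostname if url not in ("-", "null", "") else None

def classify(line):
    """Return (reason or None, parsed fields) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return "unparseable", None
    ts, ip, method, path, status, referer, origin = m.groups()
    rec = {"ts": ts, "ip": ip, "method": method, "path": path,
           "referer": referer, "origin": origin}
    if "setconf" not in path:
        return None, rec
    # Prefer Origin (sent by browsers on cross-site POSTs); fall back to Referer.
    src = origin if origin != "-" else referer
    host = host_of(src)
    if host is None:
        return "setconf request with no usable Origin/Referer", rec
    if host not in TRUSTED_HOSTS:
        return f"setconf request from untrusted origin {host}", rec
    return None, rec

def find_suspicious(log_text):
    """All setconf requests whose Origin/Referer is missing or not the device itself."""
    hits = []
    for line in log_text.splitlines():
        reason, rec = classify(line)
        if reason and rec is not None:
            hits.append((rec["ts"], rec["ip"], reason))
    return hits
```

Each hit pairs a timestamp and client IP with the reason, which is what the correlation step in the third strategy needs.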
Monitoring Recommendations
- Enable verbose audit logging on RAS devices to capture all configuration change requests with source IP and session context
- Forward RAS logs to a centralized SIEM for correlation with administrator endpoint activity
- Alert on RAS configuration changes occurring outside scheduled maintenance windows
- Track web browser activity on engineering workstations that manage industrial devices
How to Mitigate CVE-2024-26153
Immediate Actions Required
- Upgrade ETIC Telecom RAS firmware to version 4.9.19 or later on all affected devices
- Restrict RAS management interface access to dedicated administrative workstations using network segmentation
- Require administrators to log out of RAS management sessions immediately after use
- Review recent RAS configuration changes for signs of unauthorized modification
Patch Information
ETIC Telecom addresses this vulnerability in RAS firmware version 4.9.19. Refer to the CISA ICS Advisory ICSA-22-307-01 for vendor coordination details. Apply firmware updates following standard ICS change management procedures, including device backups and tested rollback plans.
Workarounds
- Isolate RAS management interfaces on dedicated VLANs accessible only through jump hosts
- Use separate browsers or browser profiles for industrial device management to prevent cross-contamination with general web browsing
- Configure browser policies to block third-party cookies and enforce strict SameSite cookie behavior for RAS management sessions
- Implement web filtering on engineering workstations to block access to untrusted external sites during active management sessions
# Example: restrict RAS management access via host firewall (iptables) on a host in front of the interface
# Rule order matters: the ACCEPT for the administrative subnet must precede the catch-all DROP
iptables -A INPUT -p tcp --dport 443 -s 10.0.10.0/24 -j ACCEPT   # 10.0.10.0/24 = administrative workstation subnet
iptables -A INPUT -p tcp --dport 443 -j DROP                      # everything else is dropped
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.