XENTRY Retail Data Storage v7.8.1 Denial of Service (CVE-2023–23590)

XENTRY Retail Data Storage is affected by denial of service (DoS). To exploit the vulnerability, the unauthorized author must be on the same network as the Retail Data Storage and send commands to restart the device through the api which does not validate the authorization.

When performing an authenticated test on Retail Data Storage, I could see that the ‘About the device’ tab has some functions available for storage management. One of these functions is the restart option, although the function is only available on the authenticated screen, it is possible to send a request through the API for the storage to be restarted, as the API does not validate authorization, allowing anyone, as long as is on the same network as the storage, can restart the device unrestrictedly.

Image 1 — Restart function on authenticated screen.

When intercepting the restart request, it is possible to notice that a request is sent via API and that there is no Authorization header or that uses some type of authentication to validate the authorization to perform this type of action. It is possible to notice that the result of the request is 200 OK, which indicates that the action was performed successfully.

Image 2 — The 200 OK indicates that the action was performed successfully.

Analyzing the activity responses through ping, it is possible to notice that the device stops responding to requests for a certain period and then returns to respond, which indicates that it was unavailable for a period (restarting).

Image 3 — Device stopping responding for a time interval.

The impact of this vulnerability is the interruption of the operation, since this attack can be enhanced and performed intermittently, effectively generating a denial of service.

The device’s IP address was censored due to belonging to a real scenario and in production, even if it is a local address, for security reasons I decided to preserve it.