LOYTEC Electronics Insecure Transit / Insecure Permissions / Unauthenticated Access

`  
[+] CVE : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382   
[+] Title : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels   
[+] Vendor : LOYTEC electronics GmbH  
[+] Affected Product(s) : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3  
[+] Affected Components : LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels   
[+] Discovery Date : 01-Sep-2021  
[+] Publication date : 03-Nov-2023  
[+] Discovered by : Chizuru Toyama of TXOne networks  
  
  
[Vulnerability Description]  
  
CVE-2023-46380 : Insecure Permissions  
Password change request on the web interface on LOYTEC devices is sent  
in clear text over HTTP, and this allows information theft and account   
takeover via network sniffing.  
  
CVE-2023-46381 : Improper Access Control  
Authentication is missing on the web user interface for the preinstalled   
version of LWEB-802. If there is a project on a device, an unauthenticated   
user could create a new project on a web and access/control a graphical   
interface. An unauthenticated user also could edit or delete a current   
web project, change settings and delete system logs etc...  
http://<IP>:<port>/lweb802_pre/  
  
CVE-2023-46382 : Insecure Permissions  
The web user interface on Loytec devices requires login credentials for   
critical information (Data, Commission, Config, etc...); however, username   
and password information is sent in clear text over HTTP. If anyone sniff   
network traffic, they could easily steal credentials.  
  
  
[Timeline]  
  
01-Sep-2021 : Vulnerabilities discovered  
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)  
07-Oct-2022 : ICS CERT reported to vendor (no response)  
03-Nov-2023 : Public disclosure  
  
`