EUVD-2018-19010

Malware in sbrugna...

CVE-2018-7276

An issue was discovered on Lutron Quantum BACnet Integration 2.0 firmware 3.2.243 devices. Remote attackers can obtain potentially sensitive information via a /DbXmlInfo.xml request, as demonstrated by the Latitude/Longitude of the device...

Lutron Devices Default Credentials (Telnet)

Lutron devices have default admin credentials that cannot be changed. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2018-11629

Default and unremovable support credentials user:lutron password:integration allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not...

Design/Logic Flaw

DISPUTED Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because...

Design/Logic Flaw

DISPUTED Default and unremovable support credentials user:lutron password:integration allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this ...

CVE-2018-11681

Default and unremovable support credentials user:nwk password:nwk2 allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a...

CVE-2018-11682

Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can...

Design/Logic Flaw

DISPUTED Default and unremovable support credentials user:nwk password:nwk2 allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not bei...

CVE-2018-11681

Default and unremovable support credentials user:nwk password:nwk2 allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a...

CVE-2018-11682

The CVE entries describe default and unremovable credentials enabling Telnet access to IoT devices using Lutron integration protocols (Stanza/HomeWorks QS HomeWorks/Lutron RadioRA 2) with Revision M–Y. The root cause cited is preserved credentials that cannot be changed, allowing attackers to gai...

CVE-2018-11681

Default and unremovable support credentials user:nwk password:nwk2 allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a...

CVE-2018-11629

CVE-2018-11629 affects Lutron HomeWorks QS devices using the HomeWorks QS integration protocol (Rev M–Y). The issue arises from default, unremovable credentials (user: lutron, password: integration) that permit Telnet access and full admin-like control of the IoT device. Exploitation appears to e...

CVE-2018-11681

CVE-2018-11681 : The connected OpenVAS entry confirms a vulnerability in Lutron devices using the RadioRA 2 integration protocol (Revision M–Y) where default credentials (user: nwk, pass: nwk2) provide full superuser access via Telnet. This allows complete control of the IoT device over the netwo...

CVE-2018-11682

Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can...

CVE-2018-11682

Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can...

PT-2018-10747 · Lutron · Stanza Lutron Integration Protocol

Name of the Vulnerable Software and Affected Versions: Stanza Lutron integration protocol versions Revision M through Revision Y Description: The issue allows attackers to gain total super user control of an IoT device through a TELNET session. This is made possible by default and unremovable...

PT-2018-10714 · Lutron · Homeworks Qs

Name of the Vulnerable Software and Affected Versions: HomeWorks QS Lutron integration protocol versions Revision M through Revision Y Description: The issue allows attackers to gain total super user control of an IoT device through a TELNET session. Default and unremovable support credentials ar...

PT-2018-10746 · Lutron · Lutron Radiora 2

Name of the Vulnerable Software and Affected Versions: Lutron RadioRA 2 versions Revision M through Revision Y Description: The issue allows attackers to gain total super user control of an IoT device through a TELNET session. Default and unremovable support credentials are used, with the usernam...

Lutron Quantum BACnet Integration Information Disclosure Vulnerability

Lutron Quantum BACnet Integration is a lighting control system from Lutron Electronics, USA. A security vulnerability exists in Lutron Quantum BACnet Integration version 2.0 using firmware version 3.2.243, which stems from the program not properly verifying a user's request before displaying...