1337DAY-ID-39163 (zdt), Chizuru Toyama
Nov 28, 2023 - 12:00 a.m.

Loytec LINX Automation Servers Information Disclosure / Cleartext Secrets Vulnerability

2023-11-28 00:00:00
Chizuru Toyama
0day.today
169
loytec linx automation servers
multiple vulnerabilities
linx-151
firmware 7.2.4
linx-212
firmware 6.2.4
information disclosure
cleartext secrets
insecure permissions
improper access control
vulnerability discovery
trend micro zdi
ics cert
public disclosure
exploit

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.7 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 45.2%)

Loytec LINX-151 with firmware version 7.2.4 and LINX-212 with firmware version 6.2.4 suffer from file disclosure vulnerabilities that leak secrets, as well as issues with storing secrets in the clear.

[+] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  
[+] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers
[+] Vendor                            : LOYTEC electronics GmbH
[+] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4
[+] Affected Components : L-INX Automation Servers
[+] Discovery Date              : 01-Sep-2021
[+] Publication date           : 03-Nov-2023
[+] Discovered by               : Chizuru Toyama of TXOne networks


[Vulnerability Description]

CVE-2023-46386 : Insecure Permissions
The 'registry.xml' file contains hard-coded cleartext credentials for the
SMTP client account. If an attacker succeeds in obtaining the registry.xml file,
the email account could be compromised. The password should be encrypted.

CVE-2023-46387 : Improper Access Control
The '/var/lib/lgtw/dpal_config.zml' file is accessible via the file download API.
'dpal_config.wbx', which is extracted from 'dpal_config.zml', includes
sensitive configuration information such as SMTP client information.
Authentication is required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal_config.zml

CVE-2023-46388 : Insecure Permissions
The 'dpal_config.wbx' file contains hard-coded cleartext credentials for the
SMTP client account. If an attacker succeeds in obtaining the dpal_config.zml file,
the email account could be compromised. The password should be encrypted.

CVE-2023-46389 : Improper Access Control
The '/tmp/registry.xml' file is accessible via the file download API.
'registry.xml' includes device configuration information, which includes
sensitive information such as SMTP client information. Authentication is
required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/tmp/registry.xml
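
For defenders, a log check for the two download requests described above, as an added example that is not part of the original advisory or vendor code. It assumes combined-format access logs from a reverse proxy placed in front of the device; the log lines, addresses, user name and the `/data/trend.csv` path are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Paths named in the advisory (CVE-2023-46387, CVE-2023-46389).
SENSITIVE = {"/var/lib/lgtw/dpal_config.zml", "/tmp/registry.xml"}

# Assumption: combined-log-format lines written by a proxy in front of the device.
LINE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample input (documentation addresses, made-up user).
SAMPLE = [
    '192.0.2.10 - operator [28/Nov/2023:10:00:01 +0000] "GET /DT?filename=/tmp/registry.xml HTTP/1.1" 200 5120',
    '192.0.2.10 - operator [28/Nov/2023:10:00:05 +0000] "GET /DT?filename=%2Fvar%2Flib%2Flgtw%2F..%2Flgtw%2Fdpal_config.zml HTTP/1.1" 200 20480',
    '192.0.2.11 - - [28/Nov/2023:10:01:00 +0000] "GET /DT?filename=/tmp//registry.xml HTTP/1.1" 401 0',
    '192.0.2.12 - operator [28/Nov/2023:10:02:00 +0000] "GET /DT?filename=/data/trend.csv HTTP/1.1" 200 900',
    '192.0.2.12 - operator [28/Nov/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 300',
]

def canon(raw):
    """Undo a second layer of URL-encoding, then collapse //, ./ and ../."""
    return normpath(re.sub(r"/{2,}", "/", unquote(raw)))

def classify(target):
    """Return (severity, normalized filename) for a /DT request, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/DT":
        return None
    # parse_qs already decodes once; canon() handles double-encoding.
    paths = [canon(n) for n in parse_qs(parts.query).get("filename", [])]
    if not paths:
        return None
    hit = next((p for p in paths if p in SENSITIVE), None)
    return ("high", hit) if hit else ("review", paths[0])

def scan(lines):
    """Return (source, user, filename, severity) for every /DT file request."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        hit = classify(m["target"]) if m else None
        if not hit:
            continue
        severity, path = hit
        if severity == "high" and m["status"] != "200":
            severity = "attempt"  # sensitive path requested but not served
        findings.append((m["src"], m["user"], path, severity))
    return findings
```

A `high` finding means the file was served, so the SMTP account credentials stored in it should be treated as exposed and rotated.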


[Timeline]

01-Sep-2021 : Vulnerabilities discovered
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
07-Oct-2022 : ICS CERT reported to vendor (no response)
03-Nov-2023 : Public Disclosure
