lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 15 Jun 2016 20:52:59 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Papouch TME Temperature & Humidity Thermometers - Multiple
	Vulnerabilities

+++++
*Vulnerable Products*
1. Papouch TME Ethernet thermometer
2. Papouch TME multi: Temperature and humidity via Ethernet

*All versions affected*

*TME - Ethernet Thermometer*
http://www.papouch.com/en/shop/product/tme-ip-ethernet-thermometer/

*TME multi: Temperature and humidity via Ethernet*
http://www.papouch.com/en/shop/product/tme-multi-temperature-humidity-via-ethernet/


*Vulnerability Details*

*1. Weak Credentials Management*

Device have three security levels – user (temperature viewing) and
administrator (configuration), superadmin (sensor calibration). Each level
has own password.

*Issue*
According to device manual, Superadmin password cannot be cleared. The
default password is 1234. This level allows you to access all settings
including sensor calibration.

-> The application does not allow/enforce a mandatory, password change from
default to strong password values.


*2. Authentication Issues & Sensitive Information Leakage*

By default, password authentication is not enabled on Telnet access. Telnet
service runs on TCP 9999. Telnet to 9999t drops in setup mode and gives
access to device configuration.

Configuration reveals administrative password in clear-text without any
authentication. Anyone can then use this password to gain administrative
access to the device.

-> Telnet access must have authentication enabled by default, a mandatory
password change must be enforced, and any login passwords and SNMP
community strings must be hidden/masked/censured.

*3. Vulnerable to Cross-Site Request Forgery*

In Device Management portal, there is no CSRF Token generated per page and
/ or per (sensitive) function. Successful exploitation of this
vulnerability can allow silent execution of unauthorized actions on the
device such as configuration parameter changes, and saving modified
configuration.

*Overall Impact*
AFAIK, these products are typically used for monitoring temperatures in
Data Center, Fuel Tanks, Heating system monitoring, AC failure monitoring,
or performing Food / grain storage temperature monitoring etc. Therefore,
impact due to device compromise can be severe depending upon the utility &
environment where they are deployed.

+++++
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ