lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 3 Nov 2023 05:44:39 +0000
From: Chizuru Toyama <chizuru_toyama@...ne.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2023-46380, CVE-2023-46381,
 CVE-2023-46382] Multiple vulnerabilities in Loytec products


[+] CVE                                 : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382 
[+] Title                                : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels 
[+] Vendor                           : LOYTEC electronics GmbH
[+] Affected Product(s)     : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3
[+] Affected Components : LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels 
[+] Discovery Date             : 01-Sep-2021
[+] Publication date           : 03-Nov-2023
[+] Discovered by               : Chizuru Toyama of TXOne networks


[Vulnerability Description]

 CVE-2023-46380 : Insecure Permissions
 Password change request on the web interface on LOYTEC devices is sent
 in clear text over HTTP, and this allows information theft and account 
 takeover via network sniffing.

 CVE-2023-46381 : Improper Access Control
 Authentication is missing on the web user interface for the preinstalled 
 version of LWEB-802. If there is a project on a device, an unauthenticated 
 user could create a new project on a web and access/control a graphical 
 interface. An unauthenticated user also could edit or delete a current 
 web project, change settings and delete system logs etc...
 http://<IP>:<port>/lweb802_pre/

 CVE-2023-46382 : Insecure Permissions
 The web user interface on Loytec devices requires login credentials for 
 critical information (Data, Commission, Config, etc...); however, username 
 and password information is sent in clear text over HTTP. If anyone sniff 
 network traffic, they could easily steal credentials.


[Timeline]

 01-Sep-2021 : Vulnerabilities discovered
 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
 07-Oct-2022 : ICS CERT reported to vendor (no response)
 03-Nov-2023 : Public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists