Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets: Posted Nov 28, 2023; Authored by Chizuru Toyama; Loytec LINX-151 with firmware version 7.2.4 and LINX-212 with firmware version 6.2.4 suffer from file disclosure vulnerabilities that leak secrets as well as issues with stories secrets in the clear.; tags | exploit, vulnerability, info disclosure; advisories | CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389; SHA-256 | c8d887d4717b94c1aee40cf1ff1bea9d76d8c987065fd897b45f142808786003; Download | Favorite | View

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets


[+] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  
[+] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers
[+] Vendor                            : LOYTEC electronics GmbH
[+] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4
[+] Affected Components : L-INX Automation Servers
[+] Discovery Date              : 01-Sep-2021
[+] Publication date           : 03-Nov-2023
[+] Discovered by               : Chizuru Toyama of TXOne networks


[Vulnerability Description]

CVE-2023-46386 : Insecure Permissions
'registry.xml' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting registry.xml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46387 : Improper Access Control
'/var/lib/lgtw/dpal_config.zml' file is accessible via file download API. 
 'dpal_config.wbx' which is extracted from 'dpal_config.zml' includes
sensitive configuration information such as smtp client information.  
 Authentication is required to exploit this vulnerability.
https://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal_config.zml

CVE-2023-46388 : Insecure Permissions
'dpal_config.wbx' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting dpal_config.zml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46389 : Improper Access Control
'/tmp/registry.xml' file is accessible via file download API. 
 'registry.xml' includes device configuration information which includes
sensitive information such as smtp client information. Authentication is
required to exploit this vulnerability.
https://<IP>:<port>/DT?filename=/tmp/registry.xml


[Timeline]

01-Sep-2021 : Vulnerabilities discovered
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
07-Oct-2022 : ICS CERT reported to vendor (no response)
03-Nov-2023 : Public Disclosure

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Share This

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems