Nozomi Networks Labs
The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account.
The login functionality of the application fails to normalize the response times of login attempts performed with incorrect usernames against those performed with correct usernames. A remote unauthenticated attacker could exploit this timing side channel to perform a username enumeration attack and identify valid usernames.
The web application returns an AuthToken that does not expire at the configured auto logoff delay timeout. An attacker may be able to capture this token and re-use old session credentials or session IDs for authorization.
The web application stores the PBKDF2-derived key of users' passwords with a low iteration count. An attacker with the user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2-derived key with a remarkably high cost factor and then attempting a login to the modified account.
The uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.
A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517 allows an attacker to execute commands with SYSTEM privileges.
APC by Schneider Electric Network Management Cards (NMC) Exposure of Sensitive Information to an Unauthorized Actor – CVE-2021-22825
Specific paths of the administration interface are not protected by authentication.
Credentials for the administration interface are hardcoded in the application.
Philips Patient Information Center iX (PIC iX) and Efficia CM Series insecure communication – CVE-2021-43550
The patient data produced by Efficia CM Series monitors and consumed by the PIC iX workstation are encrypted with an insecure scheme.
Philips Patient Information Center iX (PIC iX) patient data backup hardcoded encryption key – CVE-2021-43552
The key used to encrypt patient data backups is hardcoded within the PIC iX workstation.
A network service running on the PIC iX workstation does not correctly validate the input it receives; parsing a malformed packet can trigger a workstation reboot.
An insufficient entropy vulnerability in SESU can allow an attacker to decrypt the SESU proxy password from the registry.
APC by Schneider Electric Network Management Cards (NMC) Cross-Site Scripting (XSS) – CVE-2021-22814
A CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists which could cause arbitrary script execution when a malicious file is read and displayed.
An unauthenticated remote attacker can obtain credentials other than the password and log in to the CPU module.
A user-controlled parameter related to the SMTP test functionality is not correctly validated, making it possible to bypass blocked network recipients.
A user-controlled parameter related to the SMTP test functionality is not correctly validated, making it possible to inject Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
User-controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow, resulting in crashes and data leakage.
A remote attacker can lock out registered users by continuously attempting to log in with an incorrect password.
An attacker that can sniff the traffic when the password for an existing user is changed or a new user is registered can obtain the credentials required to login.
A remote attacker can exploit the authentication protocol to build a username brute-forcer that will reveal the list of registered users.
A parameter in the playback search HTTP request was found to be improperly handled by the server executable, making it possible to trigger a stack-based buffer overflow and execute arbitrary code with the same privileges as the server user (root).
The communication between ThroughTek servers, OEM products embedding the ThroughTek P2P library, and client applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication.
An attacker may prevent legitimate clients from connecting to an affected product by manipulating the link parameter or changing its state.
Mitsubishi Electric recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
Specially crafted packets sent to Port 161/UDP can cause an out of bounds write over the SNMP service requiring a cold restart in order to resume its functionality.
An attacker could prevent Ethernet communication from being established in the affected products by manipulating the link parameter or changing its state.
JTEKT Corporation recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
The communication between Reolink NVRs, P2P servers, and applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication. During the tests, this was observed to contain the P2P credentials.
The Reolink P2P video/audio stream is transmitted without any encryption. Any actor who can access the client/NVR traffic as it traverses the Internet can access its content, with no confidentiality for the parties involved.
Mitsubishi Electric Multiple Factory Automation Engineering Software Products (Update A) – CVE-2020-14496
Successful exploitation of this vulnerability could allow an attacker to escalate privileges and execute malicious programs. This could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.
This vulnerability could cause a denial-of-service condition when reading data with invalid index using Modbus TCP.
An attacker may send large message packages repeatedly to the telnet service, which may create a denial-of-service condition.
An attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition.
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability.
An attacker could exhaust the available connection pool of an affected device by opening a sufficient number of connections to the device.
A remote, unauthenticated threat actor may intentionally send specially-crafted EtherNet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.
Non-administrative users are able to change executable and library files on the affected products.
A specially-crafted DLL file may be placed in the search path and loaded as an internal and valid DLL. This may allow arbitrary code execution.
Improper path validation may allow an attacker to replace executable files.
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources, which may be transferred to devices and executed there by a different user.
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially-crafted files. This may prevent TIA Portal startup (denial-of-service) or lead to local code execution.
GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi Denial of Service – CVE-2018-8867
The device does not properly validate input, which could allow a remote attacker to send specially-crafted packets. This may cause the device to become unavailable.
A remote attacker may take advantage of an improper implementation of the 3-way handshake during a TCP connection, affecting communications with commissioning and service tools. Specially-crafted packets may also be sent to Port 2455/TCP/IP, used by the Codesys management software. This may result in a denial-of-service condition affecting communications with commissioning and service tools.
A stack-based buffer overflow vulnerability caused by sending crafted packets on port 20547 could force the PLC to change its state into halt mode.
Successful exploitation of this vulnerability may render the device unresponsive. A physical reset of the PLC may be required.
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2022 Nozomi Networks, Inc. All Rights Reserved.