Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets: Posted Nov 28, 2023; Authored by Chizuru Toyama; Loytec LINX-151 with firmware version 7.2.4 and LINX-212 with firmware version 6.2.4 suffer from file disclosure vulnerabilities that leak secrets as well as issues with stories secrets in the clear.; tags | exploit, vulnerability, info disclosure; advisories | CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389; SHA-256 | c8d887d4717b94c1aee40cf1ff1bea9d76d8c987065fd897b45f142808786003; Download | Favorite | View

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets


[+] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  
[+] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers
[+] Vendor                            : LOYTEC electronics GmbH
[+] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4
[+] Affected Components : L-INX Automation Servers
[+] Discovery Date              : 01-Sep-2021
[+] Publication date           : 03-Nov-2023
[+] Discovered by               : Chizuru Toyama of TXOne networks


[Vulnerability Description]

CVE-2023-46386 : Insecure Permissions
'registry.xml' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting registry.xml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46387 : Improper Access Control
'/var/lib/lgtw/dpal_config.zml' file is accessible via file download API. 
 'dpal_config.wbx' which is extracted from 'dpal_config.zml' includes
sensitive configuration information such as smtp client information.  
 Authentication is required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal_config.zml

CVE-2023-46388 : Insecure Permissions
'dpal_config.wbx' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting dpal_config.zml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46389 : Improper Access Control
'/tmp/registry.xml' file is accessible via file download API. 
 'registry.xml' includes device configuration information which includes
sensitive information such as smtp client information. Authentication is
required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/tmp/registry.xml


[Timeline]

01-Sep-2021 : Vulnerabilities discovered
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
07-Oct-2022 : ICS CERT reported to vendor (no response)
03-Nov-2023 : Public Disclosure

Top Authors In Last 30 Days

Red Hat 288 files
Ubuntu 53 files
Gentoo 33 files
Debian 24 files
Apple 9 files
malvuln 6 files
nu11secur1ty 5 files
Adam Gowdiak 4 files
Jann Horn 4 files
Google Security Research 4 files

File Archives

Systems

AIX (429)
Apple (2,088)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,048)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,500)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,835)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,947)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,530)
UNIX (9,408)
UnixWare (187)
Windows (6,660)
Other

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Share This

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems