Summary
A security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
Impact
This issue allows changing the configuration and get full access to the web-based configuration interface of the device wich includes all settings like passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or can aid in further attacks on the industrial control process.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| SmartBox 4 LAN | Firmware all version | |
| SmartBox 4 LAN PRO | Firmware all version | |
| LX-Net | Firmware all versions | |
| LX-Q-Net | Firmware all versions | |
| e-litro net | Firmware all versions |
Vulnerabilities
Expand / Collapse allA security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
Mitigation
In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 04.06.2019 15:21 | Initial revision. |
| 2 | 06.11.2024 12:27 | Fix: correct certvde domain, added alias, added self-reference |
| 3 | 10.04.2025 15:00 | Fixed version info using vers:/all |
| 4 | 14.05.2025 15:00 | Fix: added distribution |