Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices

Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.

Read more…

Remote code execution and elevation of local privileges in Mitel Unify OpenStage and OpenScape VoIP phones

During a research project, Pentagrid identified multiple vulnerabilities in the OpenStage and OpenScape VoIP phone series. The combination of insecure defaults and implementation weaknesses allows a remote compromise and the elevation of privileges for a network-local attacker on phones with an unhardened default configuration. Compromising a phone does not only allow to wiretap phone calls, but could also be abused to access microphones for listening to rooms. The vulnerabilities affect a wide range of devices. Pentagrid assumes that many small companies don't use a hardened configuration and are likely affected.

Read more…

Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification

Today, basically every e-mail provider supports TLS for their services and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries require passing a magic parameter in the right way to use secure communication. If one has just read the summary on Stackoverflow, read a tutorial that does not mention security settings, or asked ChatGPT not specifically enough, it results in programs that do not defeat active attackers in a machine-in-the-middle (MITM) position. Our journey started, when we wrote an e-mail monitoring plugin in Python and ended for the time being with the notification of various open source projects.

Read more…

Persistent cross-site scripting vulnerabilities in Liferay Portal

In 2023 we found multiple vulnerabilities in Liferay Portal, a digital experience platform for enterprise websites. It is a free and open-source software project. A few thousand installations on the Internet not suppressing the Liferay-Portal HTTP response header can be found via special purpose search engines.

The Liferay Portal in the Community Version is the foundation for the web interface of Liechtenstein's electronic health portal. That's the reason we got involved with the portal software – not as a customer pentest project, but out of interest. We wrote a blog post about the Liechtenstein's electronic health portal (blog post is in German). We reported our findings regarding the Liferay Portal to Liferay in order to get them addressed. Now we are releasing technical details about the vulnerabilities.

Read more…

Archive Pwn tool released

When extracting archive formats there are many things that can go wrong. While some unarchiving tools and libraries protect from malicious archives that include path traversal attacks, other might not or at least not in the default configuration. We wrote a tool to create such archives with path traversal attacks in Python.

Read more…

Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346)

Today we publish an advisory for a specific function in Wind River's VxWorks operating system.

VxWorks is a real-time operating system used in many embedded devices in high-availability environments with high safety and security requirements. This includes important industrial, medical, airospace, networking and automotive devices. For example, NASA's Curiosity rover currently deployed on planet Mars is using Wind River's VxWorks operating system.

The vulnerability is triggered when VxWorks' tarExtract function is used on untrusted tar archive files. The official VxWorks advisory can be found on the Wind River website.

Read more…

IT-Sicherheit beim elektronischen Gesundheitsdossier im Fürstentum Liechtenstein

Am 1. Januar 2022 trat im Fürstentum Liechtenstein das Gesetz zum elektronischen Gesundheitsdossier (EGDG) in Kraft. Das elektronische Gesundheitsdossier (eGD) wird für alle 39'000 Bürger eingeführt, welche nicht Widerspruch einlegen und diesem Widerspruch eine Passkopie beilegen. Wir haben uns das genauer angeschaut.

Eine journalistische Aufbereitung unserer Befunde gibt es beim Liechtensteiner Vaterland (Paywall).

Read more…

Multiple vulnerabilities in Aten PE8108 power distribution unit

Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. The PE8108 is an outlet-metered and switched rack-mountable PDU, which means it supports measuring power of connected devices on a per-outlet basis and allows switching individual outlets on and off. The PDU can be controlled, for example, via HTTP/HTTPS and Telnet. Therefore, the PDU provides authentication and supports multiple users with the option to restrict a user's access to certain outlets. During a review, Pentagrid found authorization checks to be broken in several places, which might lead to a compromise of the appliance. Since the main purpose of the PDU is to distribute power to data center components, the main threat is that attackers switch off parts of the infrastructure.

Read more…

Credit card statement disclosure vulnerability in Viseca's eXpense portal

As a security company we try to use services that are solid, trustworthy and secure and therefore we do our due diligence if we find the time for it. Checking products for IT security issues in a non-intrusive way is a part of that. You can call it supply chain security if you like.

To avoid scanning credit card paper statements sent by snail mail every month, Pentagrid was looking for an option to receive them electronically. For our bank though, the only option was to sign up for Viseca's eXpense platform, which allows access to business credit card statements in PDF format. However, uppon login into the portal for the first time, our experienced analyst's gut feeling told us something is not right. For example, the second-factor authentication when doing a login on the eXpense platform was simply typing the last four digits of our telephone number. And that's definitely not state-of-the-art security.

We decided to have a quick look. Our experience in web application security analysis told us that the download function for PDF statements was a good candidate to have a look at. We've seen this kind of functionality fail in many applications before. You may guess, what happened.

Read more…