Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary

Title: Lantronix xPrintServer contains multiple vulnerabilities

Information
Name: VU#785823
Vendor: VU-CERT
First vendor publication: 2016-05-13
Last vendor modification: 2016-05-13
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact subscore: N/A
Exploitability subscore: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#785823

Lantronix xPrintServer contains multiple vulnerabilities

Original Release date: 13 May 2016 | Last revised: 13 May 2016

Overview

The Lantronix xPrintServer and its accompanying cloud storage API contain several vulnerabilities.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-9002

An unauthenticated attacker can include a shell command in the 'c' parameter of an AJAX request to the device; the command is then executed in the context of the device's root user. According to Lantronix, this issue was addressed in version 3.3.0.
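As an added illustration (not code from this note or from Lantronix), the following Python contrasts the CWE-77 shape described above with a hardened dispatcher. Only the parameter name 'c' is taken from the advisory; the operation names, the 'arg' parameter and the argv lists are assumptions. The hardened version treats 'c' as a key into an allowlist, validates any arguments against a strict character set, and passes an argument vector to the process without a shell, so request content can never be interpreted as a command line.

```python
import re
import subprocess
from typing import Dict, List
from urllib.parse import parse_qs

# Added illustration, not Lantronix code. Only the parameter name 'c' comes from the
# advisory; the operation names, the 'arg' parameter and the argv lists are assumptions.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "uptime": ["uptime"],
    "printer_status": ["lpstat", "-p"],   # optional printer name supplied via 'arg'
}
# Arguments may only contain characters that neither a shell nor a common
# command-line tool interprets specially.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_command_line(query_string: str) -> str:
    """The CWE-77 shape described in the advisory: the raw 'c' value becomes part
    of a string handed to a shell. Returned as text here, never executed."""
    c = parse_qs(query_string).get("c", [""])[0]
    return f"/bin/sh -c '{c}'"   # a ';', '|', '`' or '$(' inside c is obeyed by the shell


def build_command(query_string: str) -> List[str]:
    """Hardened form: 'c' selects an allowlisted operation, arguments are validated,
    and the result is an argv list that is passed to execve without a shell."""
    params = parse_qs(query_string, keep_blank_values=True)
    c = params.get("c", [""])[0]
    if c not in ALLOWED_COMMANDS:
        raise ValueError(f"rejected unknown command {c!r}")
    argv = list(ALLOWED_COMMANDS[c])
    for extra in params.get("arg", []):
        if not SAFE_ARG.match(extra):
            raise ValueError(f"rejected argument {extra!r}")
        argv.append(extra)
    return argv


def is_accepted(query_string: str) -> bool:
    """True when the hardened dispatcher would run the request at all."""
    try:
        build_command(query_string)
        return True
    except ValueError:
        return False


def run_command(query_string: str) -> str:
    """Execute the allowlisted argv. shell=False (the default) means metacharacters
    in an argument reach the program as plain bytes and cannot start a second command.
    A real device would also drop root privileges before doing this."""
    argv = build_command(query_string)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed requests: two benign ones and one carrying an injected command.
    for q in ("c=uptime", "c=printer_status&arg=office-1", "c=uptime%3Bid"):
        print(q, "->", "accepted" if is_accepted(q) else "rejected",
              "| string the vulnerable code would hand to the shell:",
              vulnerable_command_line(q))
```

The allowlist is the important part: rejecting by a blocklist of metacharacters is fragile, while mapping the untrusted value onto a fixed set of operations removes the interpretation step entirely.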

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-9003

According to MITRE, "Cross-site request forgery (CSRF) vulnerability in Lantronix xPrintServer allows remote attackers to hijack the authentication of administrators for requests that modify configuration, as demonstrated by executing arbitrary commands using the 'c' parameter in the rpc action". According to Lantronix, this issue was addressed in version 3.3.0.
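The CSRF defence that blocks the request hijacking MITRE describes, written here as an added example rather than the vendor's code: a synchronizer token derived per session with HMAC, checked in constant time, plus a secondary check that any browser-supplied Origin or Referer names the device itself. The device origin reuses the xprintserver.local name from this note; the session id, the csrf_token form field and the header handling are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Added illustration, not Lantronix code. The device origin uses the hostname named in
# the advisory; session id, form field name and header handling are assumptions.
# A real device would generate SERVER_KEY once at first boot and persist it.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_ORIGIN = "http://xprintserver.local"


def csrf_token(session_id: str) -> str:
    """Per-session synchronizer token derived with HMAC, so the server keeps no
    token table: it recomputes the value from the session id on each request."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented: str) -> bool:
    # compare_digest avoids leaking the correct token through timing differences.
    return hmac.compare_digest(csrf_token(session_id), presented)


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Secondary check: browsers attach Origin (or at least Referer) to cross-site
    requests, so a value naming another site identifies a forged request."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN


def authorize_state_change(method: str, headers: Mapping[str, str],
                           form: Mapping[str, str], session_id: str) -> bool:
    """Gate for any request that modifies configuration (the rpc action in this note).
    Requires POST, a token bound to this session and, when the browser sent an
    Origin or Referer, one that names the device itself."""
    if method.upper() != "POST":
        return False   # GET must never change state; it is trivially forgeable
    if not token_valid(session_id, form.get("csrf_token", "")):
        return False
    if ("Origin" in headers or "Referer" in headers) and not origin_allowed(headers):
        return False
    return True


if __name__ == "__main__":
    sid = "session-constructed-0001"
    tok = csrf_token(sid)
    # Legitimate administrator request from the device's own web UI.
    print(authorize_state_change("POST", {"Origin": DEVICE_ORIGIN}, {"csrf_token": tok}, sid))
    # Forged request: the browser carries the admin's cookie (same session id), but the
    # foreign page cannot read the token and the Origin names another site.
    print(authorize_state_change("POST", {"Origin": "http://other-site.example"}, {}, sid))
```

The token check alone is sufficient when every state-changing handler enforces it; the Origin check is defence in depth for handlers that were missed, which is exactly how an rpc endpoint accepting 'c' would have been caught.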

CWE-798: Use of Hard-coded Credentials - CVE-2016-4325

An undocumented account with hard-coded passwords allows an unauthenticated attacker root access to the device. According to Lantronix, this issue was addressed in version 5.0.1-65.

Additionally, the device uses hard-coded default credentials and does not require the user to change them before using the device.

CWE-340: Predictability Problems

The device previously bound itself automatically to the DNS name http://xprintserver.local. An attacker may use this information to launch attacks without knowing the internal IP address of the device. According to Lantronix, this issue was addressed in version 5.0.1-65 by adding the MAC address of the device to the name.

CWE-200: Information Exposure

The xPrintServer connects to remote cloud storage hosted at http://ltrxips1.appspot.com and http://findmyxps.com.

These web applications may expose private information to an unauthenticated attacker. The private information may include file/data uploads, network logs, and the internal IP address of the device. According to Lantronix, this issue was addressed on 5/5/2016 (please see the Resolution below).

CWE-306: Missing Authentication for Critical Function

An unauthenticated user may be able to upload, modify, or delete files from the xPrintServer remote cloud storage. According to Lantronix, this issue was addressed on 5/5/2016 (please see the Resolution below).

The CVSS score below is based on the hard-coded credentials.

Impact

An unauthenticated remote attacker may be able to learn private information about the device's internal network, access or modify the device's configuration or files, or gain root access to the device.

Solution

Apply an update

Lantronix has released firmware version 5.0.1-65 to address these issues. Affected users are encouraged to update as soon as possible.

According to Lantronix, the web applications have been addressed as of 5/5/2016. The diagnostic upload has been partitioned from the site where printer driver files are read. In addition, only select authenticated Lantronix employees are able to read the uploaded files. Only the private IP address is visible using the findmyxps.com service. The findmyxps.com feature can be disabled in version 5.0.0-66 or above in the Web UI under Printers -> Advanced -> check "Disable Internet Services".
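For fleets with mixed firmware, the statements in this note can be turned into a triage check. The following is an added example, not a Lantronix tool: it parses version strings of the forms used here (3.3.0, 5.0.0-66, 5.0.1-65), assumes a missing build number sorts below any explicit one, and reports which of the listed issues are still outstanding for a given installed version, plus whether the Disable Internet Services option exists on it. The cloud-side fixes dated 5/5/2016 are server-side and do not depend on firmware, so they are not included.

```python
import re
from typing import Dict, List, Tuple

# Fix versions exactly as Lantronix states them in this note. The issue labels are
# shortened descriptions written for this example.
FIXES: List[Tuple[str, str]] = [
    ("CVE-2014-9002 command injection via 'c' parameter", "3.3.0"),
    ("CVE-2014-9003 CSRF on configuration requests", "3.3.0"),
    ("CVE-2016-4325 undocumented hard-coded root account", "5.0.1-65"),
    ("predictable xprintserver.local name (MAC address added)", "5.0.1-65"),
]
# First version in which the Disable Internet Services checkbox is available.
DISABLE_INTERNET_SERVICES_MIN = "5.0.0-66"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch[-build]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version {text!r}")
    major, minor, patch, build = m.groups()
    # Assumption: a version without a build number sorts below any explicit build.
    return int(major), int(minor), int(patch), int(build or 0)


def outstanding_issues(installed: str) -> List[str]:
    """Issues from this note that the installed firmware does not yet fix."""
    v = parse_version(installed)
    return [name for name, fixed_in in FIXES if v < parse_version(fixed_in)]


def can_disable_internet_services(installed: str) -> bool:
    return parse_version(installed) >= parse_version(DISABLE_INTERNET_SERVICES_MIN)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[List[str], bool]]:
    """Map device name -> (outstanding issues, cloud feature can be disabled)."""
    return {dev: (outstanding_issues(ver), can_disable_internet_services(ver))
            for dev, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; device names and versions are made up for the example.
    sample = {"print-srv-01": "3.2.0", "print-srv-02": "5.0.0-66", "print-srv-03": "5.0.1-65"}
    for dev, (issues, can_disable) in triage(sample).items():
        print(f"{dev}: {len(issues)} outstanding, disable-internet-services={can_disable}")
        for issue in issues:
            print("   -", issue)
```

Devices that report an empty list still need the cloud feature disabled or the account hygiene checked, since the default-credential finding above has no firmware version attached to it in this note.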

Vendor Information

Vendor      Status     Date Notified   Date Updated
Lantronix   Affected   09 Feb 2016     13 May 2016

CVSS Metrics

Group          Score   Vector
Base           8.3     AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal       6.5     E:POC/RL:OF/RC:C
Environmental  4.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://seclists.org/fulldisclosure/2014/Nov/24
  • https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9002
  • https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9003

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2014-9002, CVE-2014-9003, CVE-2016-4325
  • Date Public: 13 May 2016
  • Date First Published: 13 May 2016
  • Date Last Updated: 13 May 2016
  • Document Revision: 39

Original Source

Url : http://www.kb.cert.org/vuls/id/785823

CWE : Common Weakness Enumeration

%      Id        Name
33 %   CWE-352   Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
33 %   CWE-264   Permissions, Privileges, and Access Controls
33 %   CWE-255   Credentials Management

CPE : Common Platform Enumeration

Type       Description   Count
Hardware                 1

Alert History

Date                   Information
2016-05-14 21:33:13    Multiple updates
2016-05-14 05:22:19    Multiple updates
2016-05-14 00:24:36    First insertion