Loxone Smart Home Miniserver < 6.3 Multiple Vulnerabilities

medium Nessus Plugin ID 81810

Synopsis

The remote device is affected by multiple vulnerabilities.

Description

According to its banner, the remote Loxone Smart Home Miniserver device is a version prior to 6.3. It is, therefore, affected by multiple vulnerabilities :

- An information disclosure vulnerability exists due to the device transmitting all data in cleartext. A remote man-in-the-middle attacker can read the transmitted data, resulting in the disclosure of device credentials.

- A cross-frame scripting vulnerability exists due to improper restriction of JavaScript from one web page accessing another when the page originates from different domains. A remote attacker can exploit this to use one web page to load content from another, concealing the origin of a web site.

- A cross-site request forgery (XSRF) vulnerability exists due to improper validation of HTTP requests.

- An HTTP response splitting vulnerability exists due to a failure to properly validate input appended to the response header. This allows an attacker to insert arbitrary HTTP headers to manipulate cookies and authentication status.

- Multiple reflected cross-site scripting vulnerabilities exist due to improper validation of HTTP requests.

- A stored cross-site scripting vulnerability exists due to improper validation of the content in the description field of a new task.

- An information disclosure vulnerability exists due to the program storing user credentials in an insecure manner. The credentials are encrypted, but the key used for their decryption may be requested without authentication.

- Multiple denial of service vulnerabilities exist that can be exploited via SYN floods and malformed HTTP requests.

Note that Nessus has not tested for these issues but has instead relied only on the devices's self-reported version number.

Solution

Upgrade the Loxone Smart Home Miniserver firmware to version 6.3 or later.

Note that the two information disclosure vulnerabilities still exist in firmware version 6.3. We are currently unaware of a solution for these issues.

See Also

http://www.nessus.org/u?d49071d7

https://seclists.org/fulldisclosure/2015/Feb/99

Plugin Details

Severity: Medium

ID: 81810

File Name: loxone_smart_home_miniserver_6_3.nasl

Version: 1.8

Type: remote

Family: Misc.

Published: 3/13/2015

Updated: 1/2/2019

Supported Sensors: Nessus

Vulnerability Information

CPE: x-cpe:/h:loxone:smart_home_miniserver

Required KB Items: installed_sw/Loxone Smart Home Miniserver

Exploit Ease: No known exploits are available

Patch Publication Date: 2/25/2015

Vulnerability Publication Date: 2/27/2015

Reference Information

BID: 72804