Silex USB Device Server Web Configuration Page Empty Password

Critical: Nessus Plugin ID 72885

Synopsis

The remote web service is protected using an empty password.

Description

The Web Configuration Page of the remote Silex USB Device Server, which is used to manage the device, is protected by an empty password. Knowing this, an attacker with access to the web server can gain administrative access to the device.

Note that the device's Web Configuration Page uses host-based authentication. If a login has already been established from the same host as the scanner, this plugin will not be able to test for the credentials.

Note also that the service supports only one session at a time. Any login attempts from a different host while a session is active will fail, even when the credentials are valid, which will result in false negatives.

Solution

Assign a strong password.

Plugin Details

Severity: Critical

ID: 72885

File Name: silex_web_configuration_default_creds.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 3/7/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: x-cpe:/a:silex:web_configuration_page

Excluded KB Items: global_settings/supplied_logins_only