Loxone Smart Home Miniserver < 6.3 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote device is affected by multiple vulnerabilities.

Description :

According to its banner, the remote Loxone Smart Home Miniserver
device is a version prior to 6.3. It is, therefore, affected by
multiple vulnerabilities :

- An information disclosure vulnerability exists due to
the device transmitting all data in cleartext. A remote
man-in-the-middle attacker can read the transmitted
data, resulting in the disclosure of device credentials.
(VulnDB 118940)

- A cross-frame scripting vulnerability exists due to
improper restriction of JavaScript on one web page
accessing another when the pages originate from
different domains. A remote attacker can exploit this to
use one web page to load content from another,
concealing the origin of a web site. (VulnDB 118941)

- A cross-site request forgery (XSRF) vulnerability exists
due to improper validation of HTTP requests. (VulnDB
118942)

- An HTTP response splitting vulnerability exists due to
a failure to properly validate input appended to the
response header. This allows an attacker to insert
arbitrary HTTP headers to manipulate cookies and
authentication status. (VulnDB 118943)

- Multiple reflected cross-site scripting vulnerabilities
exist due to improper validation of HTTP requests.
(VulnDB 118944)

- A stored cross-site scripting vulnerability exists due
to improper validation of the content in the description
field of a new task. (VulnDB 118945)

- An information disclosure vulnerability exists due to
the program storing user credentials in an insecure
manner. The credentials are encrypted, but the key used
for their decryption may be requested without
authentication. (VulnDB 118946)

- Multiple denial of service vulnerabilities exist that
can be exploited via SYN floods and malformed HTTP
requests. (VulnDB 118947)
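The HTTP response splitting item above describes input being appended to a response header without validation. The following Python illustration is added here and is not Loxone firmware code or Tenable's plugin: it places the flawed pattern beside a hardened form that rejects CR, LF and NUL after percent-decoding, and counts header lines so the effect of the missing check is visible. The parameter values and the `X-Injected` header name are constructed placeholders.

```python
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when a value destined for a response header contains line-control characters."""


def decode_param(raw: str) -> str:
    # Decode once, the way a web server does before using a query parameter.
    # Validation must run on the decoded value: "%0d%0a" only becomes CRLF here.
    return unquote(raw)


def build_redirect_unsafe(raw_location: str) -> str:
    # Constructed illustration of the flawed pattern: the decoded parameter is
    # appended to the header line without checking for CR or LF, so one
    # parameter can turn into two (or more) header lines.
    return "HTTP/1.1 302 Found\r\nLocation: " + decode_param(raw_location) + "\r\n\r\n"


def validate_header_value(value: str) -> str:
    # Hardened form: refuse any CR, LF or NUL rather than silently stripping them,
    # so an attempt fails loudly and can be logged by the caller.
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control character in header value")
    return value


def build_redirect_safe(raw_location: str) -> str:
    return ("HTTP/1.1 302 Found\r\nLocation: "
            + validate_header_value(decode_param(raw_location)) + "\r\n\r\n")


def count_headers(raw_response: str) -> int:
    # Number of header lines in the response head, status line excluded.
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1


def is_rejected(raw_location: str) -> bool:
    # True when the hardened builder refuses the value.
    try:
        build_redirect_safe(raw_location)
    except HeaderInjectionError:
        return True
    return False


# Constructed sample parameters: a clean redirect target, and one carrying an
# encoded CRLF followed by a placeholder header line.
CLEAN_PARAM = "/home"
TAINTED_PARAM = "/home%0d%0aX-Injected:%20demo"

if __name__ == "__main__":
    print(count_headers(build_redirect_unsafe(TAINTED_PARAM)))  # 2: one header became two
    print(count_headers(build_redirect_safe(CLEAN_PARAM)))      # 1
    print(is_rejected(TAINTED_PARAM))                           # True
```

Rejecting rather than stripping is deliberate: a stripped value hides the attempt, while an exception gives the server a clear event to log and the request still fails closed.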

Note that Nessus has not tested for these issues but has instead
relied only on the device's self-reported version number.
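A banner-based version check of the kind this note describes, as an added Python example that is not Tenable's plugin code. It parses the first dotted version out of a banner string, compares it numerically against 6.3, and reports "undetermined" rather than guessing when no version is present. The banner strings are constructed; the real Miniserver banner format is not shown on this page.

```python
import re
from typing import Optional, Tuple

# Firmware version in which the page says the fixable issues were addressed.
FIXED_VERSION = (6, 3)

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    # Pull the first dotted numeric version out of a banner and convert each
    # component to an int, so that 6.10 sorts after 6.3 (a string compare would not).
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_prior_to_fix(banner: str) -> Optional[bool]:
    # None means "version not found": a scanner should report that separately
    # rather than flag or clear the device on a guess.
    version = parse_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


# Constructed sample banners (hypothetical format).
SAMPLE_BANNERS = [
    "Loxone Miniserver 6.2.11.1",  # prior to 6.3 -> flagged
    "Loxone Miniserver 6.3",       # at the fix level -> not flagged by this check
    "Loxone Miniserver 6.10.0",    # numerically newer than 6.3 -> not flagged
    "Loxone Miniserver",           # no version -> undetermined
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner), "->", is_prior_to_fix(banner))
```

Python's tuple comparison handles versions with differing numbers of components, so 6.3.1 compares as newer than 6.3. As the Solution section below notes, two of the listed issues remain in 6.3, so a device that passes this check is not cleared of those.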

See also :

http://www.nessus.org/u?d49071d7
http://seclists.org/fulldisclosure/2015/Feb/99

Solution :

Upgrade the Loxone Smart Home Miniserver firmware to version 6.3 or
later.

Note that the two information disclosure vulnerabilities (VulnDB 118940
/ 118946) still exist in firmware version 6.3. We are currently
unaware of a solution for these issues.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 81810

Bugtraq ID: 72804

CVE ID:
