Loxone Smart Home Miniserver < 6.3 Multiple Vulnerabilities
Medium Nessus Plugin ID 81810
Synopsis
The remote device is affected by multiple vulnerabilities.
Description
According to its banner, the remote Loxone Smart Home Miniserver device is running a firmware version prior to 6.3. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists due to the device transmitting all data in cleartext. A remote man-in-the-middle attacker can read the transmitted data, including the device credentials. (VulnDB 118940)
- A cross-site request forgery (XSRF) vulnerability exists due to improper validation of HTTP requests. (VulnDB 118942)
- An HTTP response splitting vulnerability exists due to a failure to properly validate input appended to the response header. This allows an attacker to insert arbitrary HTTP headers to manipulate cookies and authentication status. (VulnDB 118943)
- Multiple reflected cross-site scripting vulnerabilities exist due to improper validation of HTTP requests.
- A stored cross-site scripting vulnerability exists due to improper validation of the content in the description field of a new task. (VulnDB 118945)
- An information disclosure vulnerability exists due to the program storing user credentials in an insecure manner. The credentials are encrypted, but the key used for their decryption may be requested without authentication. (VulnDB 118946)
- Multiple denial of service vulnerabilities exist that can be exploited via SYN floods and malformed HTTP requests. (VulnDB 118947)
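As an added illustration of the HTTP response splitting issue in the list above (generic example code written for this page, not Loxone firmware or Nessus plugin code; the redirect handler, the header names and the injected value are all constructed): a header builder that appends a request-controlled value unvalidated, the same builder with the CR/LF check a hardened implementation needs, and a small response parser that shows which headers the injected value smuggled into the response.

```python
from typing import Callable, Dict, List

# Constructed attacker input: a CRLF sequence followed by headers the
# server never intended to send. Header-building code that appends this
# value unchecked emits the extra lines as real response headers, which is
# what lets an attacker set cookies or alter authentication state.
INJECTED_TARGET = "/home\r\nSet-Cookie: session=attacker\r\nX-Injected: 1"
EXPECTED_HEADERS = {"location", "content-length"}  # what the handler means to send


def _format_redirect(target: str) -> bytes:
    """Serialize a 302 redirect whose Location header carries `target`."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern: request-controlled data lands in a header unvalidated."""
    return _format_redirect(target)


def build_redirect_hardened(target: str) -> bytes:
    """Hardened pattern: refuse any header value containing CR, LF or NUL.

    Rejecting is preferable to stripping: a stripped value is still attacker
    shaped, and a hard failure makes probing visible in server logs.
    """
    if any(ch in target for ch in ("\r", "\n", "\x00")):
        raise ValueError("control characters are not allowed in a header value")
    return _format_redirect(target)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response head into a lower-cased name -> values map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_header_names(builder: Callable[[str], bytes], target: str) -> List[str]:
    """Header names present in the built response that the handler never set."""
    return sorted(n for n in parse_headers(builder(target)) if n not in EXPECTED_HEADERS)


def hardened_rejects(target: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable builder smuggled:", injected_header_names(build_redirect_vulnerable, INJECTED_TARGET))
    print("hardened builder rejects payload:", hardened_rejects(INJECTED_TARGET))
    print("hardened builder accepts clean value:", not hardened_rejects("/home"))
```

The parser is deliberately naive (no folding, no duplicate-header policy) because the point is only to make the smuggled `Set-Cookie` and `X-Injected` lines visible; real servers should reject control characters in header values at the framework layer rather than in each handler.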
Note that Nessus has not tested for these issues but has instead relied only on the device's self-reported version number.
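A banner-based check of the kind the note above describes, as an added example written for this page (not the Nessus plugin's own code): extract the dotted version from a self-reported banner and compare it numerically against 6.3. The banner strings are constructed; the real Miniserver banner format is not shown on this page. The example also includes the lexicographic comparison a hasty check might use, to show why it misclassifies a hypothetical 6.10.

```python
import re
from typing import Dict, Optional, Tuple

FIXED_IN = (6, 3)  # firmware version in which the version-gated issues were fixed
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version in a banner as an integer tuple, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def is_pre_6_3(banner: str) -> Optional[bool]:
    """True if the banner version is below 6.3, False if 6.3 or later, None if unparseable.

    Tuple comparison is numeric per component, so (6, 10) is above (6, 3)
    and (6, 3, 0) is not below (6, 3).
    """
    version = parse_version(banner)
    if version is None:
        return None
    return version < FIXED_IN


def naive_string_check(banner: str) -> Optional[bool]:
    """The pitfall: a string comparison says "6.10" < "6.3" and flags a fixed build."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(0) < "6.3"


def assess(banner: str) -> Optional[Dict[str, object]]:
    """Banner-only assessment: version-gated issues plus the two information
    disclosure issues this advisory says remain unfixed in 6.3."""
    version = parse_version(banner)
    if version is None:
        return None
    return {
        "version": ".".join(str(n) for n in version),
        "pre_6_3_issues": version < FIXED_IN,
        # Per this advisory, VulnDB 118940 / 118946 still exist in 6.3 and have
        # no known solution, so a banner check cannot clear them for any version.
        "unfixed_info_disclosure": True,
    }


if __name__ == "__main__":
    # Constructed banners; the real Miniserver banner format is not shown on this page.
    for banner in ("Miniserver 6.2.11", "Miniserver 6.3", "Miniserver 6.10"):
        print(banner, "->", assess(banner), "| naive string check:", naive_string_check(banner))
```

Because the check reads only the self-reported version, a device with a spoofed or stripped banner produces `None` rather than a verdict; treat that as "unknown", not as "not affected".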
Solution
Upgrade the Loxone Smart Home Miniserver firmware to version 6.3 or later.
Note that the two information disclosure vulnerabilities (VulnDB 118940 / 118946) still exist in firmware version 6.3. We are currently unaware of a solution for these issues.