VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded –no-check-certificate Wget option.
The product does not validate, or incorrectly validates, a certificate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Vobot_firmware | Omninova | * | 0.99.30 (excluding) |