Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password). The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. As for the affected product models/versions, see the Mitsubishi Electrics advisory which is listed in [References] section.
Weakness
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mac-557if-e_firmware | Mitsubishielectric | * | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/102.html
- https://cwe.mitre.org/data/definitions/117.html
- https://cwe.mitre.org/data/definitions/383.html
- https://cwe.mitre.org/data/definitions/477.html
- https://cwe.mitre.org/data/definitions/65.html
References
- https://jvn.jp/vu/JVNVU96767562/index.html
- https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2022-010.pdf
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-010_en.pdf
- https://jvn.jp/vu/JVNVU96767562/index.html
- https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2022-010.pdf
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-010_en.pdf