CVE-2023-46386

LOYTEC electronics GmbH LINX-212 and LINX-151 devices (all versions) are vulnerable to Insecure Permissions via registry.xml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.

Weakness

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Affected Software

Name	Vendor	Start Version	End Version
Linx-212_firmware	Loytec	6.2.4 (including)	6.2.4 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/37.html

References

http://packetstormsecurity.com/files/175952/Loytec-L-INX-Automation-Servers-Information-Disclosure-Cleartext-Secrets.html
http://seclists.org/fulldisclosure/2023/Nov/7
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
https://www.txone.com/blog/ten-unpatched-vulnerabilities-in-building-automation-products-identified-by-txone-networks/
http://packetstormsecurity.com/files/175952/Loytec-L-INX-Automation-Servers-Information-Disclosure-Cleartext-Secrets.html
http://seclists.org/fulldisclosure/2023/Nov/7
https://www.txone.com/blog/ten-unpatched-vulnerabilities-in-building-automation-products-identified-by-txone-networks/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-46386
CWE	https://cwe.mitre.org/data/definitions/312.html

Cleartext Storage of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References