KLCERT-18-004: Zipato Zipabox Weak Hash Algorithm

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KL-IDS KLCERT-18-004
CVE-IDS CVE-2018-15124
Publication date 2018.08.08
Researcher Andrey Muravitsky, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT
Description A weak hashing algorithm allows an attacker to obtain passwords in clear text.
Impact An unauthenticated attacker may be able to exploit the vulnerability and extract clear text passwords.
Severity
CVSS v3 Base Score: 8.6
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability Remotely
Difficulty Low
User interaction None
Existence of exploit Unknown
Affected products
Affected products Zipato Zipabox (smart home controller)
Mitigation
Vendor mitigation Vendor stopped responding to our emails.
Timeline 2018.01.12 – Vulnerabilities reported
2018.01.29 – First feedback from vendor
2018.06.06 – Vendor notifies that some vulnerabilities are fixed
2018.07.07 – Reminder sent to vendor
No feedback from vendor