Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
| KL-IDS | KLCERT-18-004 |
| CVE-IDS | CVE-2018-15124 |
| Publication date | 2018.08.08 |
| Researcher | Andrey Muravitsky, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT |
| Description | Weak hashing algorithm allows attacker get passwords in clear text. |
| Impact | An unauthenticated attacker may be able to exploit vulnerability and extract clear text passwords. |
| Severity | |
| CVSS v3 Base Score: | 8.6 |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| Exploitability | Remotely |
| Difficulty | Low |
| User interaction | None |
| Existence of exploit | Unknown |
| Affected products | |
| Affected products | Zipato Zipabox (smart home controller) |
| Mitigation | |
| Vendor mitigation | Vendor stopped responding on our emails. |
| Timeline | 2018.01.12 – Vulnerabilities reported 2018.01.29 – First feedback from vendor 2018.06.06 – Vendor notifies that some vulnerabilities are fixed 2018.07.07 – Reminder sent to vendor No feedback form vendor |