KLCERT-18-005: Zipato Zipabox Sensitive Information Disclosure

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KL-IDS: KLCERT-18-005
CVE-IDS: CVE-2018-15125
Publication date: 2018.08.08
Researcher: Andrey Muravitsky, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT
Description: A remote attacker can obtain sensitive information that expands the attack surface.
Impact: An unauthenticated attacker may be able to extract sensitive information about live Zipabox devices and their technical information.
Severity
CVSS v3 Base Score: 8.6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: Remotely
Difficulty: Low
User interaction: None
Existence of exploit: Unknown
Affected products
Affected products: Zipato Zipabox (smart home controller)
Mitigation
Vendor mitigation: Vendor stopped responding to our emails.
Timeline:
2018.01.12 – Vulnerabilities reported
2018.01.29 – First feedback from vendor
2018.06.06 – Vendor notifies that some vulnerabilities are fixed
2018.07.07 – Reminder sent to vendor
No feedback from vendor