CVE-2020-28946

7.5 HIGH

📋 TL;DR

An improper webserver configuration in Plum IK-401 devices allows unauthenticated attackers with network access to retrieve the device configuration file containing hashed credentials via a single GET request. This affects Plum IK-401 devices with firmware versions before 1.02. Attackers can potentially crack these hashes to gain unauthorized access.

💻 Affected Systems

Products:
  • Plum IK-401
Versions: Firmware versions before 1.02
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default webserver configuration; no special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers crack the hashed credentials, gain administrative access to the device, and use it as an entry point to pivot into industrial control networks, potentially causing operational disruption or safety incidents.

🟠 Likely Case

Attackers obtain hashed credentials and attempt offline cracking; successful cracking could lead to unauthorized device access and configuration changes.

🟢 If Mitigated

With proper network segmentation and access controls, attackers cannot reach the vulnerable webserver, preventing exploitation entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a single unauthenticated HTTP GET request to a specific endpoint; no authentication or advanced techniques are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.02 or later

Vendor Advisory: https://plummac.com/project/ik-401/

Restart Required: Yes

Instructions:

1. Download firmware version 1.02 or later from the vendor website.
2. Upload and apply the firmware update through the device's web interface.
3. Reboot the device to complete the update.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Plum IK-401 devices from untrusted networks using firewalls or VLANs to prevent external access.

Access Control Lists

all

Configure network devices to restrict HTTP/HTTPS access to the Plum IK-401 webserver only from trusted management IP addresses.

🧯 If You Can't Patch

  • Implement strict network segmentation to prevent any external or unauthorized internal access to the device's management interface.
  • Monitor network traffic for unauthenticated GET requests to the device's configuration endpoints and investigate any suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Attempt an unauthenticated HTTP GET request to the device's configuration endpoint (specific path not disclosed for security) and check if configuration data is returned.

Check Version:

Check the firmware version in the device's web interface under System > Firmware or similar settings.

Verify Fix Applied:

After updating to firmware 1.02 or later, attempt the same unauthenticated GET request; it should return an error or no sensitive data.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated HTTP GET requests to configuration-related endpoints in device logs
  • Multiple failed login attempts following configuration file access

Network Indicators:

  • Unusual HTTP traffic patterns to the device's IP on port 80/443 from untrusted sources
  • Outbound connections from the device to unknown IPs after exploitation

SIEM Query:

source="plum-ik-401" AND ((http_method="GET" AND uri CONTAINS "/config") OR (status_code=200 AND user_agent="unknown"))
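The log indicators above, worked into a small detector as an added example (not code from the advisory or the vendor): it parses constructed access-log lines, flags successful unauthenticated GETs to a configuration-like URI, and counts the failed logins that follow from the same client. The log format, the "auth=" field and the "/config" fragment (borrowed from the SIEM query, since the real path is not disclosed) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Common Log Format plus one extra field
# ("auth=yes|no": whether the request carried credentials). They are NOT real
# Plum IK-401 log output; the device's log format is not documented here.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Dec/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 auth=no
203.0.113.9 - - [01/Dec/2020:10:01:05 +0000] "GET /config HTTP/1.1" 200 2048 auth=no
203.0.113.9 - - [01/Dec/2020:10:01:09 +0000] "POST /login HTTP/1.1" 401 0 auth=no
203.0.113.9 - - [01/Dec/2020:10:01:12 +0000] "POST /login HTTP/1.1" 401 0 auth=no
10.0.0.5 - admin [01/Dec/2020:10:02:00 +0000] "GET /config HTTP/1.1" 200 2048 auth=yes
198.51.100.4 - - [01/Dec/2020:10:03:00 +0000] "GET /config HTTP/1.1" 404 0 auth=no
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ auth=(?P<auth>yes|no)$'
)
# Placeholder: the advisory withholds the real endpoint, so reuse the
# "/config" fragment from the SIEM query above.
CONFIG_URI_HINT = "/config"

@dataclass
class Alert:
    ip: str
    ts: str
    uri: str
    failed_logins_after: int  # the "multiple failed login attempts" indicator

def find_config_disclosures(log_text: str) -> list[Alert]:
    """Flag successful (200) GETs to a config-like URI that carried no
    credentials, and count later failed logins from the same client."""
    rows = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    alerts = []
    for i, r in enumerate(rows):
        unauth = r["auth"] == "no" and r["user"] == "-"
        if not (r["method"] == "GET" and CONFIG_URI_HINT in r["uri"]
                and r["status"] == "200" and unauth):
            continue
        fails = sum(1 for x in rows[i + 1:]
                    if x["ip"] == r["ip"] and x["method"] == "POST" and x["status"] == "401")
        alerts.append(Alert(r["ip"], r["ts"], r["uri"], fails))
    return alerts

if __name__ == "__main__":
    for a in find_config_disclosures(SAMPLE_LOG):
        print(f"ALERT {a.ip} read {a.uri} unauthenticated at {a.ts}; "
              f"{a.failed_logins_after} failed logins followed")
```

The authenticated admin read and the 404 from a second client are deliberately not flagged, which is the noise the bare `status_code=200` clause in the SIEM query would otherwise produce.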

🔗 References